As the compliance deadline approaches, legal departments are working with other departments in the company, like IT, to ensure that infrastructure and systems help your organization meet the new GDPR requirements. New requirements under the GDPR relating to data processing record keeping represent entirely new challenges for legal departments and data protection officers.
The GDPR stipulates broad requirements regarding the documentation and proof of compliance. Controllers will need to prove that their data processing meet the requirements of the GDPR and provide records of such activities, subject to Article 30 GDPR.
If your organisation has 250 or more employees, you must maintain additional internal records of your processing activities. However, this obligation also applies to smaller enterprises if:
- the processing is likely to result in a risk to the rights of affected employees (e.g. scoring, comprehensive monitoring, high risk resulting out of unauthorised disclosure or access, use of new technologies),
- the processing is not occasional; or
- the processing includes special categories of data:
- as referred to in Article 9 (1) (e.g. health data, biometric data, data related to political or philosophical beliefs); or
- personal data relating to criminal convictions and offences referred to in Article 10.
Records of processing activities shall be in writing or in electronic form, and much be made available to the supervising authorities upon request. If the requirements are not met, an administrative fine of up to EUR 10 Million or up to 2% of the annual global turnover may be imposed (Art. 83(4) GDPR).