Records of Processing Activities For Small Businesses
As a micro, small, or medium-sized enterprise (SME), it is essential to maintain a record of processing activities involving personal data. This requirement is mandated by the General Data Protection Regulation (GDPR), which is aimed at protecting the rights and privacy of individuals within the European Union (EU) and the European Economic Area (EEA). Regardless of the size of your business, maintaining these records helps ensure compliance with GDPR regulations and demonstrates your commitment to safeguarding personal data.
By keeping a record of processing activities, you can create a comprehensive overview of how personal data is handled within your organization. This includes documenting the purposes of data processing, data categories, data recipients, data transfers, and the retention period for each type of data. These records not only facilitate compliance with GDPR but also contribute to fostering transparency and accountability in your data processing practices.
Moreover, maintaining these records can help you assess potential risks associated with data processing and implement appropriate measures to mitigate these risks. It also enables you to respond effectively to data protection inquiries from supervisory authorities and data subjects, should the need arise.
Overall, the documentation of processing activities serves as a valuable tool for demonstrating your commitment to data protection and your adherence to the GDPR requirements, thereby building trust with your customers and business partners.
Should you, as a micro, small or medium-sized enterprise, keep a record of processing activities of personal data?
“Should” is the key word here, because I see a lot of confusion among founders and entrepreneurs around what they should or shouldn’t do, and the purpose of this article is to bring clarity on this topic.
Therefore, in this article I am going to address the following questions:
- What legal obligations do small businesses have in respect to records of processing activities?
- What are the mandatory legal requirements a small business must meet in order to be compliant?
- What derogations does the GDPR provide for small businesses?
- What is the risk that you, as a business and founder or leader of your organization are exposed to?
- How can your business become compliant today and mitigate those risks?
1. Legal obligations for small businesses under the GDPR
Under the GDPR every controller must maintain a record of its processing activities and, if requested, present it to the competent supervisory authority (data protection authority). This record is an inventory of all processing operations and helps you correctly assess your responsibilities under the GDPR and the risks involved.
Each processor, and where applicable its representative, also has a legal obligation to maintain a record of all categories of processing activities carried out on behalf of a controller.
Each processing activity must therefore be described in a record of processing activities, which must be kept in writing, including in electronic form.
2. Mandatory rules and requirements applicable to small businesses under the GDPR
The record of processing activities that controllers are obliged to keep shall contain all of the following information:
- the name and contact details of the controller and, where applicable, of its representative;
- the purposes of the processing (e.g. direct marketing);
- a description of the categories of data subjects and of the categories of personal data processed (e.g. for direct marketing: first name, last name, email address, mobile number, etc.);
- who has access to the data, i.e. the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations (e.g. the department in charge of marketing, the VA, management, service providers, partners, etc.);
- where applicable, information related to transfers of personal data outside the European Economic Area (EEA);
- where possible, the storage or retention period (the period for which the data are useful from an operational point of view, and from an archiving perspective, up to and including final erasure);
- where possible, a description of the security measures taken by your organization. These are the technical and organizational measures you have undertaken to ensure a level of security appropriate to the risk, and include:
  - pseudonymization and encryption of personal data;
  - measures taken to ensure the ongoing confidentiality, integrity, availability and resilience of your processing systems and services;
  - the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  - a process for regularly testing, assessing and evaluating the effectiveness of your security measures.
Almost inevitably, you will also be acting as a processor on behalf of another controller; in that role you are also legally required to maintain a record of all categories of processing activities carried out on behalf of each controller for whom you act.
This record must be available to the data protection authority (DPA) of the EEA country where you operate, upon request.
3. What derogations does the GDPR provide for small businesses?
There is one derogation provided under the GDPR: if your business employs fewer than 250 persons, you are not obliged to maintain records of processing activities. However, this derogation does not apply, and you will therefore not be exempt from the obligation to keep a record of processing activities, if:
- The processing you are carrying out is likely to result in a risk to the rights and freedoms of data subjects
- The processing is not occasional (e.g. launching a new program, workshop or offering) but is conducted on a regular or permanent basis (e.g. repeated launches of the same or new programs, workshops or offerings to the same target audiences); or
- The processing includes special categories of data or sensitive personal data.
To conclude, organisations employing fewer than 250 persons are not required, for instance, to mention purely occasional activities in their record (e.g. data processed for one-off events such as the launch of a new product or service, provided that this really is a one-off event and not a repeated, re-branded or re-communicated one).
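The Art. 30(1) entries listed in section 2 and the derogation test just described, encoded as an added example that is not part of the article; the field names, "Example Ltd" and the two sample activities are constructed for illustration:

```python
from dataclasses import dataclass

# Entries Art. 30(1) requires in every controller record, and the ones the
# article marks "where applicable" / "where possible".
MANDATORY = ("controller", "purposes", "data_subject_categories",
             "personal_data_categories", "recipient_categories")
CONDITIONAL = ("third_country_transfers", "retention_period", "security_measures")

@dataclass
class ProcessingActivity:
    name: str
    fields: dict              # the Art. 30(1) entries documented for this activity
    occasional: bool          # one-off event vs. regular or permanent processing
    likely_risk: bool         # likely to result in a risk to data subjects
    special_categories: bool  # special categories or other sensitive data involved

def missing_fields(activity):
    """Mandatory entries that are absent or empty are errors; conditional
    entries left undocumented are reported separately as warnings."""
    errors = [f for f in MANDATORY if not activity.fields.get(f)]
    warnings = [f for f in CONDITIONAL if f not in activity.fields]
    return errors, warnings

def must_record(activity, headcount):
    """Art. 30(5): under 250 staff an activity may be left out of the record
    unless any of the three conditions the article lists applies."""
    if headcount >= 250:
        return True
    return (activity.likely_risk or not activity.occasional
            or activity.special_categories)

# Constructed sample activities (hypothetical, not taken from the article).
NEWSLETTER = ProcessingActivity(
    name="Newsletter direct marketing",
    fields={"controller": "Example Ltd, privacy@example.com",
            "purposes": "direct marketing",
            "data_subject_categories": "prospects and customers",
            "personal_data_categories": "first name, last name, email address",
            "recipient_categories": "marketing team, email service provider",
            "retention_period": "until unsubscribe + 30 days"},
    occasional=False, likely_risk=False, special_categories=False)

LAUNCH_EVENT = ProcessingActivity(
    name="One-off product launch signup",
    fields={"controller": "Example Ltd, privacy@example.com",
            "purposes": "event registration"},
    occasional=True, likely_risk=False, special_categories=False)
```

Running `must_record` over each activity with your headcount tells you which ones the derogation actually covers, and `missing_fields` shows where a documented activity still falls short of Art. 30(1).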
4. What is the risk that you, as a business and founder or leader of your organization are exposed to?
Keeping a record of processing activities not only makes you compliant with your legal obligations under the GDPR; it also gives you awareness (and a lot of power) in understanding your organization’s vulnerabilities and taking control over the integrity of your business.
Failure to give the DPA access to your record of processing activities, in this particular case, and, more generally, to information enabling the DPA to exercise its investigative powers, or non-compliance with an order by a supervisory authority, is subject under the GDPR to an administrative fine of up to 4% of the total worldwide annual turnover of the preceding financial year, as well as to other, locally applicable fines and sanctions, depending on the competent DPA at the place of your operations.
When you are not compliantly keeping records of processing activities, you are single-handedly exposing your organization to data leaks and/or data breaches (read more here on the distinction between the two), which in turn can lead to class action lawsuits for damages, damage your reputation in the market and can effectively lead to bankruptcy.
The record of processing activities falls under the responsibility of your organisation’s manager (e.g. the CEO, general manager or director of the company, but often also the founder him/herself).
So, if you were counting on there being no personal liability for you in the process, I would second-guess that and think ten times before not making the necessary transformation in your business to become compliant with the GDPR by design and by default, even as a small business owner. In fact, the impact for a small business owner is, in absolute terms, much greater and more serious than for large enterprises, who, at the end of the day, have options. Many more options than you do.
5. How can your business become compliant today?
An organisation not only has to process personal data in accordance with the General Data Protection Regulation; it also needs to be able to demonstrate its compliance.
This includes implementing data protection by design, keeping a record of processing activities and, in certain circumstances, conducting a data protection impact assessment.
When it comes to meeting the obligation to keep a record of processing activities, as controller and as processor, we recommend starting with an assessment of your factual situation.
Our team of legal and privacy experts is prepared to lead you through an interview and assessment process that allows you to apply data protection principles by design and by default, so that you can correctly assess the risks, implement the right measures, and embed data protection and the privacy of individuals in every aspect of your business: at every stage of your processing operations, in the tools you use, with your business partners and team members, and in any other business activity.
Book your discovery call here.
This article is a part of the Data Protection For Small Businesses series. Follow us for updates.