Home

Do SMEs need to keep record of their processing activities?

With the GDPR being fully enforceable on May 25th, more and more questions arise regarding the scope of article 30 GDPR. As you might already know, article 30 GDPR imposes the obligation to maintain records of processing activities by both controllers and processors. In this blog post, we will address if and how small and medium-sized enterprises can comply with article 30 GDPR.

One of the purposes of the GDPR is to make sure that organisations are accountable if they are processing personal data of their employees, clients or other data subjects. In order to do so, the GDPR imposes the obligation to maintain records of your processing activities, you may call this a privacy administration or bookkeeping for privacy officers. This administration needs to be done by both the data controller and the data processor.

With the due date of May 25th rapidly approaching, SMEs are busy preparing to be GDPR-ready. The Article 29 Working Party (WP29) received a lot of questions regarding the applicability of article 30 GDPR, more specific on the derogation that is laid down in article 30(5) GDPR. In order to provide more clarity for SMEs, the WP29 published a position paper on this topic.

Article 30(5) GDPR – the derogation

Article 30(5) GDPR states article 30(1)(2) GDPR does not apply to organisations with fewer than 250 employees, unless at least one of the following conditions applies:

  • The processing is likely to result in a risk to the rights and freedoms of data subjects;
  • The processing is not occasional;
  • The processing includes special categories of data of personal data relating to criminal convictions and offences.

The processing is likely to result in a risk to the rights and freedoms of data subjects

Please note that the GDPR is not talking about a high risk, just a risk is enough in order to meet this condition. The WP29 adds that keeping records of processing activities enables organisations to assess whether a processing is likely to result in a risk to the rights and freedoms of data subjects.   

The processing is not occasional

Every organisation with employees stores some personal data about them in order to fulfil the obligations you have as an employer, such as paying salaries. This kind of processing activity is not occasional and therefore they have to be included in the records of processing activities.

This does not mean that an organisation needs to keep track of all processing activities. They only have to maintain records of the processing activities that fall under the scope of article 30(5) GDPR.

The processing includes special categories of data of personal data relating to criminal convictions and offences

Lastly, processing activities that include the processing of special categories of data (article 9 GDPR) and/or data relating to criminal convictions and offences (article 10 GDPR) need to be included in the overview of processing activities.

The WP29 emphasises that it is unlikely that keeping records of these processing activities will constitute a lot of work for SMEs. Using your privacy administration as the heart of your privacy governance enables your organisation to comply with all the other obligations of the GDPR, such as data protection impact assessments, data breach notification obligations and complying with data subject rights.

So no matter if the obligation applies to your organisation, it is still useful to have an overview of all processing activities. Want to start right now? Download our free whitepaper on how to carry out a data mapping and start today with your record of your organisation’s processing activities!

Tess Priester
Legal Advisor at PrivacyPerfect

Other posts you might find interesting:

Interested in what PrivacyPerfect can do for your organisation? Contact us!