Last month, in my article titled Think you’re GDPR compliant? Think again, I wrote about how consent can be key to proving that your organization’s collection, storage, and processing of personal data of individuals is lawful under the GDPR. Then earlier this month, in part one of the “Consent is not enough” series, I discussed GDPR data security requirements.
This time, we’ll get into another “must do” if your organization falls under the scope of the EU’s General Data Protection Regulation – which most, even if they don’t have a physical presence in Europe, do – and that is the mandate to document and report on the measures taken to comply, and to notify various parties regarding data breaches and other relevant information pertaining to the personal data that you collect, store, or process.
Recordkeeping and reporting
Surely one of the least glamorous aspects of operating a business – any business – is the recordkeeping. Back in the “olden days” (i.e., the beginning of my adult life), that meant rows and rows of humongous file cabinets housing mounds of paper files. And that was before we were deluged with so many government regulations requiring us to document every detail of every business transaction or decision.
Today most records are digital. In theory, this should make things easier, and in some ways, it does. We can store on one small SSD drive more data than would fit into a large file room decades ago. The problem is that the sheer amount of data that organizations process and store has increased exponentially.
NOTE: A few years back, IDC Research predicted that worldwide digital data would grow from around one zettabyte in 2010 to approximately 50 zettabytes in 2020. Now we’re only two years shy of that date, and last year the company estimated that we are creating 16.3 ZB per year and that by the year 2025, that number could reach 163 ZB annually. The good news is that not all of the data that’s created will be (or should be) stored. IDC said less than 20 ZB of the data generated between now and 2025 will be deemed worth keeping.
The bottom line is that organizations are already dealing with a massive amount of data, and GDPR requirements will only add to that. In addition to keeping the records, GDPR compliance also means you have to secure the parts of those records that contain personal data (as discussed in the previous article) and be able to find the relevant information quickly and provide it to data subjects and supervisory authorities upon request.
Records of processing activities
Both the controller and the processor are required to maintain a record of processing activities. Those requirements differ slightly depending on which category your organization fits into. The responsibilities of both are listed in Article 30, appropriately titled Records of processing activities.
The information requirements for the controller’s records are a bit more extensive than those for the processor. The controller’s records must include:
- Name and contact info of the controller, as well as any joint controller, controller’s representative, and data protection officer (where applicable)
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients to whom the personal data is disclosed
- Third country or international organization transfer of personal data
- Time limits for erasure
- A description of technical and organizational security measures implemented to protect the personal data
As for the processor, records must include:
- Name and contact info for the processor and controller(s), as well as controllers’ representatives and data protection officer (where applicable)
- Categories of processing
- Third country or international organization transfer of personal data
- A description of technical and organizational security measures implemented to protect the personal data
Both controller and processor are obligated under Article 30 to provide the above records to the supervisory authority when requested. There are exceptions to the recordkeeping requirement for organizations with fewer than 250 employees – however, there are also exceptions to the exception, so it behooves any org that falls under the scope of the GDPR to keep these records, and/or to consult with legal counsel conversant in the Regulation’s requirements before deciding not to do so.
Rights of data subjects related to transparency and communication
Another thing that must be documented is communications between a controller and a data subject regarding data subject requests. The GDPR gives data subjects the following rights relating to their personal data, as laid out in Article 13:
- The right to information regarding the identity and contact info of the controller and data protection officer
- The purposes for the processing and the legal basis for processing
- Recipients of the personal data
- Information regarding third country or international organization transfer of the data
- Further information necessary to ensure fair and transparent processing, including notification of the right to lodge a complaint with the supervisory authority
When a subject’s personal data was obtained from a source other than the data subject, there are further requirements, which are listed in Article 14, so be sure to check out those requirements if you store or process data of that nature.
Article 15 is an important one, as it gives data subjects the right to access their personal data along with information about that data. The GDPR mandates that the controller provide a copy of the personal data undergoing processing at the request of the data subject (an administrative fee can be charged for additional copies). In reading Article 15, be sure also to review Recital 63, which goes into a more detailed explanation of the right of access.
Further rights of data subjects, including the right to rectification (correction of inaccurate or incomplete data), right to erasure, and right to the restriction of processing, also should be documented when a data subject exercises them, and records kept showing how the controller handled the request.
Notification to recipients
When a data subject requests rectification, erasure, or restriction of processing of his/her personal data, in accordance with the rights discussed above, the controller is obliged under Article 19 to communicate the rectification, erasure, or restriction to any and all recipients to whom that personal data has been disclosed (where possible).
The controller is also required to inform the data subject about those recipients, if the data subject requests it. The controller should likewise inform the processor of the data subject’s request so that links to, or copies of, that personal data are erased. This is part of the so-called “right to be forgotten” that has been and continues to be a basic tenet of European privacy laws.
Data breach notification
The GDPR designates that both the affected data subjects and the supervisory authority are to be notified in the case of a data breach that is likely to result in a risk to the rights and freedoms of natural persons.
Notification to the supervisory authority
It is the responsibility of a processor who becomes aware of a breach of personal data to notify the controller without undue delay. It is then the responsibility of the controller to notify the supervisory authority. Whereas “without undue delay” on the part of the processor is not further defined, there is a time limit regarding the controller’s notification to the SA: not later than 72 hours after becoming aware of the breach, where feasible. If the notification is not made within that time period, it must be accompanied by an explanation for the delay.
Article 33 details the required content of the notification, which includes:
- The nature of the breach, categories and approximate number of both data subjects and personal data records
- Name and contact details of the DPO or another contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its adverse effects
Communication to data subjects
In addition to notifying the supervisory authority, the controller is required to communicate the facts of the breach to the data subjects whose rights and freedoms are likely to have been put at high risk, per Article 34.
Meeting any one of several conditions relieves you of the requirement to communicate the breach to the data subjects. These include:
- The breach is not likely to result in a high risk to the rights and freedoms of natural persons
- You have implemented appropriate technical and organizational protection measures, particularly encryption, and applied them to the personal data affected by the personal data breach
- You have taken subsequent measures which ensure that the high risk is no longer likely to materialize
- If communicating to each data subject individually would involve disproportionate effort, you can instead make a public communication to inform data subjects
Note that Recital 88 mentions (among other things) that, in setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.
Summary
Recordkeeping, reporting, and notification of data breaches are all important elements of GDPR compliance, and it’s important for all organizations that fall under the regulation to become very familiar with their responsibilities in those areas.
For more information on GDPR and what your company needs to be compliant, download our whitepaper here.