What documentation is sufficient to fulfil the basic obligations under the Personal Data Protection Act and the GDPR if the organisation is not required to appoint a DPO and is exempt from maintaining a record of processing activities? We currently have authorisations
ANSWER
The GDPR does not specify in detail how to maintain documentation on personal data processing or what elements it should contain. However, to demonstrate compliance with the law, an organisation should document its activities in four key areas:
- Implementation of policies and procedures — including a data protection policy and procedures related to personal data processing.
- Maintenance of registers and records — such as the Record of Processing Activities (ROPA), the Register of Categories of Processing Activities and the Breach Register.
- Regular compliance analyses — including data protection impact assessments (DPIAs) and risk analysis, which help monitor and minimise risks associated with processing.
- Use of appropriate clauses and provisions — in all documents where personal data are collected, such as contracts, forms, website privacy policies or consent forms.
It is worth considering whether the organisation is indeed not obliged to maintain a Record of Processing Activities. Under Article 30(1) GDPR, every controller maintains a record of processing activities for which it is responsible. An exception applies: this obligation does not apply to an enterprise or organisation employing fewer than 250 persons, unless:
- the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects,
- the processing is not occasional,
- the processing includes special categories of personal data or data relating to criminal convictions and offences.
In practice, almost every entity processing data deals with risk-based processing, and if it employs staff (regardless of number), it will process special category data (e.g. sick leave records).