Identification and mapping of processing activities (Part 1)
One of the most important requirements of the GDPR – a requirement which is already familiar to controllers operating under the Norwegian Personal Data Act – is that a data controller must maintain a record of all processing activities under its responsibility. Such records form part of what are often referred to as the controller's internal control documentation.
Novel in the GDPR, as opposed to the current requirements in the Personal Data Act and the Data Protection Directive, is that records of processing activities must also be kept by data processors. Although the content of the records that processors must keep differs from the mandatory content that controllers must maintain, this distinction is understandable because the role performed by processors is different from that of controllers. Whereas a controller is the person who determines, alone or jointly with other controllers, the purposes and means of processing, the role of a processor is to process personal data on behalf of one or more controllers.
Records of processing activities by data controllers
Pursuant to article 30(1) of the GDPR, the data controller must identify the different types of processing activities and record the purposes, the categories of personal data and of data subjects, as well as, where applicable, the name and contact details of any joint controller, representative of the controller and the data protection officer. Though not mandatory under article 30(1), it is advisable for the controller to also record the legal basis for each processing activity pursuant to article 6 (and, in the case of sensitive personal data, article 9) as documentary evidence that an assessment of the lawfulness of each processing activity has been carried out. It is likewise advisable that the controller keep an overview of which processing activities are sub-contracted to data processors. This ensures that no data processing activity is overlooked, thereby reducing the risk that an activity is not regulated by an appropriate data processing agreement.
Where personal data are to be disclosed to another data controller, the categories of recipients must be recorded. If any data controller to which data are disclosed, or any data processor to which data are transferred, is located in a country outside the European Economic Area (EEA), a so-called "third country", this must also be recorded. When the legal basis for the transfer to a third country is the new and rather exceptional basis of legitimate interest pursuant to the second sub-paragraph of article 49(1) (which can only be used when no other instrument pursuant to the GDPR is available), the safeguards taken to protect the personal data must be recorded.
Furthermore, where possible, the envisaged time limits for the erasure of the different categories of personal data, as well as a general description of the technical and organisational security measures that are obligatory pursuant to article 32, must also be recorded.
In Part 2 of this article next week, we will look at records of processing activities by data processors.