On May 25, 2018, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of processing activities. Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods. Companies must provide their processing records (sometimes informally referred to as a “processing inventory”) to EU data protection authorities (DPAs) upon request.
Last week, the DPA for the German state of Bavaria issued a circular discussing Article 30 GDPR’s new recordkeeping requirements. Many of the points the Bavarian DPA raised will not come as surprises to companies that have spent time getting to know the GDPR, such as:
One question many companies are asking is “How detailed do our processing records need to be?” The Bavarian DPA indicates it also sees this question as “intriguing,” especially since Article 30(1)(g) and 30(2)(d) only require a “general description” of a company’s technical and organizational information security measures “where possible.”
To help controllers and processors meet their recordkeeping obligations, the Bavarian DPA announced that the 17 German DPAs have formed a working group that will develop a Model Processing Operations Index for Article 30 compliance. Currently, the German DPAs plan to release the Model Processing Operations Index in mid-2017.
The detail provided in the Model Index should be an invaluable resource for companies with operations or customers in Germany, and may set the tone for what DPAs throughout the EU expect under Article 30 GDPR. Moreover, while Article 30 GDPR specifies the categories of information processing records must include, it does not specify format—and the Model Index may be the first DPA indication as to acceptable formats for Article 30 records.