Data Inventory and Article 30 Compliance
A data inventory identifies the data the organisation has, and ultimately forms the catalogue against which impact and risk can be assessed, and any remedial work planned and estimated.
Article 30 is the part of the GDPR that refers to the record keeping required by every business that processes personal data. All companies must keep records of processing activity, but those companies with more than 250 employees are required to keep very detailed records. For example:
Personal Data Being Processed
Do you keep accurate and up-to-date records of what personal data is being held and processed?
Have you created Data Flow Maps to show how this data is captured and moves around the organisation?
Lawful Basis for Processing
You must have a lawful basis for processing data, and remember that storing data counts as processing.
Have you determined and documented how you concluded your lawful basis?
Personal data can only be stored for as long as the business has a lawful basis. Retention times must be set for each data category, not at the document level; this presents serious challenges to most organisations.
Meeting Rights of Data Subjects
Your systems must be capable of upholding the rights of the data subjects to whom the personal data relates. Data subjects may, for example, request access to their data, or request that it be erased, updated or restricted from processing.
Records of Processing
A system of record must be kept of the processing activities for your organisation. This may comprise DPIAs, Data Flow Maps, Retention Records and other relevant documents that describe how you capture, process and secure personal data.
Data Protection Impact Assessments
DPIAs are at the heart of many data processing activities. They are legally required where there is a potential for high risk to the rights and freedoms of data subjects if the processing is carried out. However, many companies carry them out as a matter of course and good practice.
How We Can Help
UKGDPR can create a plan of how you can approach this exercise in a way that works for your business. We can help you identify the best outcome in the most cost-effective way, pulling together the information you already have, and building on that to create a comprehensive set of Article 30 compliant documentation.
Build a system based on Microsoft Office templates
We can build your documentation base using standard Microsoft Office tools with our custom templates.
Suitable for smaller organisations of fewer than 250 people and those processing smaller amounts of personal data, this approach uses a range of tried and tested templates that meet the guidelines from the EDPB.
Use a Dedicated Compliance System: OneTrust
We have successfully implemented OneTrust compliance systems for large organisations to make a central interactive system of record.
Using dedicated compliance software like OneTrust brings a number of benefits, and for large organisations it is essential to organise your workflow, capture risks, and work with third parties.
Contact us and let us know how we can help you
We're a group of privacy and security consultants with experienced GDPR practitioners and Data Protection Officers. We look forward to helping you align your company goals with appropriate and adequate organisational and technical measures.
Copyright 2018 UKGDPR Limited, a company registered in England, company number: 11002759