- Over the past 2 years there have been 168 GDPR fines, totalling 164 million Euro, for insufficient legal basis for data processing
- Keeping accurate records of data processing is difficult for businesses with data strewn across dozens of systems
- Data mapping, synchronizing data across systems, and improving data collection practices can all aid in compliance with Article 30
For the better part of the last decade, the European Union has been a global trendsetter when it comes to shaping privacy laws. The GDPR has inspired policy in other countries and garnered worldwide attention for its revolutionary policies including “the right to be forgotten.” These watershed laws have impacted business and individuals alike. In fact, one new regulation that went fully into effect in 2018 has fundamentally changed the way companies have needed to handle personal data.
What is Article 30 and a Records of Processing Activities (RoPA)?
Article 30 of the EU General Data Protection Regulation (GDPR) is a law that “requires organizations that process personal data to maintain a record of their processing activities.” Originally adopted back in 2016, this law affects all controllers and processors of GDPR-regulated organizations of personal data information.
What are the specific requirements?
Companies are required to keep a record of the data being processed and must explain the purpose of the processing. This record shall include a description of the categories of the data subjects and of the categories of personal data. Additionally, they are responsible for disclosing the recipients of the data and must identify third countries or international companies receiving those transfers of personal data. The name and contact information of the controller who collects the information or any of their representatives must be kept as a part of the records as well. If possible, records should indicate the planned time frame for erasing personal data records, but for the time that sensitive data is being kept there should also be an outline of security measures being taken to protect that information if it is applicable. Also, records are to be kept both in writing and electronic form, and these records should be prepared and readily available upon request to the supervisory authorities.
In a data-driven world, there are ever-evolving ways that data is being used, making it difficult to be compliant. As a result of these newfound challenges, there has been a stark number of fines levied in recent years. From 2018 to 2019, the number of fines per month increased by 260%, proving that compliance is not getting easier and data is only getting more complex. Over 220 fines for GDPR violations have been handed out so far in 2020, totaling an amount exceeding €155 million. In fact, Google received one of the largest fines totaling €50 million for insufficient transparency, control, and consent over processing of personal data to be used for behavioral advertising. It is important to note that while it may be difficult to be fully compliant, there are companies that have had punishments reduced as a result of exemplary cooperation while under review.
Who does it apply to?
The GDPR states that only organizations that employ 250 or more employees must keep these records of processing activities (RoPA).
Like most rules, there are exceptions, and there are times when smaller enterprises must comply with Article 30 as well. One such exception is if the processing includes “personal data relating to criminal convictions and offenses.” Based on that, as well as other exceptions, many smaller organizations will need to comply with this new law or face serious consequences.
Organizations had already been reporting this information to outside local Data Processing Authorities, but Article 30 now requires organizations to keep internal records. And the records that both need to keep are staggering. Among other items, controllers need to keep records of the purpose of processing, the categories of individuals as well as the personal data processed, and “the safeguards in place for exceptional transfers of personal data to third countries or international organizations” (ICO).
Why is it significant?
GDPR’s Article 30 has much more focused rules and requirements as compared to any prior privacy regulation. In the United States, there is no federal regulation of data privacy; each state is on its own in that regard. California has the closest laws to the GDPR with the California Consumer Privacy Act (CCPA). Signed into law in 2018, “its goal [was] to extend consumer privacy protections to the internet… Businesses can’t sell consumers’ personal information without providing a web notice… and giving them an opportunity to opt-out.” Article 30 and RoPA require such detailed processing of data that it makes complying with other GDPR rules much easier.
Data Subject Requests (DSRs) are only one aspect of the GDPR. The regulations and fines are not confined to whether the information is requested by the data subject. Keeping a RoPA is about GDPR compliance over all in order to avoid fines, even if it is not associated with a request from a subject. It is still important to protect the data so it is not breached in other capacities due to carelessness.
Article 30 fits well into a time where privacy has come to the forefront for consumer expectations and has become an integral part of a company’s brand. Citizens are increasingly concerned about who has their personal information and how the organizations are using it. By requiring these organizations to keep such detailed records of not only the actual personal information, but how they obtained that information, there is a smaller chance of personal details falling into the wrong hands. Moreover, accurate and detailed record-keeping also enables a company to cooperate in the event of a review that can help to reduce potential fines.
What are the implications to businesses?
Since organizations used to have to report this information to outside companies and now have to keep the records internally, there is a lot at stake for each individual company. By mishandling the information that a company obtains, or obtaining it in a way that is non-compliant with Article 30, companies face several consequences.
Besides the huge fines that await them if they do not comply with Article 30, the trust of their customers is on the line. No user wants their data to be processed, sold, or shared with third parties without first giving consent, and studies show consumers are ready to switch companies over privacy issues. When someone gives over their personal information to a company or organization, they are trusting that that information will be safeguarded and not used without their permission. Customers won’t hesitate to leave the business and request that their data be deleted in the case that the trust is broken. In fact, 3 in 4 people would boycott their favorite retailer if it didn’t keep their personal data safe.
Why were companies fined in the past over Article 30?
The fines for noncompliance with Article 30 can be astronomical; however, they are not one size fits all. Each fine is determined based on ten criteria: nature of infringement, intention, mitigation, preventative measures, history, cooperation, data type, notification, certification, and other (“other aggravating or mitigating factors may include financial impact on the firm from the infringement”). The final determination of the fine is which infringement is the most severe; this means that companies can not be punished for each individual infringement made.
There are two levels of fines. The first is the Lower Level which is up to €10 million, or 2% of annual revenue of the prior financial year—whichever is higher. The second is the Upper Level, which is a fine of up to €20 million, or 4% of the annual revenue of the prior financial year—again, whichever amount is higher. The determining factor for which level a company’s fine ends up being is which infringement they have made.
How can businesses solve compliance with Article 30?
Data Mapping
To ensure that all data collection is done effectively and within regulations, the role of data mapping is extremely important. As security is imperative when thinking about protecting someone’s personal information, figuring out how the data is retrieved is vital.
Data mapping is a form of auditing that visualizes information so organizations can see how data flows through its systems. This helps a company to understand what personal data is being processed which is critical to managing potential data protection risks. Specifically, it shows the type of personal data an organization holds, where it is being kept and in what format, who it belongs to, who has access to it, and with who it is shared – all of which are central to GDPR compliance. Data mapping also helps an organization respond to data subject to requests.
Maintaining a RoPA
Setting up a RoPA is an important step in the data collection process as well. Each controller is required to have a record of their responsibilities of processing activities. Having a RoPA requires diligence and great detail, but it is incredibly helpful when tracking any data. However, the immense detail that is required to ensure it is done properly is also one reason why it is difficult to complete properly.
Automation and Best Practices
As with anything that can be automated, there are both pros and cons. Automating RoPA frees up employees to oversee other areas of the data processing journey. But if one aspect of the automation fails or is done incorrectly, it can have a drastic effect on the company and open them up to incurring a large fine without realizing that something was wrong. Rigorous testing must be done in order to ensure that all automation is set up correctly and working properly.
The data collection process has gone through quite a journey over the last few decades. The GDPR and Article 30 have taken the act of collecting personal information and turned it into a true system which has the potential to benefit billions of people around the world. But it is important that constant care is taken to keep the system updated and aligned with current technologies, otherwise companies can face significant consequences.
Trying to keep up with privacy regulation and industry news? Subscribe to the Weekly Grail to get insights on the latest in data privacy.
Learn more about data privacy and compliance with these related resources: