With the GDPR fully enforceable, more and more questions arise regarding the scope of article 30 GDPR. As you might already know, article 30 GDPR imposes the obligation to maintain records of processing activities on both controllers and processors. In this blog post, we will address whether and how small and medium-sized enterprises (SMEs) can comply with article 30 GDPR.
SMEs are busy preparing to become GDPR-compliant. The Article 29 Working Party (WP29) received a lot of questions regarding the applicability of article 30 GDPR, more specifically on the derogation laid down in article 30(5) GDPR. In order to provide more clarity for SMEs, the WP29 published a position paper on this topic.
Article 30(5) GDPR states that article 30(1) and (2) GDPR do not apply to organisations with fewer than 250 employees, unless at least one of the following conditions applies:
Please note that the GDPR does not require a high risk here; any risk is enough to meet this condition. The WP29 adds that keeping records of processing activities enables organisations to assess whether a processing activity is likely to result in a risk to the rights and freedoms of data subjects.
Every organisation with employees stores some personal data about them in order to fulfil its obligations as an employer, such as paying salaries. This kind of processing activity is not occasional and therefore has to be included in the records of processing activities.
This does not mean that an organisation needs to keep track of all its processing activities. It only has to maintain records of the processing activities that fall within the scope of article 30(5) GDPR.
Lastly, processing activities that include the processing of special categories of data (article 9 GDPR) and/or data relating to criminal convictions and offences (article 10 GDPR) need to be included in the overview of processing activities.
The WP29 emphasises that keeping records of these processing activities is unlikely to constitute a lot of work for SMEs. Using your privacy administration as the heart of your privacy governance enables your organisation to comply with the other obligations of the GDPR as well, such as data protection impact assessments, data breach notification obligations and complying with data subject rights.