Once the General Data Protection Regulation (GDPR) becomes effective, on 25 May 2108, all businesses and organizations that deal in processing the data of people residing within the European Union will be supposed to abide by its stipulations. It’s also vital to see that, as described in Article 30 of GDPR, organizations and companies should keep documentations of their handling activities. Being a data manager, not doing this implies that they can encounter fines or other restrictions for non-conformity.
What Must be Documented?
According to Article 30 of GDPR, here is the information that should be documented.
- The name and contact particulars of the business or organization.
- The name and contact details of any Data Protection Officer (DPO) that is in place.
- The contact details and name of any business or organization that’s a joint manager of any personal data that is being handled.
- The name and contact particulars of representatives within the European Union, for businesses or organizations that are based outside of the European Union.
- The cause that the personal data is processed, e.g. advertising.
- The categories of data processed. For example, is the individual an employee or a customer?
- The kind of data that is handled, For instance, financial information or health information.
- Details of anybody whose personal data is communicated with.
- Details of any non-European Union states to which personal data is transferred.
- Particulars of safeguards applied for any special transfers of data, as illustrated in Article 49 of GDPR.
- Retention particulars for different sorts of personal data.
- Details of the safety measures set up for the security of personal data.
As you can notice, the documentation needed is comprehensive. For that reason, any business or organization should devote time and effort, to make certain conformity.