Article 2: How to comply with GDPR Article 30
March 31st, 2020
Article 30 is the part of GDPR concerned with how processing activities are recorded. If your business has more than 250 staff, OR there is regular, large-scale processing of personal data, OR the personal data are of a sensitive nature, then Article 30 considerations need to be followed. The geographical considerations are nuanced, but a good rule of thumb is that GDPR applies if (i) the business has an office in the European Economic Area (EEA), OR (ii) the business has customers in the EEA, OR (iii) the business has staff outside the EEA who access data stored in the EEA…
Metadata – what?
Metadata are data about your data. Like it or not, your business will have to understand its Personal Data landscape – think of that as a map of what stores of data the business has, who owns each data store, what information is in each… and where they send information to. Can you, hand on heart, say that for each store containing personal data your business knows and has recorded the legal basis (or bases) under which the information was gathered? The lifetime of the data? The measures that will be taken (e.g. return or erasure) at the end of the data’s lifetime? This is not an academic exercise – under the data subject’s new rights (over and above those in the old UK Data Protection Acts) information may have to be sought, extracted and collated – to a surprisingly brief timescale, in a complex data environment.
Not just pretty pictures
The Personal Data Landscape needs to be mapped: this will likely require interviewing a number of staff in different parts of the business. It’s a common mistake to assume that only digitised information is relevant – paper records count too! If there’s regular processing of large quantities of information, or of sensitive information, then summary details need to be kept in a Data Processing Register.
We can help
HMC Ltd. can help with the mapping of your personal data landscape, with advice on the collation, organisation and storage of your business’s metadata, putting you in the best position to comply with the law and efficiently satisfy any future DSARs or similar enquiries.