My kids have a tendency to throw rules of evidence around at one another when they’re arguing because, you know: lawyer kids. One of my favorite lines is “you have no evidence at all that I did that!” which is usually called out despite blatant, overwhelming proof to the contrary, like the culprit being covered in paint or covered in mud or covered in feathers. (Kids are messy). Last week they tried it on me, no joke, with the very chocolate I asked about on their faces. They were unhappy when I introduced them to the concept of res ipsa loquitur and cancelled iPad time for the afternoon.
They do have a point, of course – it’s hard to prove anything without documentary evidence. A good audit trail has saved many a company when regulators come asking questions about operations or, far worse, a breach. Ultimately, every aspect of the GDPR preparations we have discussed over the past fourteen weeks is valuable primarily if it is a component of a well-documented program.
Keeping records of all data security and compliance efforts isn’t just common sense, either. GDPR itself imposes a comprehensive recordkeeping regime, one that mandates a very thorough reporting of all data security and privacy efforts undertaken by the company. Article 30 provides a list of records that controllers (and, to a lesser extent, processors) have to keep in order to be considered compliant. The list is a substantial one, requiring:
- the controller’s name, contact information, and DPO;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- any transfers to other countries and the safeguards in place in that country;
- any time limits for erasure of the different categories of data; and
- a general description of the data security protocols and technology in place.
It is true that, in a way, this list is no different from what a regulator would ask a company to compile in the wake of a breach if there was an investigation. In another sense, it’s an entirely novel requirement, because this information has to be available upon request, any time a supervisory authority asks for it. Article 30, then, imposes an ongoing duty to maintain a comprehensive listing of all the categories of data you take in, what you do with them, and what safeguards are in place for them, and regulators can ask to see it whenever they wish. If that sounds like an open invitation for an investigation or an enforcement action, that’s because it is.
Managing the records is going to be an essential task. Unlike in the past, the presumption will be that companies update the records in real time to reflect modifications to the categories of data kept or to the third-party recipients of data. No more playing catch-up after a year or four; the records you keep will need to be ready to go to a supervisory authority at any time. And because the records you keep define the acceptable scope of your use of data, you do not want to fall into the trap of using data beyond what your records disclose.
In an interesting carve-out, small and medium-sized entities (SMEs) don’t have to comply. So if your company has fewer than 250 employees, you technically are free from the burdens of Article 30. Don’t be too thrilled, however, because even if the records requirement is less demanding, regulators will still expect you to be able to answer questions about all seven categories of documents, which means you’ll need to have the answers ready, which means . . . you’ll probably be complying anyway.