GDPR (6) Assessment of personal data and obligation to keep records

28 August 2017

The best way to start working on ensuring compliance with the GDPR is to make a proper assessment of the personal data that your company or organisation keeps and uses. It may be the case that you also have to convert this information into formal records of personal data processing operations. It can be difficult to determine whether such records are compulsory in your particular situation. For this reason, in this instalment of our blog we will attempt to provide clarification.

Assessment of personal data

Large organisations use specialised software for assessing their personal data, although a simple spreadsheet that contains the necessary information can be just as useful. You can find out a great deal simply by asking the departments involved the following questions:

  • Which personal data do they collect and/or use (categories of data, the types of people to which they relate, the number of data subjects involved)?
  • How are the data processed (what is done to the data) and for what purpose is this done?
  • With which suppliers, partners or other third parties are data shared?
  • Are there any flows of data to countries outside the EU?

Next, you need to determine whether the objective for which the data are used is legitimate and in balance with the data subjects’ right to privacy. Finally, you need to identify the threats that exist with respect to guaranteeing the confidentiality and integrity of the data and the measures that you take in order to protect the data. It is a minimum requirement that every controller responsible for the processing of personal data asks itself these questions.

The output of this exercise will provide you with most of the information you require to set up records of your personal data processing operations, which is a new requirement imposed by the GDPR.

Records of personal data processing operations

The existing, or ‘old’, privacy legislation includes an obligation to report automatic processing operations involving personal data to the supervisory authority. In Belgium, this authority is the Commission for the Protection of Privacy (CPP), which is usually referred to simply as the Privacy Commission. This information is entered in public records that may be viewed by anyone. However, this requirement does not apply to the most common uses of personal data, such as personnel management, payroll records and accounting, customer and supplier management, contact details (as long as these do not include any additional information), lists of members of associations, and student records. As a consequence, the majority of organisations are not required to report any information.

This will change when the GDPR enters into force and controllers have to keep their own data processing records. These records must be in digital form, and it must be possible to present them quickly and easily when an audit is carried out by the Privacy Commission or in the context of an investigation into a complaint or data breach. The records must demonstrate that the controller has a clear overview of the personal data that it processes. The controller uses this to prove it has thought about its right to carry on the processing operations and that the security measures put in place by the controller are adequate.

Another difference between the GDPR and the existing privacy legislation is that the GDPR is not limited to automatic data processing and does not provide an exception for ‘commonly used personal data’.

Who does the obligation apply to?

An exception to the obligation to keep records can be made for small organisations to a certain extent, although the GDPR is not entirely clear on this matter. For this reason, the Privacy Commission recently published detailed recommendations (on 14 June 2017). The most important recommendations are summarised below.

  • Every controller (and processor – of which more later), irrespective of whether it is a company, government organisation, association or natural person, must keep records of its personal data processing operations.
  • An exception is made, however, for organisations with fewer than 250 employees (and with turnover of less than EUR 50 million). This is not in keeping with the spirit of the law, however, as all measures must result from the risk assessment. When a small organisation processes personal data, this can entail just as much risk, if not more. For this reason there are a great many situations in which the obligation to keep records will remain in force, including for SMEs.
  • The obligation to keep records cannot be avoided if:
    • the data that are processed concern special categories of personal data or data relating to particularly vulnerable groups of people, such as children;
    • the processing of the data entails risks for the rights and freedoms of individuals and may therefore result in serious physical, material or non-material damage. The recommendations contain a number of examples: if there is a risk that the confidentiality of financial information or data protected by a legal obligation of professional secrecy could be breached, if there is a risk of identity theft or fraud, or if data about health, personality, behaviour or movements, etc., is used to produce personal profiles;
    • the data subject does not have the possibility of exercising their personal rights and therefore has no control;
    • a controller processes the personal data on a structural basis, rather than an occasional basis, in other words the data processing is not an accidental or once-only occurrence but is in fact ‘normal’. The example provided in the recommendations refers to information concerning clients, suppliers and employees.

Clearly, drawing a dividing line is very difficult. Every organisation holds some data that could cause damage if there were a breach of confidentiality, and every organisation keeps some data on a structural basis. The Privacy Commission therefore recommends that all companies and organisations keep records, although in the case of SMEs such records may be limited to the data that is processed on a structural basis. This will mean that the exercise will be relatively limited in scale at small companies and organisations.

What the records should look like, and what information they need to provide on each processing operation, will be discussed in the next instalment of this blog.

Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).

If you have any questions or comments, please write to us at