EU Data Processing Records Rule Brings Challenges, Opportunities

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

The new EU privacy regime requirement that companies keep detailed data processing records poses compliance challenges but will benefit companies facing regulator audits, privacy professionals told Bloomberg BNA.

The requirement is intended to push companies to be more mindful of the data they hold but also helps them know themselves better. Developing detailed records of processing activities, and where and to whom data go, forces companies to take a full inventory that will assist future decision-making and allows them to identify gaps in their compliance program. It will also allow companies to more easily demonstrate to privacy regulators their compliance with the GDPR.

The European Union General Data Protection Regulation, which is set to take effect May 25, 2018, provides detailed rules that specify exactly which type of data companies must record. Record-keeping violations will be subject to fines of the higher of up to 2 percent of a company’s global income or 10 million euros ($11.73 million). In addition to lowering the risk of fines, getting a handle on the record-keeping tasks serves as strong base for undertaking other GDPR compliance preparations.

The record-keeping rules will relieve companies of one administrative duty. The GDPR’s record-keeping obligation will replace an existing requirement that companies notify privacy regulators of their data processing activity. Now companies won’t have to give proactive notice, but instead must be prepared to produce specific records upon the request of a privacy regulator.

“Overall this is one of the biggest tasks that companies are performing right now in their GDPR journey,” Jay Cline, the U.S. privacy leader at PwC in Minneapolis, told Bloomberg BNA. “It’s the foundational step they must get right in order to get the rest of GDPR obligations right.”

U.S. companies that use personal data of EU citizens will need to comply with the GDPR, including the data processing record-keeping requirement. Compliance should be easier for U.S. companies because the kind of record keeping envisioned under the new EU law has been a best practice in the U.S. for at least a decade, privacy professionals said.

Lothar Determann, data privacy partner at Baker & McKenzie LLP in Palo Alto, Calif., told Bloomberg BNA that the documentation requirement is positive because “it helps companies have something concrete in their hand so they have facts at hand for decision-making.” In the event a company is investigated by a privacy regulator, it can demonstrate that its compliance efforts were thorough, and a violation may have only been a good faith mistake, he said.

Karen Neuman, privacy partner at Goodwin LLP in Washington, told Bloomberg BNA that the obligation to keep records goes straight to the accountability emphasis of the GDPR. Having good records will help companies show privacy regulators that they are making good faith reasonable steps to comply with other provisions in the new law, such as tighter consent rules, she said.

Keeping it Simple

Creating processing records is often a good place for “starting, assessing or upgrading a compliance program,” Determann said. Even smaller companies that may be exempt from the record-keeping requirements should keep processing records, he said.

Sebastian Kraska, founder of the German Institute for Information Technology in Munich, told Bloomberg BNA that although vendors have been offering GDPR record-keeping compliance tools, including ones designed to create sophisticated data maps showing processing points, “the fancy visualization tools are often just not practical.” Companies still need a person with privacy-compliance expertise, he said.

Determann said companies can reach a reasonable level of precision using simple records to identify data processing. They should look at where the data is within the company, such as with human resources or customer service, or as part of third-party vendor relationships. “Don’t let perfect be the enemy of the good,” he said. “Put together some reasonable, informative, and plausible” descriptions of the company’s data processing, Determann said.

Cline said that companies should include a data inventory step in the data protection impact assessment (DPIA) process, which is required under the GDPR for certain high-risk data processing, such as automated processing of sensitive personal information. Even if not required, companies should routinely conduct DPIAs, and whenever new information is being processed, it should be added to the inventory and combined with the DPIA process, he said.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security