GDPR – We Employ Fewer than 250 People, so We’re Exempt from Keeping Records of Data Processing Activities, Right?
This question pops up in discussion forums and from clients quite a bit and deserves a good examination of the new data protection laws, particularly Article 30 (5) of the General Data Protection Regulation (GDPR)[i], as there appears to be an exemption from maintaining records of data processing activities for organisations employing fewer than 250 persons.
First, what does GDPR Article 30 state? In summary, Art. 30 requires data controllers and data processors to maintain specific records of their data processing activities. The full requirements are given in Art. 30 (1) – (2).
Recognising that this may pose a challenge for smaller organisations, Art. 30 (5) provides a derogation (exemption); however, there are limitations to that derogation. What does Art. 30 (5) state?
Article 30 (5) The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is [1] likely to result in a risk to the rights and freedoms of data subjects, [2] the processing is not occasional, or [3] the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Note: the numbers in square brackets above are added by the author to link to the points below.
To help understand the impact of Art. 30 (5), the three types of processing it identifies, and the effect of the derogation, we can refer to guidance issued by the Article 29 Data Protection Working Party[ii], which has now evolved into the European Data Protection Board[iii].
The first thing to note is that the derogation provided by Art. 30 (5) is not absolute: it does not apply to three types of processing:
- Processing that is likely to result in a risk to the rights and freedoms of data subjects.
- Processing that is not occasional.
- Processing that includes special categories of data or personal data relating to criminal convictions and offences.
The guidance highlights one key fact: the three types of processing above are alternatives, joined by “or”, i.e. point 1 or point 2 or point 3. This means that the occurrence of any one of them requires an organisation employing fewer than 250 persons to maintain records of data processing activities.
In point 1 the phrase is ‘…likely to result in a risk to the rights and freedoms of data subjects.’ Note the threshold: a risk, not a high risk, just a risk.
In point 2 it refers to processing ‘…that is not occasional.’ In simple terms, occasional means not a regular data processing activity.
There is a general definition of the term “occasional” on page 4 of the WP29 Guidelines on Article 49 of Regulation 2016/679 (WP262)[iv]. To summarise, for data processing to be classed as occasional it must be just that: occasional, not a regular process, and likely to fall outside normal business activities.
Therefore, any organisation that employs persons is likely to process data about those employees regularly; that processing is not occasional, so the organisation will be required to maintain records of data processing activities.
In point 3, if an organisation employing fewer than 250 persons processes data that falls under special category data (see GDPR Art. 9) or relates to criminal convictions and offences (see GDPR Art. 10), then no derogation is available to the organisation and it must maintain records of data processing activities.
If you have now identified that you must maintain records of data processing activities, do not despair: this is not a bad thing, as it is useful (and you ought to do it) as part of understanding the data the organisation processes and identifying the risks in processing that data.
There is also some useful information published by the UK’s data privacy regulator, the ICO (Information Commissioner’s Office): 1) What do we need to document under Article 30 of the GDPR?[v] and 2) How do we document our processing activities?[vi] The second link includes downloadable templates for maintaining records of processing for data controllers and data processors. See the Useful Resources links below to access these.
[i] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119 [Last Accessed 26 October 2018] <https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1540559321086&uri=CELEX:32016R0679>
[ii] Working Party 29 Position Paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR [Last Accessed 26 October 2018] <http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51422>
[iv] Working Party 29 Guidelines on Article 49 of Regulation 2016/679 [Last Accessed 26 October 2018] <http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49846>
[v] ICO Guidance – What do we need to document under Article 30 of the GDPR? [Last Accessed 26 October 2018] <https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/documentation/how-do-we-document-our-processing-activities/>
[vi] ICO Guidance – How do we document our processing activities? [Last Accessed 26 October 2018] <https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/documentation/how-do-we-document-our-processing-activities/>