Many privacy officers are under the impression that Article 30 of the General Data Protection Regulation (GDPR) on records of processing activities creates a legal obligation for a data inventory or data mapping. This is not the case. The GDPR replaces current legal obligations that require you to notify and register your processing activities with local DPAs. Under the GDPR you are no longer required to make such notifications but rather are required to maintain a record of all your organisation’s processing activities internally and to make it available to supervisory authorities upon request. So, just like you had an external register, you now need an on-demand internal record.
In our recent webinar, Nymity explores how an organisation can:
- Incent the business to maintain a processing-based inventory that, when used in the EU, will turn GDPR Article 30 reporting into an outcome.
- Leverage the power of focusing on the purposes of data processing, an approach that aligns better with business operations and practices and is much easier to scale, update and maintain.
Also, learn more about local Article 30 GDPR guidance, including the Article 30 template guide recently released by the French data protection authority (CNIL), further highlighting the intention behind the GDPR records of processing requirement.
View our webinar on demand to hear from leading privacy experts, including David Smith, former Deputy Commissioner and Director of Data Protection, Information Commissioner's Office, UK; Oran Kiazim, Vice President, Global Privacy at Sterling Talent Solution; and Anne Fontanille, Privacy Counsel, Data Protection Officers Department, CNIL.