The GDPR stipulates broad requirements regarding the documentation and proof of compliance. Controllers will need to prove that their data processing meets the requirements of the GDPR and provide records of such activities, subject to Article 30 GDPR.
If your organisation has 250 or more employees, you must maintain additional internal records of your processing activities. However, this obligation also applies to smaller enterprises if:
- the processing is likely to result in a risk to the rights of affected employees (e.g. scoring, comprehensive monitoring, high risk resulting from unauthorized disclosure or access, use of new technologies);
- the processing is not occasional; or
- the processing includes special categories of data:
- as referred to in Article 9 (1) (e.g. health data, biometric data, data related to political or philosophical beliefs); or
- personal data relating to criminal convictions and offences referred to in Article 10.
Records of processing activities shall be in writing or in electronic form, and must be made available to the supervisory authorities upon request. If the requirements are not met, an administrative fine of up to EUR 10 Million or up to 2% of the annual global turnover may be imposed (Art. 83(4) GDPR).
For an example of the content requirement of records, get your free copy of the “5 Aspects of GDPR for Legal Departments”, where we go into more detail on the key obligations every GC needs to know.