The European Union approved a new law, called the General Data Protection Regulation or GDPR for short, that will take effect on May 25, 2018. The new law aims to consciously and directly protect the personal data of EU residents, giving individuals greater control over how their information is used and enforcing harsh consequences if companies do not abide by the law.
The GDPR consists of nearly 100 articles that cover a wide range of components involving personal data compliance. One of the most specific and important articles is the one covering the Article 30 Record. It is a pretty straightforward process but can be far more complex to navigate, as data compliance is not as easy as it used to be.
Article 30 requires organizations to keep a consistent record of both sensitive and non-sensitive data. Such a record allows organizations to demonstrate their compliance in accordance with the GDPR’s rule of accountability. Additionally, in case of an audit, the records must be handed over to EU data protection authorities for investigation.
An Article 30 Record covers 8 primary aspects:
1. Name and contact details of the data controller
2. Purpose of processing the personal data
3. Categories of different data subjects
4. Elements of personal data the organization is processing
5. Contacts who have received the personal data
6. Countries where the organization has sent the data
7. Retention period for the personal data or an idea of how the organization will calculate it
8. Technical and organizational security methods the organization will use to protect the personal data
In a digital age that is as replete with threats as it is with innovation, 80% of all data that is collected is now unstructured, meaning it is extracted from content sources such as email, text messages, and chat. Every 2 years, this volume doubles, forcing organizations to create a data map. To ensure the proper collection and use of data, organizations must keep updated Article 30 records.