A number of Supervisory Authorities have already mentioned that their investigations into GDPR compliance will start from the analysis of the Records of processing activities (Art. 30 GDPR). By having accurate and complete Records, organisations will be able to prove that they are taking the GDPR seriously by applying a systematic approach to mapping and governing data flows and related processing activities.
This is also confirmed by the recent statement of the Dutch Supervisory Authority, which can be found here. In this respect, it is worth pointing out the extensive interpretation of this obligation by #A29WP (now #EDPB) in its Working Party 29 Position Paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR.