Guide to GDPR Article 30 for Financial Services

What Does GDRP Article 30 Mean for Your Business?

This section of the GDPR has several purposes:

• To create an audit trail for tracking GDPR compliance
• To promote transparency around data processing
• To give customers and data subjects more control over their personal data
• To help your business identify security vulnerabilities effectively

Compliance with Article 30 requires time, effort,data management toolsand good planning, but the results are positive.

Important Terms

To understand the scope of Article 30 of the GDPR, you need to know the meaning ofkey terms.

Personal Data

Under GDPR guidelines, personal data refers to information that can identify a living person either directly or indirectly:

• Name
• Street address or personal email address
• IP address or other location tracking data
• ID card number
• Mobile device advertising ID

Evensmall pieces of data can reveal a person’s identity when combined with other information, such as certain cookies.

Data Processing

Processing covers any interaction with personal data. Collecting, storing, analyzing, using and combining data are types of processing.

Controller

A controller is a person or organization that makes decisions about the use of personal data. Controllers are also responsible for managing compliance. Many online businesses are controllers, including retailers and lenders.

Processor

A processor is a third-party individual or business that works with personal data on behalf of another organization. Processors don’t make decisions about data handling; they follow instructions from the controller instead.

Required Information

Good organization is necessary to comply with GDPR Article 30information processing requirements.

Controller Document Requirements

Controllers must document many details for each category of personal data processing, such as:

• Organizational details:Your company’s name and contact information, as well as information for joint controllers or EU representatives
• Processing purposes:The reasons you need to use personal data, such as marketing, customer relationship management or HR
• Category of individuals:The type of people you gather or use personal data from, such as customers or employees
• Type of personal data:Every category of personal data you process, such as financial details, names, location data and payment processing methods
• Data recipients:Any third-party recipients of personal data, including credit management agencies, advertisers and accounting firms
• Data security measures:Overview of safeguards in place for personal data, such as two-factor authentication or secure workflow applications
• Data storage policies:The length of time that your business stores personal data

The GDPR requires controllers to list any countries or international businesses that receive personal data outside of the EU. For example, a United States-based business has to disclose if it transfers personal data from EU customers to North America.

Processor Document Requirements

Data processors have fewer GDPR requirements, but they must still document the following information:

• Your organization’s (and data protection officer’s) name and contact details
• Details of the controllers you do business with (names and contact information)
• The data processing services you provide (such as payroll distribution)
• Names of businesses, countries or organizations outside of the U.K. that receive personal data during processing
• List of security measures in place for data protection (such as encryption or secure workflow platforms)

You also need to document any third-party subprocessors or intermediaries, such as an EU-based representative.