How to Meet GDPR Article 30 Requirements

The GDPR has several reporting requirements, including Article 30, which pertains to records of processing activities. The requirements for Article 30 are likely to apply to most companies because of Article 30’s broad applicability. Companies preparing to comply with Article 30 should look at how data moves through each of their business processes, not just where the data resides. In other words, “follow the data”.

What is Article 30 in GDPR?

Article 30 requires companies to produce “records of processing activities”, which will allow regulators to see that companies are adhering to GDPR. With this goal in mind, the records should show why and how the data is being processed. Strictly focusing on the data elements themselves may cause a company to overlook including these important elements. In contrast, focusing on how the data is collected and why it is collected will help you adhere to GDPR requirements.

How does it affect my business?

What documentation is required? 

Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
  2. the categories of processing carried out on behalf of each controller;
  3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  4. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Where can I find templates for documentation required by Article 30?

TrustArc has developed special on-demand reporting tailored to meet Article 30 requirements.


Sample Article 30 input form in TrustArc Data Flow Manager

Checklist: How to comply with Article 30

  • Gather stakeholders together and explain the benefits of having an up-to-date data inventory in order to get buy-in.
  • After approaching stakeholders, start to gather the approximate number of business processes that need to be mapped. Asset inventories and vendor lists can be leveraged to help get an idea of the size and scope of the business mapping project.
  • Start with a pilot project using one business unit to test and validate the methodology used to gather the information needed. Then use early deliverables from the pilot to secure better engagement for the broader project.
  • Map your business processes.

GDPR Article 30
Records of processing activities

  1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
    1. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
    2. the purposes of the processing;
    3. a description of the categories of data subjects and of the categories of personal data;
    4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
    5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
    6. where possible, the envisaged time limits for erasure of the different categories of data;
    7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
  2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
    1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
    2. the categories of processing carried out on behalf of each controller;
    3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
    4. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
  3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
  4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
  5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Speak to a privacy expert about how your company can meet Article 30 requirements.

 

 

Global Businesses of All Sizes Selecting TrustArc to Address Cookie Consent Compliance

Cookie Consent Manager - TrustArc

Much of the focus around preparing for the upcoming GDPR deadline has been around some of the new requirements, such as Data Protection Impact Assessments (DPIAs). While resources must be dedicated to meeting these new requirements, organizations should also keep in mind compliance with cookie consent requirements.

Clients of all sizes across a wide range of industries and geographies continue to select TrustArc to help them address cookie consent requirements. A sampling of recent launches includes:

  • US-based international clothing retailer
  • SaaS-based CRM provider
  • EU-based global insurance company
  • Multinational food producer
  • World renowned toy manufacturer
  • Several leading hospitality companies

You can learn more on how to prepare for cookie compliance under the GDPR by listening to this on-demand webinar: Profiling, Big Data & Consent Under the GDPR.

If you would like to join the growing list of global brands using our solutions, request a demo here to get started.

TrustArc named Top 10 Hottest Privacy Technologies

TrustArc Assessment Manager dashboard

Based on Forrester Research’s investigation of the current state of the 20 most important data protection tools, in which Forrester assessed “20 of the key traditional and emerging data security and privacy technologies that security and privacy leaders and their staffs can use to underpin a holistic strategy,” Forbes has named TrustArc solutions in its list of the 10 hottest data security and privacy technologies. Specifically, Forbes included TrustArc in these categories:

Consent/data subject rights management: Managing consent of customers and employees, as well as enforcing their rights over the personal data that they share, allowing organizations to search, identify, segment, and amend personal data as necessary.

Data privacy management solutions: Platforms that help operationalize privacy processes and practices, supporting privacy by design and meeting compliance requirements and initiating auditable workflows.

These are just two of the areas where TrustArc can help organizations meet compliance with privacy frameworks and new laws, such as the GDPR. If you would like to learn more about TrustArc solutions, including Data Inventory and Mapping, contact us.

 

 

The Solution to help Meet GDPR Article 30 Requirements

TrustArc Data Flow Manager

EU General Data Protection Regulation Article 30

Article 30 pertains to Records of Processing Activities. Not only do organizations have to keep records, they also have to be able to produce them on demand.

In order to meet this requirement, an organization should follow these best practices:

  • Create a centralized, secure data inventory that can be maintained over time
  • Provide stakeholders across the organization with visual data maps of business process flows
  • Ensure that all information necessary for the Article 30 reports is recorded so that reports can be generated on-demand
  • Generate a scalable, sustainable process for meeting Article 30 requirements

Visual data maps make it easier for stakeholders across the organization to see how data flows through complex business processes. Unlike an Excel spreadsheet that confines multilinear connections between different data flows to rows and columns, a visual data map makes it easier to follow the data throughout the business process.

When data inventories are kept up to date, generating current reports will be an easier task. While data maps and data inventories are not required by the GDPR, they provide a great foundation for building the reports necessary to meet GDPR requirements. To gain stakeholder buy-in, we suggest highlighting these benefits that a comprehensive data inventory will bring:

| Business Unit | Focus | Benefits to BU & Business |
| --- | --- | --- |
| Information Technology | identifying storage redundancies | Reduce infrastructure complexity; Cost savings |
| Information Security | understanding what data reside in which systems | Prioritize protection efforts – focus on high risk, high value; Establish appropriate access controls; Cost savings |
| Operations | visualizing flows and uses of data throughout the company | Reduce redundancies; Improve efficiencies; Cost savings |
| Procurement | identifying points at which the company shares information with third party vendors and understanding the sensitivity of the data being shared | Support risk-based vendor management; Greater efficiency in contract management; Cost savings |


After creating a data inventory and visual data maps, an organization still has to be able to generate Records of Processing Activities.

Data Flow Manager, part of the TrustArc Privacy Platform, can generate an on-demand report of these records, because our privacy experts have purpose-built this solution to meet these GDPR requirements.

The solution combines powerful technology with privacy expertise, providing a streamlined way to generate sustainable data inventories and visual representations of data throughout the lifecycle. Data Flow Manager also helps businesses prepare to meet privacy regulations, including the GDPR, because it provides Article 30 reports on demand.

  • Create a sustainable data inventory
  • Visual data maps
  • Article 30 reports on-demand
  • Optional assistance building sustainable processes from TrustArc privacy experts

See the power of TrustArc Data Flow Manager by reserving a time to speak with one of our privacy experts.

TrustArc Partners with Alibaba Cloud

We announced our newest partnership with Alibaba Cloud (the cloud computing arm of Alibaba Group) at the IAPP Asia Privacy Forum 2017.

As data privacy increases in importance for organizations of all sizes and maturity in Asia, TrustArc saw an opportunity to partner with one of the fastest-growing cloud computing companies in the world. Both TrustArc and Alibaba Cloud believe that as organizations continue to provide excellent experiences for their customers by collecting personal data, keeping up with evolving regulations and protecting data privacy is key. Scaling a privacy program requires using a combination of privacy expertise and technology.

This strategic partnership will bring TrustArc’s privacy compliance technology to Alibaba Cloud’s growing base of customers across Asia and around the world. Alibaba Cloud will be deploying TrustArc’s Data Privacy Management Platform and TRUSTe certification services within its organization to demonstrate compliance across the organization, minimize risk and build trust.

For other organizations, TrustArc is also offering its privacy platform through the Alibaba cloud infrastructure, providing businesses in Asia with a safe and efficient way to manage privacy compliance and risks via Alibaba Cloud’s extensive global network while minimizing the need to transfer information across international borders and any corresponding regulatory requirements.

TrustArc’s Chris Babel said:

Our partnership with them is an important step in our mission to enhance and streamline privacy compliance on a global basis.

This partnership continues our business application integration partnerships with top Business Intelligence, Governance Risk and Compliance, Help Desk, Human Capital Management, and IT System Management Applications. Examples of those integrations are:

  • Conducting privacy assessments in the TrustArc Platform that were triggered from GRC and HCM systems (e.g., Archer, SAP)
  • Exporting assessment remediation tasks from the TrustArc Platform into service desk systems (e.g., ServiceNow, JIRA) to track project status
  • Importing asset information from IT Service Management systems (e.g., BMC Remedy) to construct data maps for privacy risk analysis in the TrustArc Platform
  • Exporting risk assessment results and program metrics from the TrustArc Platform into business intelligence systems (e.g., Crystal Reports, Domo) to produce program accountability reports

See how the TrustArc Platform can help your organization, or contact us today to learn more.

TRUSTe Transforms to TrustArc

TrustArc – TRUSTe Update

New Name – New Look – Continued Commitment to Privacy Compliance Innovation

Today we changed our name to TrustArc. Our new name reflects our evolution from a privacy certification company into a global provider of technology-powered privacy compliance and risk management solutions.

The name change also coincides with our 20th anniversary of delivering innovative privacy solutions.

The TrustArc brand will be used for all corporate communications as well as our technology platform and consulting services. The TRUSTe brand will continue to be used for our certification offerings, including the certification seal. While most of the changes have already been implemented on our website and collateral, some items will be transitioned over the next few weeks.

TrustArc Hierarchy

TRUSTe History

The TRUSTe name dates back to 1997 when we were founded to provide certifications to help businesses assure users they could share their data online by demonstrating adherence to a high standard for privacy management. The TRUSTe name became synonymous with our certification services and the iconic green privacy seal displayed on thousands of websites worldwide.

While certifications remain an important component of many companies’ privacy programs, managing privacy compliance and risk has become increasingly complex due to new regulations such as the GDPR, cyber security concerns, and increased volumes of personal data collection. Businesses need a wide range of technologies and consulting services to help them design, implement, manage and demonstrate their enterprise privacy programs.

To meet these evolving market requirements, we launched the first module of our Data Privacy Management Platform in 2011 to address advertising privacy compliance. Our technology platform has been continuously expanded and now includes data inventory and mapping, risk assessment, website monitoring, consent management, and dispute resolution capabilities.

The platform now generates the largest percentage of our revenue and is used to power TRUSTe certifications and our rapidly growing consulting and managed service business.

Introducing TrustArc

The TrustArc name reinforces our deep privacy expertise developed over the past two decades along with our ongoing expansion into new technology-powered solutions.

“Trust” reflects our strong history as an innovator and leader in the privacy market, and the value businesses place on ensuring they can build trust with their customers and partners.

“Arc” conveys the broader set of solutions we now offer and our ongoing commitment to continuously expand our technology platform and services to meet the future needs of our clients.

The TrustArc symbol, inspired by the strength and intelligence of dolphins, reflects the continued evolution of the privacy industry along with the continued changes that both our clients and TrustArc will need to make to address new challenges as they arise.

Dolphins

| Dolphin Traits | TrustArc Strengths |
| --- | --- |
| Intelligence – The dolphin’s brain is the most powerful and complex in animals, second only to humans | Our solutions are powered by robust technology and regulatory intelligence derived from two decades of experience. |
| Collaboration – Dolphins are highly social and usually travel together in pods | Strong partnerships with clients and other solutions providers help us address the needs of organizations of all sizes, across all industries. |
| Agility – With bodies shaped like torpedoes, dolphins can maneuver through the water at rapid speeds of over 20 mph | Our depth of expertise and agile development approach enables us to rapidly respond to ongoing changes in the global privacy market. |
| Protection – Sailors have long believed that dolphins are a good omen and protectors of those in need | For two decades, we have provided a range of solutions that enable organizations to demonstrate how they protect privacy. |
| Inner Strength – Dolphins are fearless in the wild, and if threatened by sharks or orcas, do not hesitate to fight rather than flee | We have been the privacy solutions market leader for 20 years, and do not hesitate to swiftly adapt to changing market needs. |

TrustArc offers an unmatched combination of solutions backed by over 150 employees dedicated to privacy, a comprehensive purpose-built technology platform used by over 1,000 clients, and a proven methodology honed through thousands of customer engagements over the past 20 years.

In addition to continuously expanding our technology platform and services to meet our clients’ needs, we are opening our platform to integrate with other key business systems as well as making our platform available for partners across the privacy ecosystem to use to deliver their services.

The spirit of innovation that has inspired TRUSTe for the past 20 years will continue to guide TrustArc into the future. It’s why more than 1,000 clients worldwide rely on us to minimize risk and help fuel new business initiatives.

For more information on TrustArc, visit www.trustarc.com
