Gemma Briance and Geoffrey Sturgess explore the GDPR, focusing on a presumed attempt to reduce the burden on smaller organisations that lacks clarity
Article 30 of the GDPR states that each controller and processor of a data subject’s personal data shall maintain a record of processing activities that are its responsibility. It goes on to set out what should be contained in each of the controller’s and processor’s records. When used in Article 30.1a-g and 30.2a-d the word ‘record’ does not bear its usual meaning. For the purposes of Article 30 the record is a statement that must contain the information set out in Article 30.1 for controllers and Article 30.2 for processors.
Article 30.5 provides an exemption that allows Smaller Organisations to avoid Article 30 record keeping obligations provided that the processing is (i) only occasional; (ii) the processing is not considered a risk to the rights and freedoms of the data subjects; and (iii) the processing is not of ‘Special Categories of Data’ (Article 9.1) or personal data relating to criminal convictions and offences (together, for the purposes of this article, ‘Sensitive Processing’). GDPR is clear as to what Sensitive Processing is, but what does ‘occasional’ mean? The term is not defined and so far there has been no guidance from the Article 29 Working Party.
Under the GDPR, ‘personal data’ includes merely a name or an email address of an individual (Article 4.1), and processing includes storage of personal data on an electronic system or in a relevant filing system (Article 4.2). If ‘occasional’ has its literal meaning (occurring, appearing, or done infrequently and irregularly: OED), it would mean that the exemption provided for by Article 30.5 would be meaningless. Organisations process personal data on a daily basis which cannot by any stretch of the imagination be occasional; for example by holding a list of their employees. Interpreting Article 30 purposively requires some other meaning as the legislators must have intended Article 30.5 to have some effect. How can we interpret Article 30.5 so that ‘day-to-day’ processing would not prevent the exemption from applying to 99.99% of Smaller Organisations? Can we perhaps find an exemption within an exemption?
The Information Commissioner’s Office
The ICO have provided specific guidance for Smaller Organisations and the records exemption is mentioned. Two of the ‘disqualifiers’ (Sensitive Processing) are referred to, but whether or not the data processing is occasional is ignored entirely. The ICO state that ‘If your organisation has less than 250 employees you are [only] required to maintain records of activities related to [Sensitive Processing]’. Having contacted the ICO helpline and asked them why they have ignored the disqualifier relating to occasional data processing, we were informed that they have not commented on what ‘occasional’ means because the Article 29 Working Party is yet to provide guidance on this. The ICO Information Officer said that the Article 29 Working Party is likely to produce an opinion on this in early 2018 and the ICO will update their guidance thereafter.
The Belgian Privacy Commission
The Belgian Privacy Commission (their ‘Data Protection Authority’) has provided guidance on the meaning of ‘occasional’ in this context and their view is that ‘managing client data, employee data and supplier data’, all data that would be processed daily, could be excluded from the definition of ‘processing’ for the purpose of this disqualifier. They go on to say that they recommend that all organisations keep Article 30 records of their personal data processing, however they will not object if occasional (in the true sense of the word) processing is not recorded. This suggests that either they like repeating themselves or, and perhaps this is the point, that even if the rest of the world does not agree with their interpretation of Article 30.5 they will not penalise a Smaller Organisation for not recording truly occasional processing.
If we are to rely on the Belgians’ view, the next question is therefore what ‘managing’ means in this context. Our view is that ‘managing’ the above data includes keeping employees’, customers’ and suppliers’ records, placing orders with suppliers, invoicing customers and liaising with them over the progress of work, but would not extend to sending marketing emails or processing personal data in a way that would not be considered normal for the day-to-day running of the business. If we follow the view of the Belgian Data Protection Authority, organisations should apply the following thought process.
Without a definition of ‘managing data’, what decides whether a controller or processor is ‘managing data’ remains unclear; it is our view that if a Smaller Organisation is unsure, the data processing should be recorded.
What does this mean for Smaller Organisations?
A literal interpretation of Article 30.5 suggests there either is or is not an obligation to record all personal data processing. The Belgians however seem to be saying that it is only data processing that falls foul of the disqualifiers that needs to be recorded and that other processing can take advantage of the exemption. This means that Smaller Organisations will only need to record their Sensitive Processing and any other processing that is not day-to-day management processing, unless truly occasional. This means that Smaller Organisations may be relieved of some record keeping but will still need to keep Article 30 records of some of their processing. The ICO guidance also suggests that Article 30.5 exempts Smaller Organisations from recording some categories of processing rather than all processing.
This is undoubtedly an example of how unclear GDPR is, and without any specific guidance from the Article 29 Working Party or the ICO we can only apply a purposive and proportionate approach. Whilst the recording obligations are somewhat lighter for Smaller Organisations, it is clear that recording of data processing is a sensible precursor to compliance with GDPR. In the likely situation that an organisation is unclear as to whether or not it is obliged to record a specific processing activity, it should err on the side of caution and record the activity. Without analysing the data flows and identifying whether the data is ‘managing data’ or whether the processing is ‘occasional’ it would be impossible to know what to record and, as that analysis is required for an Article 30 record, it would appear that Smaller Organisations would need to create a comprehensive record of all processing so that they can decide, and subsequently justify to the ICO, what processing they do not need to record. In other words, they will need to produce a record in order to demonstrate that they have correctly decided what does and does not have to be recorded!
We await the opinion of the Article 29 Working Party with bated breath, and will update this article accordingly.
 ‘Smaller Organisations’ are, for the purposes of this article, organisations or enterprises that employ fewer than 250 people.
 For the purposes of this article the term ‘Sensitive Processing’ means processing considered a risk to the rights and freedoms of the data subjects; and processing of ‘Special Categories of Data’ or personal data relating to criminal convictions and offences.
 This term is being used to describe data processing that would prevent the Art. 30 exemption from applying to an organisation; i.e. disqualify the organisation from relying on the exemption.
 Wording added
 https://www.privacycommission.be/sites/privacycommission/files/documents/recommandation_06_2017_0.pdf Opinion only published in French and Flemish.
 Note: If the organisation were a marketing company, sending thousands of marketing emails a day to customers, prospects, or on behalf of another organisation would undoubtedly not be included in the definition of ‘managing data for the day-to-day running of the business’.