The GDPR has several reporting requirements, including Article 30, which pertains to records of processing activities. Because Article 30 is broadly applicable, its requirements are likely to apply to most companies.
Companies preparing to comply with Article 30 should look at how data moves through each of their business processes, not just where the data resides. In other words, “follow the data”.
Article 30 requires companies to produce “records of processing activities”, which will allow regulators to see that companies are adhering to GDPR. With this goal in mind, the records should show why and how the data is being processed. Focusing strictly on the data elements themselves may cause a company to leave the why and the how out of its records. In contrast, focusing on how the data is collected and why it is collected will help you adhere to GDPR requirements.
Because most companies subject to GDPR will need to comply with Article 30, TrustArc has developed a Solutions Brief that covers the general requirements, processes to help meet the requirements, how to build a data flow map, and how to produce Article 30 compliance reports.