July 24, 2024
What are my GDPR record keeping obligations?
We examine the record keeping obligations businesses hold under GDPR. Learn more about record keeping with our GDPR FAQs.

All companies with more than 250 employees (and many with fewer than 250 employees) are required to maintain thorough records of their data processing, per Article 30 of the Regulation.

GDPR uses the phrase “record keeping” but chances are you’ve encountered adjacent phrases such as data mapping, data inventory, and data processing inventory. Much of the literature online co-mingles the definitions of these phrases, but in reality they refer to fundamentally different things.

Below, we explore the meaning of each of these phrases:

  • Data inventory: A traditional data inventory is not a new concept introduced by GDPR and is a practice already completed by many organizations. In a data inventory, companies are expected to account for all of the data that is collected and stored on behalf of the organization, identify the personnel responsible for managing the data, identify which personnel have access to which types of data, and be able to show data flows and access on a country-by-country basis. (1)
  • Data map: A data map takes the results of the data inventory a step further. It shows the path a data record travels from the point of collection through to the point of storage and/or deletion. The data map also includes information about which personnel access a data record, as well as access on a country-by-country basis.
  • Data Processing Inventory (DPI): This is a relatively new obligation introduced by GDPR, but it is not a fundamentally new concept for organizations. A DPI is specifically described in Article 30 and requires that a company maintain clear documentation of the following:
    • The name and contact details of the controller, representatives and the DPO, if applicable
    • The name and contact details of any processors or joint controllers
    • The purpose of processing
    • The legitimate basis for processing
    • The category and type of data you are processing
    • The members of your organization who will have access to the data and their location
    • Any data transfers to third countries
    • The time limit that you will hold the data
    • The security measures put in place to safeguard the data
  • Record keeping: Under GDPR, record keeping refers to the global set of activities contained in documenting records, processes, and accountability for the data stored by an organization.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
