Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help clarify the questions arising from many companies, CNIL issued guidance recently about how to fulfill record keeping obligations. The guidance includes an RPA template for controllers, and outlines contents to include for both controllers and processors. This includes keeping track of why information was collected, the categories of personal information, recipients of personal information, and any out-of-country transfers. Companies should also include how long information will be kept. For processors, records should be kept “for each type of activity operated in place of customers” with many of the same details. The CNIL recommends gathering information, making a list of processing activities, clarifying any questions and then creating the record. CNIL notes that this record should be updated “frequently” with an eye towards the activities and type of information. While the document is internal, companies should keep in mind that it will need to be provided to the CNIL if requested.
Putting it Into Practice: The recent CNIL guidance provides helpful insight on how to maintain records in accordance with GDPR requirements. Other resources include information from the UK ICO.