Within the GDPR regulations, there is one section that is causing a lot of chatter among small business owners and that is Article 30.

What is Article 30?

Article 30 is titled Records of processing activities. It gives a long list of the records that you must hold in order to comply with the GDPR. The complete list can be found here on pages 50 – 51.

As you can see the list will require companies to put a lot of new records in place. However, for the small business owner, there is a glimmer of hope. If you take a look at Article 30 (5) it states

“The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”

To help unravel this take a look at the infographic below.

article 30 flowchart

Article 30 – Points you need to consider

Further guidance suggests that managing client data, employee data and supplier data”, all data that might be processed by a company on a daily basis, could be excluded from the definition of “processing” for the purpose of Article 30(5) so cannot be deemed to be a risk to the rights and freedoms of data subjects. Anything more than this i.e. sending email campaigns or other such marketing activities would definitely not be excluded.

 “Special categories of data” are defined as;

      • political opinions
      • religious or philosophical beliefs
      • trade union membership
      • genetic data
      • biometric data for the purpose of uniquely identifying a natural person
      • health data
      • sex life or sexual orientation data
      • racial or ethnic origin

“Occasional “has yet to receive a precise definition.

So are you Article 20 except?

You can see there is a chance that, if you meet very strict constraints, your data processing does not need to have Article 30 records. However, they are still many grey areas, particularly around what is “occasional”,  so we would always advise you to consider opting on the side of caution. It is better to have too many Article 30 records rather than not enough.

This, of course, does not mean you do not need to comply with the GDPR just that you have an exception from Article 30.

If you have any queries about this or any other area of your GDPR compliance just give us a call and we will try to help.