GDPR Article 30: Logging and reporting data transfers
This post looks at GDPR Article 30 and your responsibilities for logging and reporting data transfers that include personally identifiable data. It is part of our GDPR blog series. Each post looks at different aspects of data transfers or file sharing, and includes recommendations for GDPR compliance.
In previous blogs, we have discussed encrypting personally identifiable data in transit and at rest, in order to satisfy GDPR requirements. This blog post looks at reporting and auditing the file transfer operations.
Unlike many articles in the GDPR, you can find what you need to know in one simple place: Article 30 (Records of processing activities).
You need to consider the following recital statement (#82) for GDPR Article 30:
In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
This means you need to document how your data transfers should take place (through an impact assessment), and log how they actually occurred in practice. Your Data Protection Impact Assessment (DPIA) should explain, among other factors, the sensitivity of the data and where it is sent, and stipulate security requirements accordingly.
To be compliant with GDPR, you should be able to compare the DPIA with your logging (perhaps through automated means) to show that transfers are taking place as stipulated, and so that any discrepancies can be addressed as they occur.
The ‘supervisory authority’ would generally be the Data Protection Officer (DPO), who is responsible for an organisation’s GDPR compliance, including performing impact assessments. At a minimum, DPOs need to know when the reporting flags up that a transfer has diverged from the criteria stipulated in the impact assessment (Articles 35 and 39).
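As an added illustration of the automated comparison described above (example code written for this post, not Pro2col's or any MFT product's own), the check below reads constructed transfer log lines and flags every transfer that diverges from a hypothetical DPIA. The dataset names, destinations, log format and list of encrypted protocols are all assumptions.

```python
from dataclasses import dataclass
# Hypothetical DPIA stipulations (constructed): per dataset, the permitted
# destinations and whether encryption in transit is required.
DPIA = {
    "hr-payroll": {"destinations": {"payroll-provider.example"}, "encrypted": True},
    "marketing-leads": {"destinations": {"crm.example", "analytics.example"}, "encrypted": True},
}
# Protocols treated as encrypting data in transit (assumption).
ENCRYPTED_PROTOCOLS = {"sftp", "https", "ftps"}
# Constructed MFT log lines in an assumed format: timestamp dataset destination protocol
SAMPLE_LOG = """\
2018-05-25T09:00:00Z hr-payroll payroll-provider.example sftp
2018-05-25T09:05:00Z hr-payroll backup-vendor.example sftp
2018-05-25T09:10:00Z marketing-leads crm.example ftp
2018-05-25T09:15:00Z customer-orders shop.example https
"""

@dataclass(frozen=True)
class Transfer:
    timestamp: str
    dataset: str
    destination: str
    protocol: str

def parse_log(text):
    """Turn log lines into Transfer records; malformed lines are skipped (a real
    report should count them, since a gap in the log is itself a finding)."""
    return [Transfer(*f) for f in (line.split() for line in text.splitlines()) if len(f) == 4]

def find_discrepancies(stipulations, transfers):
    """Return (Transfer, reason) pairs for each way a transfer diverges from the DPIA."""
    issues = []
    for t in transfers:
        rule = stipulations.get(t.dataset)
        if rule is None:
            issues.append((t, "dataset has no DPIA entry"))
            continue
        if t.destination not in rule["destinations"]:
            issues.append((t, "destination not stipulated in DPIA"))
        if rule["encrypted"] and t.protocol.lower() not in ENCRYPTED_PROTOCOLS:
            issues.append((t, "unencrypted transfer of data requiring encryption"))
    return issues

def report(stipulations, log_text):
    """Lines to raise with the DPO; an empty list means every transfer matched the DPIA."""
    return [f"{t.timestamp} {t.dataset} -> {t.destination} ({t.protocol}): {why}"
            for t, why in find_discrepancies(stipulations, parse_log(log_text))]

if __name__ == "__main__":
    print("\n".join(report(DPIA, SAMPLE_LOG)) or "all transfers match the DPIA")
```

Run against the constructed log it flags three of the four transfers: an unstipulated destination, an unencrypted protocol for data the DPIA requires to be encrypted, and a dataset the DPIA never covered.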
Managing user accounts
Another point to consider is the management of user accounts. First, there is Article 7 (Consent) to take into account. You must keep a record of the consent given when an end user signs up to the file transfer service. (Mostly this applies to external users, as internal users usually give consent through their terms of employment). You must be able to show the wording of the consent at any time during the life of the user account, so you may wish to record (and report) on this information separately – perhaps in the user profile itself.
You will also need to report on user accounts at various stages of their life. Under GDPR, you can only keep personal data for as long as it is required, and reporting will highlight any personally identifiable data that needs removing. Article 17 tells us that the controller has an obligation to erase personal data when it is no longer necessary for the purpose for which it was collected. Many systems will automatically expire accounts if they are not used for a period of time, but you may still hold those users’ personal details, which will need to be removed. Creating a report of expired user accounts will highlight these.
Managed File Transfer (MFT) solutions transfer data quickly and securely, enhancing productivity and providing visibility. Systems have a range of features to keep you compliant with the GDPR. Find out more about how MFT can transform your business on the MFT solutions page.
Are you reviewing your data transfer and file sharing processes and systems for GDPR compliance? Pro2col’s GDPR White Paper is an essential read for you.