Legal Update
We hadn't realised this particular issue was such a hot topic, but it clearly has been. WP29 has described a 'high number of requests coming from companies'.
To help, they have issued what they call a 'position paper'.
The full name is the Article 29 Working Party, and they are currently the top data protection group within then EU aparatus.
We say 'currently' because on 25th May 2018 WP29 will cease to exist, and become the European Data Protection Board or EDPB for short. This will remain the highest authority for data protection issues within the EU.
The document points out that article 30(5) states that organisations with less then 250 staff are not required to keep records of processing in some circumstances.
But there are three types of processing where this requirement remains, where processing:
If any of these are the case, records must still be kept. But as the document goes on to say, the ‘occasional’ word is an issue. A small organisation will regularly process data about it’s staff, so this cannot be occasional.
The good news is records only need to be kept for regular processing, processing special categories of data and processing which is likely to cause a high risk to data subjects.
WP29 also explicitly asks the ICO to help SME’s by making record keeping easy, perhaps by providing simplified models for SME’s to use. This does not yet exist, but watch this space.