Reduced need for record keeping by SMEs

Legal Update


We hadn't realised this particular issue was such a hot topic, but it clearly has been. WP29 has described a 'high number of requests coming from companies'.

To help, they have issued what they call a 'position paper'.

What is WP29?

The full name is the Article 29 Working Party, and they are currently the top data protection group within then EU aparatus.

We say 'currently' because on 25th May 2018 WP29 will cease to exist, and become the European Data Protection Board or EDPB for short. This will remain the highest authority for data protection issues within the EU.

Not much of an exemption

The document points out that article 30(5) states that organisations with less then 250 staff are not required to keep records of processing in some circumstances.

But there are three types of processing where this requirement remains, where processing:

  • is likely to pose a high risk to data subjects
  • is not occasional
  • covers special categories of data including convictions and offences

If any of these are the case, records must still be kept. But as the document goes on to say, the ‘occasional’ word is an issue. A small organisation will regularly process data about it’s staff, so this cannot be occasional.

The good news is records only need to be kept for regular processing, processing special categories of data and processing which is likely to cause a high risk to data subjects.

WP29 also explicitly asks the ICO to help SME’s by making record keeping easy, perhaps by providing simplified models for SME’s to use. This does not yet exist, but watch this space.

If you need advice about GDPR, contact us!

FREE initial consultation!

Call now on 0800 2800 679