Article 30 of the General Data Protection Regulation (GDPR) sets out the record-keeping obligation that underpins data protection compliance. The GDPR was adopted in 2016 and has applied since 25 May 2018. Article 30 requires data controllers (and, under Article 30(2), processors) to maintain a record of their processing activities. The record must be kept in writing, which includes electronic form, and must contain every item listed in Article 30(1): the controller's name and contact details, the purposes of processing, the categories of data subjects and of personal data, the categories of recipients, any transfers to third countries, the envisaged retention periods and, where possible, a general description of the technical and organisational security measures in place. Controllers must make the record available to the supervisory authority on request. Article 30(5) exempts organisations with fewer than 250 employees, but only if their processing is occasional, is unlikely to result in a risk to data subjects, and involves no special categories of data or criminal conviction data; in practice most organisations that process personal data systematically fall inside the obligation. Meeting Article 30 is also what drives activities such as data mapping, reconciling data held across systems, and tightening data collection practices.
of companies spend over half a million dollars for GDPR compliance.
of businesses have ended up appointing a DPO (data protection officer) to take care of GDPR and other data-related compliances.
of companies operating in Europe are not confident about their GDPR compliance.
is the rise in the demand for Data Protection Officers after the strict implementation of GDPR regulations.
In the last two years, companies have paid 164 million euros in GDPR fines for processing personal data without a sufficient legal basis. Businesses today have data spread across dozens of systems, and keeping an exact record of all processing across so many systems is hard. Article 30 of the GDPR imposes a more focused record-keeping discipline than any other privacy regulation. In the United States, for instance, there is no single federal law regulating data privacy and security; each state sets its own rules. The California Consumer Privacy Act (CCPA), signed in 2018, comes closest to the GDPR in regulating data privacy holistically.
Moreover, data privacy is harder to assure than other aspects of your IT infrastructure. For the rest of the stack there are established measures such as vulnerability assessments, API penetration testing and network scanning, but no single test can demonstrate that personal data is being processed lawfully. That assurance comes from adhering to the regulation, and an accurate Article 30 record is the foundation on which the rest of GDPR compliance is built.
Companies have received heavy fines for non-compliance with Article 30 of the GDPR, although not every lapse is measured with the same tape. The amount of a fine is governed by the following rules:
If a company commits several infringements in the same or linked processing operations, it is not fined separately for each one. Under Article 83(3), the total fine may not exceed the amount specified for the gravest infringement. Fines are also split into two tiers. The lower tier, which covers Article 30 record-keeping failures, allows fines of up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The higher tier allows fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
You can see that non-compliance with Article 30 of GDPR can get quite heavy on your budget. So, it is better to take it seriously as you do with measures like API Penetration Testing for your business applications.
Under the previous Data Protection Directive, organizations notified these details to the supervisory authority. Under the GDPR, they must instead keep the records internally and produce them on request. The following are the points to keep in mind to comply with Article 30 of the GDPR: