Garrigues Digital_

Legal innovation in Industry 4.0

GDPR: most SMEs will be unable to avoid the requirement of an RPA for some types of processing

Pilar Vargas (lawyer, Corporate Law and Commercial Contracts; Technology & Outsourcing industry).

The General Data Protection Regulation (“GDPR”) exempts small and medium enterprises (“SMEs”)[1] from the requirement to maintain Records of Personal Data Processing Activity ("RPA") unless the processing carried out by the SME entails a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data or similar conditions.

In practice, this wording has left many SMEs unsure about whether or not they are required to keep an RPA.

The Article 29 Working Party ("WP29") has just published its position report regarding this exception (article 30.5 GDPR). The WP29 report interprets the GDPR as confirming that SMEs which fulfil any of the three circumstances that exclude them from the exception are required to maintain an RPA, but it clarifies that this RPA need only cover the processing activities affected by the specific circumstance in question. In other words, it introduces the innovation of separating activities for the purposes of the RPA, so that a record need only be kept in respect of those particular activities.

Thus, for example, a company whose only personal data processing derives from salary management will only need to keep an RPA covering processing in that area, because such processing is by definition regular and repeated, and is therefore habitual rather than occasional.

It should be recalled that the RPA is the key to Data Governance in any organization. It is the essential element for structured data management, both internally and in the event of possible requirements of the control authority. Furthermore, it is an extremely useful tool for enabling companies to gain a comprehensive overview of their processing activities, and also for this new perspective to result in increased consistency in corporate privacy strategy.

Basically, article 30 of the GDPR establishes a minimum content for the RPA, both for data controllers and for data processors. For the moment, neither the new LOPD draft bill nor the Spanish Data Protection Agency (“AEPD”) has come up with a framework proposal for the RPA[2], which has created considerable uncertainty among businesses, particularly those SMEs that may find themselves in a grey zone as to whether or not they are eligible for the exception established in article 30.5 of the GDPR[3].

The Bavarian Data Protection Authority has published a guide to creating an RPA. It is the only guide of its kind issued so far, apart from some comments contained in the recent WP29 position report, which only addresses the RPA in respect of the aforementioned exception in article 30.5 of the GDPR.

The Bavarian guide raises a series of apparently minor issues regarding the RPA which nonetheless have considerable relevance in practice. One example is the requirement to maintain a record of RPA amendments for a specific period from the date of each modification, pursuant to the principle of proactive responsibility, i.e. accountability as established in article 5.2 of the GDPR. This record is necessary in order to be able to check the RPA amendments during that period, which the guide recommends should be extended so that it coincides with the limitation period for related data protection matters.

In respect of article 30.5, the Bavarian Authority indicates that this exception will be extremely limited in its application, as SMEs are normally subject to conditions that prevent them from taking advantage of it, usually because they either process personal data repeatedly or process sensitive data.

This view of the limited application of the exemption for SMEs from the need to create an RPA is further confirmed by the WP29 position report. At present it would be difficult to find an SME that does not regularly process personal or sensitive data for some category of data subject, whether employees, clients or representatives of other enterprises.

In short, compliance with all the GDPR requirements will, in practice, necessitate the compilation of data processing inventory documents which, irrespective of the name and title given to them, will be essentially very similar to an RPA.

It could even be argued that an exception based on an objective numerical criterion should have been eliminated during the legislative drafting process, as the different versions of the GDPR were developed (Commission, Parliament, Council, Trialogue), in the same way that other objective thresholds were ruled out, such as those originally devised for the designation of the Data Protection Officer, where the objective focus was replaced by one of proactive responsibility (accountability).

In any case, the initiatives being undertaken by different authorities are illustrative of the need to continue considering local specificities, despite the terms of the GDPR.

[1] For the purposes of the GDPR, an SME is deemed to be a company that employs fewer than 250 employees.

[2] The Catalan Data Protection Agency has just recently published an app designed to create an RPA for SMEs, which is available at the following link.

[3] Although the AEPD has not issued a position in this regard, it is currently leading an interesting project designed to assist SMEs in adapting fully to the GDPR. Within the framework of this project a "facilitate" tool has been developed which aims to assist enterprises with low-risk processing activity in complying with the new regulation.