Record-keeping requirements under GDPR

GDPR is now in full effect and it contains explicit rules about how you process and secure data. Diana Bruce of the CIPP explains the ins-and-outs.

On 23 May 2018 the General Data Protection Regulation (GDPR) was effectively integrated into the new Data Protection Act (DPA) 2018. There were significant changes within GDPR which moved the emphasis away from the “best practice” approach of DPA 1988 to a “requirements” approach under GDPR. The documentation of processing activities is a new requirement under GDPR.

GDPR contains explicit provisions about documenting your processing activities. You must maintain records on several things such as processing purposes, data sharing and retention. You may be required to make the records available on request to the Information Commissioner’s Office (ICO) or other appropriate authority for the purposes of an investigation.

The record-keeping obligation applies to both controllers and processors employing 250 people or more. Processing activities of internal records must be maintained and the following information as a minimum must be recorded:

  • Name and details of the organisation (and where applicable, of other controllers and the data protection officer)

  • Purpose(s) of the processing

  • Description of the categories of individuals

  • Description of the categories of personal data

  • Categories of recipients of personal data

  • Details of transfers to third countries or international organisations including documentation of the transfer mechanism safeguards in place

  • Retention schedules

  • Description of technical and organisational security measures

There is a limited exemption for small and medium-sized organisations so if you have fewer than 250 employees, you only need to document processing activities that:

  • Are not occasional

  • Could result in a risk to the rights and freedoms of individuals

  • Involve the processing of special categories of data or criminal conviction and offence data

Even if you are not obliged to keep records, doing so can only increase the effectiveness of your GDPR compliance processes.

All organisations have to provide comprehensive, clear and transparent data privacy policies.

As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with GDPR and the UK’s Data Protection Bill. Such documentation may include information required for privacy notices, such as:

  • The lawful basis for the processing

  • The legitimate interests for the processing

  • Individuals’ rights

  • The existence of automated decision-making, including profiling

  • The source of the personal data

  • Records of consent

  • Controller-processor contracts

  • The location of personal data

  • Data Protection Impact Assessment reports

  • Records of personal data breaches

  • Information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering: the condition for processing in the Data Protection Bill, the lawful basis for the processing in GDPR and your retention and erasure policy document.

Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can find out why personal data is used, who it is shared with and how long it is kept by distributing questionnaires to relevant areas of your organisation, meeting directly with key business functions, and reviewing policies, procedures, contracts and agreements.

Records of your processing activities must be kept in writing and this can include an electronic format – the information must be documented in a granular and meaningful way. It may well depend on the size of your business and the volume of processing activities as to whether a spreadsheet format would suffice or whether you need to consider a bespoke package to be tailored to your specific business needs.

The ICO has developed some basic templates to help you document your processing activities.

Written by: