It’s good practice for all businesses and organisations to document all their data processing activities. This is typically done via a Record of Processing, which acts as an inventory of the data processing an organisation is undertaking. This provides a clear snapshot that can be used to assist with managing many of the compliance obligations required under the GDPR.
In the UK it is a legal requirement under Article 30 of the UK GDPR for every business or organisation with 250 or more employees to maintain a Record of Processing. Organisations with fewer than 250 employees are not exempt altogether: they must still document any processing activities that:
- are not occasional;
- are likely to result in a risk to the rights and freedoms of individuals; or
- involve special category data or data relating to criminal convictions and offences.
What information should we document?
The “processing” of personal data is defined very widely and covers almost anything done with personal data, from collecting and recording it, through storing, using and disclosing it, to erasing or destroying it. This breadth is important to bear in mind when deciding what information you should be documenting: an activity that does not feel like “processing” day to day (for example, keeping archived records) may still need to appear in the Record.
There are different requirements on what information you need to document depending on whether you are a controller or a processor. A controller determines the purposes and means of processing personal data whereas a processor only processes the personal data on behalf of the controller and follows the controller’s instructions.
Some of the information you may have to document includes:
- the name and contact details of your organisation and, where you have one, your Data Protection Officer;
- the purposes of the processing;
- the categories of the individuals whose personal data is being processed;
- the categories of the personal data being processed;
- the categories of recipients of personal data (who you share the personal data with);
- whether you transfer any personal data outside the UK and, if so, the safeguards you rely on for the transfer;
- where possible, how long you intend to keep each category of personal data; and
- where possible, a general description of the technical and organisational security measures you apply.
How should we document the information?
The documentation must be in writing, which includes electronic form. A generic, high-level list will not be compliant with the UK GDPR. The documentation should be granular, for example by recording the categories of personal data processed for each category of individual, and the purpose and lawful basis for each processing activity rather than for the organisation as a whole. The ICO website has a helpful template for a Record of Processing which can be found here. There are also many software vendors providing software to assist with preparing and maintaining a Record of Processing.
However you choose to document the information, it is essential that you treat the Record of Processing as a living document and keep it updated to reflect any changes, such as a new system, supplier or purpose. It is sensible to undertake regular reviews (for example, annually or whenever a new project is started) to determine whether any of your processing activities have changed and whether the Record of Processing needs to be updated.
How do I get started?
Some things you can do to get started on recording your processing activities are:
- use our free data assist audit tool following which, you will receive a personalised report outlining any issues you should address. You can find this tool here;
- determine what personal data your organisation holds and processes; and
- review any data protection policies (e.g. privacy policies and data retention policies), data sharing agreements or data processing contracts you have.
We can assist you with each of these steps, from providing you with general guidance to undertaking an audit exercise of your processing activities and drafting a Record of Processing on your behalf. For further information or advice, please get in touch with our Commercial & Technology Team.