Record of processing activities solicitors

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new requirements that organisations must meet.

One of the new core requirements of the GDPR is to know and to document the personal data that an organisation uses, what it is used for, where it is stored, where it flows from and to, and how it is protected. This is summarised in Article 30 of the GDPR, which requires organisations to establish and maintain a record of processing activities.

What is a record of processing activities?

A record of processing activities is a critical document for any organisation that processes personal data in the EU. Controllers must document all the applicable information under Article 30(1) and processors must document all the applicable information under Article 30(2). Such information includes the purposes of the processing, a description of technical and organisational security measures and, where applicable, details of personal data transfers to third countries. The record of processing activities must be kept in writing but can be in paper or in electronic form. Electronic form may be more beneficial, allowing organisations to update and amend the document as necessary. Your record of processing activities must be made available on demand to applicable data protection authorities. In the UK, this is the Information Commissioner’s Office (ICO).

Why do I need a record of processing activities?

You need to keep a record of processing activities in order to comply with the GDPR. If you do not keep correct data processing records then you could be ordered to pay a large fine.

Do all organisations need to document their processing activities?

Organisations with 250 or more employees must document all of their processing activities. Organisations with fewer than 250 people only need to document processing activities that:

  • are not occasional (i.e. are more than just a one-off occurrence); or
  • are likely to result in a risk to the rights and freedoms of individuals; or
  • involve special category data or criminal conviction and offence data, as defined by Articles 9 and 10 of the GDPR.

Even if you don’t technically need to keep a record of processing activities, it is good practice to do so. Keeping a record of processing activities will assist you with your other GDPR obligations further down the line.

If you are looking for assistance with a record of processing activities, or want advice on GDPR more generally, contact Neil Williamson.