Practice Areas

Record of processing activities

EM Law are experts in helping clients create a record of processing activities. Our lead data protection lawyer is Neil Williamson who has extensive experience in advising clients on a wide range of data protection matters.

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new requirements for organisations to deal with.

One of the new core requirements of the GDPR is to know and to document the personal data that an organisation uses, what it is used for, where it is stored, where it flows from and to, and how it is protected. This is summarised in Article 30 of the GDPR, which requires organisations to establish and maintain a record of processing activities.

What is a record of processing activities?

A record of processing activities is a critical document for any organisation that processes personal data in the EU. Controllers must document all the applicable information under Article 30(1) and processors must document all the applicable information under Article 30(2). Such information includes the purposes of the processing, a description of technical and organisational security measures and, where applicable, details of personal data transfers to third countries. The record of processing activities must be kept in writing but can be in paper or in electronic form. Electronic form may be more beneficial, allowing organisations to update and amend the document as necessary. Your record of processing activities must be made available on demand to applicable data protection authorities. In the UK, this is the Information Commissioner’s Office (ICO).

Why do I need a record of processing activities?

You need to keep a record of processing activities in order to comply with the GDPR. If you do not keep correct data processing records then you could be ordered to pay a large fine.

Do all organisations need to document their processing activities?

Organisations with 250 or more employees must document all of their processing activities. Organisations with less than 250 people only need to process activities that:
• are not occasional (i.e. are more than just a one-off occurrence); or
• are likely to result in a risk to the rights and freedoms of individual; or
• involve special category data or criminal conviction and offence data, as defined by Articles 9 and 10 of the GDPR.

Even if you don’t technically need to keep a record of processing activities, it is good practice to do so. Keeping a record of processing activities will assist you with your other GDPR obligations further down the line.

If you are looking for assistance with a record of processing activities or want advice on GDPR more generally contact Neil Williamson.

EM Law Neil Williamson

Make An Enquiry


Make An Enquiry Now

Please call us now on 0203 637 6374 or Make An Online Enquiry and we will soon be in touch with you


Make An Enquiry

Can We Help You?

We are here to help with any of your questions.
Just click "Yes" below.


Please enter your question below

Send Your Question

Please enter your name and email address so than we can send you a response

Thank You!

Technical issue

Thank you for sending us your question. We will contact you shortly to discuss this.

Sorry, there is a technical issue. Please contact us by telephone: 0203 637 6374