At a glance

  • The GDPR contains explicit provisions about documenting your processing activities.
  • You must maintain records on several things such as processing purposes, data sharing and retention.
  • You may be required to make the records available to the ICO on request.
  • Documentation can help you comply with other aspects of the GDPR and improve your data governance.
  • Controllers and processors both have documentation obligations.
  • For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.
  • Information audits or data-mapping exercises can feed into the documentation of your processing activities.
  • Records must be kept in writing.
  • Most organisations will benefit from maintaining their records electronically.
  • Records must be kept up to date and reflect your current processing activities.
  • We have produced some basic templates to help you document your processing activities.

Checklists

Documentation of processing activities – requirements

☐ If we are a controller for the personal data we process, we document all the applicable information under Article 30(1) of the GDPR.

☐ If we are a processor for the personal data we process, we document all the applicable information under Article 30(2) of the GDPR.

If we process special category or criminal conviction and offence data, we document:

  ☐ the condition for processing we rely on in the Data Protection Bill;

  ☐ the lawful basis for our processing; and

  ☐ whether we retain and erase the personal data in accordance with our policy document.

☐ We document our processing activities in writing.

☐ We document our processing activities in a granular way with meaningful links between the different pieces of information.

☐ We conduct regular reviews of the personal data we process and update our documentation accordingly.

Documentation of processing activities – best practice

When preparing to document our processing activities we:

  ☐ do information audits to find out what personal data our organisation holds;

  ☐ distribute questionnaires and talk to staff across the organisation to get a more complete picture of our processing activities; and

  ☐ review our policies, procedures, contracts and agreements to address areas such as retention, security and data sharing.

As part of our record of processing activities we document, or link to documentation, on:

  ☐ information required for privacy notices;

  ☐ records of consent;

  ☐ controller-processor contracts;

  ☐ the location of personal data;

  ☐ Data Protection Impact Assessment reports; and

  ☐ records of personal data breaches.

☐ We document our processing activities in electronic form so we can add, remove and amend information easily.

In brief

What’s new under the GDPR?

  • The documentation of processing activities is a new requirement under the GDPR.
  • There are some similarities between documentation under the GDPR and the information you provided to the ICO as part of registration under the Data Protection Act 1998.
  • You need to make sure that you have in place a record of your processing activities by 25 May 2018.

What is documentation?

  • Most organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention; we call this documentation.
  • Documenting your processing activities is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.

Who needs to document their processing activities?

  • Controllers and processors each have their own documentation obligations.
  • If you have 250 or more employees, you must document all your processing activities.
  • There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that:
    • are not occasional; or
    • could result in a risk to the rights and freedoms of individuals; or
    • involve the processing of special categories of data or criminal conviction and offence data.

Please note

The Article 29 Working Party (WP29) is currently considering the scope of the exemption from documentation of processing activities for small and medium-sized organisations.

WP29 includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

If necessary, we will update this guidance to reflect the outcome of WP29’s discussions.


What do we need to document under Article 30 of the GDPR?

You must document the following information:

  • The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

Should we document anything else?

As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with the GDPR and the UK’s Data Protection Bill. Such documentation may include:

  • information required for privacy notices, such as:
    • the lawful basis for the processing
    • the legitimate interests for the processing
    • individuals’ rights
    • the existence of automated decision-making, including profiling
    • the source of the personal data;
  • records of consent;
  • controller-processor contracts;
  • the location of personal data;
  • Data Protection Impact Assessment reports;
  • records of personal data breaches;
  • information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering:
    • the condition for processing in the Data Protection Bill
    • the lawful basis for the processing in the GDPR
    • your retention and erasure policy document.

How do we document our processing activities?

  • Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is.
  • You can find out why personal data is used, who it is shared with and how long it is kept by distributing questionnaires to relevant areas of your organisation, meeting directly with key business functions, and reviewing policies, procedures, contracts and agreements.
  • When documenting your findings, the records you keep must be in writing. The information must be documented in a granular and meaningful way.

We have developed basic templates to help you document your processing activities.

In more detail – ICO guidance

We have produced more detailed guidance on documentation.


In more detail – Article 29

There are no immediate plans for WP29 guidance on documentation of processing activities under the GDPR, but WP29 is currently considering the scope of the exemption from documentation of processing activities for small and medium-sized organisations.

If necessary, we will update this guidance to reflect the outcome of WP29’s discussions.