How should we prepare?

A good way to start is by doing an information audit or data-mapping exercise to clarify what personal data your organisation holds and where. It is important that people across your organisation are engaged in the process; this can help ensure nothing is missed when mapping the data your organisation processes. It is equally important to obtain senior management buy-in so that your documentation exercise is supported and well resourced.

What steps should we take next?

Once you have a basic idea of what personal data you have and where it is held, you will be in good position to begin documenting the information you must record under the GDPR. It is up to you how you do this, but we think these three steps will help you get there:

  1. Devise a questionnaire – you can distribute this to the areas of the organisation you have identified as processing personal data. Use straightforward (jargon-free) questions that will prompt answers to the areas requiring documentation.

Example questions

  • Why do you use personal data?
  • Who do you hold information about?
  • What information do you hold about them?
  • Who do you share it with?
  • How long do you hold it for?
  • How do you keep it safe?
  1. Meet directly with key business functions – this will help you gain a better understanding of how certain parts of your organisation use data.

Example business functions

  • IT staff can help answer questions about technical security measures.
  • Information governance staff should be able to provide information on retention periods.
  • Legal and compliance staff may hold details of any data-sharing arrangements.
  1. Locate and review policies, procedures, contracts and agreements – as well as feeding directly into the documentation exercise, this can help you compare and contrast intended and actual data processing activities.

Example documents

  • Privacy policies
  • Data protection policies
  • Data retention policies
  • Data security policies
  • System use procedures
  • Data processor contracts
  • Data sharing agreements

How should we document our findings?

The documentation of your processing activities must be in writing; this can be in paper or electronic form. Generally, most organisations will benefit from maintaining their documentation electronically so they can easily add to, remove, and amend it as necessary. Paper documentation may be adequate for very small organisations whose processing activities rarely change.            

However you choose to document your organisation’s processing activities, it is important that you do it in a granular and meaningful way. For instance, you may have several separate retention periods, each specifically relating to different categories of personal data. Equally it is likely that the organisations you share personal data with differ depending on the type of people you hold information on and your purposes for processing the data. The record of your processing activities needs to reflect these differences. A generic list of pieces of information with no meaningful links between them will not meet the GDPR’s documentation requirements. 

Example - would not meet GDPR documentation requirements:

Categories of personal data

  • Contact details
  • Financial details
  • Lifestyle information
  • Location
  • IP address...

Categories of individuals

  • Suppliers
  • Employees
  • Emergency contacts
  • Customers
  • Clients...

Categories of personal data

  • Contact details
  • Financial details
  • Lifestyle information
  • Location
  • IP address...

 

Example - would meet GDPR documentation requirements:

Purposes of processing

Categories of individuals

Categories of personal data

Staff administration

Employees Contact details
Financial details...

Emergency contacts...

Contact details...
Customer orders




Customers

Contact details
Financial details
IP address...
Suppliers...

Contact details
Financial details

Location...

Marketing Customers Contact details
Lifestyle information
Clients... Contact details...

 What should we document first?

Start with the broadest piece of information about a particular processing activity, then gradually narrow the scope as you document each requirement under Article 30:

  • Controllers – it makes sense for controllers to begin with a business function – e.g. HR, Sales, Customer Services. Although the GDPR does not require you to document this information, focusing on each function of your business, one at a time, will help to give your record of processing activities a logical structure. Each business function is likely to have several different purposes for processing personal data, each purpose will involve several different categories of individuals, and in turn those categories of individuals will have their own categories of personal data and so on.
  • Processors – although you have less information to document as a processor, it still helps to adopt a ‘broad to narrow’ approach. Start with the controller you are processing personal data for. There may be several different categories of processing you carry out for each controller, and in turn different types of international transfers, security measures and so on.

Documentation using this type of approach should help you create a complete and comprehensive record of your processing activities within which you document the different types of information in a granular way and meaningfully link them together.

Is there a template we can use?

Yes, we have created two basic templates to help you document your processing activities; one for controllers and one for processors. Each template contains a section for the information you must document, and extra sections for information you are not obliged to document under Article 30 but that can be useful to maintain alongside your record of processing activities.         

Using these templates is not mandatory. You can document your organisation’s processing activities in many different ways, ranging from basic templates to specialist software packages. How you choose to maintain your documentation will depend on factors such as the size of your organisation, the volume of personal data processed, and the complexity of the processing operations.

 

What if we have an existing documentation method?

In addition to data protection, organisations are often subject to several other regulations that have their own documentation obligations, particularly in sectors such as insurance and finance. If your organisation is subject to such regulatory requirements, you may already have an established data governance framework in place that supports your existing documentation procedures; it may even overlap with the GDPR’s record-keeping requirements. If so, the GDPR does not prohibit you from combining and embedding the documentation of your processing activities with your existing record-keeping practices. But you should be careful to ensure you can deliver all the requirements of Article 30, if necessary by adjusting your data governance framework to account for them.

Do we need to update our record of processing activities?

Keeping a record of your processing activities is not a one-off exercise; the information you document must reflect the current situation as regards the processing of personal data. So you should treat the record as a living document that you update as and when necessary. This means you should conduct regular reviews of the information you process to ensure your documentation remains accurate and up to date.