Do all organisations need to document their processing activities?
Most organisations must document their processing activities to some extent. Both controllers and processors have their own documentation obligations, but controllers need to keep more extensive records than processors.
Organisations with 250 or more employees must document all their processing activities.
What about small and medium-sized organisations?
The GDPR provides a limited exemption for small and medium-sized organisations. If you employ fewer than 250 people, you need only document processing activities that:
- are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
- are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
- involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).
Example – processing that is not occasional
An insurance company has 100 staff. Among other things, it regularly processes personal data in the context of processing claims, sales and HR. Although the company has fewer than 250 staff, it must still document these types of processing activities because they are not occasional. However, some of the company’s processing activities occur less frequently. For instance, it occasionally carries out an internal staff engagement survey. The company doesn’t do this particular processing activity very often, so it need not document it as part of its record of processing activities.
Example – processing that is likely to result in a risk to the rights and freedoms of individuals
The same company carries out several other processing activities on an infrequent basis. For instance, it occasionally does profiling on its customer database for the purposes of insurance-risk classification. Rare though this is, the company must still document it. This is because creating inferred data through profiling can be intrusive and result in risks to individuals’ rights and freedoms.
Example – processing that involves special category data or criminal conviction and offence data
From time to time, the insurance company also does recruitment campaigns. For these, it collects information on applicants’ health and ethnic origin for equal opportunities monitoring. The campaigns are rare but the company must still document this processing activity because it involves processing special category data.
Even if you need not document some or all of your processing activities, we think it is still good practice to do so. Keeping records on what personal data you hold, why you hold it and who you share it with will help you manage the data more effectively and comply with other aspects of the Regulation.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
WP29 published a position paper on Article 30(5) (the exemption for small and medium-sized organisations), which has been endorsed by the EDPB.