Records of processing and lawful basis
Why is this important?
It’s a legal requirement to document your processing activities. Taking stock of what information you have, where it is and what you do with it makes it much easier for you to improve your information governance and comply with other aspects of data protection law (such as creating a privacy notice and keeping personal data secure). It is a clear way to show what you are doing in line with the accountability principle and we may require you to provide these records to us. Your processing won’t be lawful without a valid lawful basis so you must justify your choice appropriately.
At a glance – what we expect from you
- Data-mapping
- Records of processing activities (ROPA)
- ROPA requirements
- Good practice for ROPAs
- Documenting your lawful basis
- Lawful basis transparency
- Consent requirements
- Reviewing consent
- Risk-based age checks and parental/guardian consent
- Legitimate Interest Assessment (LIA)
Data mapping
Your organisation frequently carries out comprehensive data mapping exercises, providing a clear understanding of what information is held and where.
Ways to meet our expectations:
- Your organisation carries out information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.
- You keep the data map up to date and you clearly assign the responsibilities for maintaining and amending it.
- You consult your staff to make sure that there is an accurate picture of processing activities, for example by using questionnaires and staff surveys.
Have you considered the effectiveness of your accountability measures?
- Would staff say that there was an effective process in place to identify what personal data is held across the organisation?
- Could staff explain their responsibilities and how they are carried out in practice?
- Would the record match what people were currently doing?
Record of processing activities (ROPA)
Your organisation has a formal, documented, comprehensive and accurate ROPA based on a data mapping exercise that is reviewed regularly.
Ways to meet our expectations:
- You record processing activities in electronic form so you can add, remove and amend information easily.
- Your organisation regularly reviews the record against processing activities, policies and procedures to ensure that it remains accurate and up to date, and you clearly assign responsibilities for doing this.
- You regularly review the processing activities and types of data you process for data minimisation purposes.
Have you considered the effectiveness of your accountability measures?
- Would staff say that you have effective processes in place to keep the record up to date, accurate and make sure that the data is minimised?
- Could staff explain their responsibilities and how they carry them out in practice?
ROPA requirements
Your ROPA contains all the relevant requirements set out in Article 30 of the UK GDPR.
Ways to meet our expectations:
- The ROPA includes (as a minimum):
  - your organisation’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
  - the purposes of the processing;
  - a description of the categories of individuals and of personal data;
  - the categories of recipients of personal data;
  - details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
  - retention schedules; and
  - a description of the technical and organisational security measures in place.
- You have an internal record of all processing activities carried out by any processors on behalf of your organisation.
Have you considered the effectiveness of your accountability measures?
- Would staff say that you have effective processes in place to keep the record up to date, accurate and make sure that the data is minimised?
- Could staff explain their responsibilities and how they carry them out in practice?
Good practice for ROPAs
Your organisation’s ROPA includes links to other relevant documentation, such as contracts or records as a matter of good practice.
Ways to meet our expectations:
- The ROPA also includes, or links to, documentation covering:
  - information required for privacy notices, such as the lawful basis for the processing and the source of the personal data;
  - records of consent;
  - controller-processor contracts;
  - the location of personal data;
  - DPIA reports;
  - records of personal data breaches;
  - information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and
  - retention and erasure policy documents.
Have you considered the effectiveness of your accountability measures?
- Do staff understand how to access other relevant documentation linked to the ROPA?
- Is it easy for staff to access relevant documentation from the ROPA?
- Could staff explain this process and how it impacts their role?
Documenting your lawful basis
You document and appropriately justify your organisation’s lawful basis for processing personal data in line with Article 6 of the UK GDPR (and Articles 9 and 10, if the processing involves special category or criminal offence data).
Ways to meet our expectations:
- Your organisation selects the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes.
- You document the lawful basis (or bases) relied upon and the reasons why.
- If your organisation processes special category or criminal offence data, you identify and document a lawful basis for general processing and an additional condition for processing this type of data (or in the case of criminal offence data, you identify the official authority to process).
- In the case of special category or criminal offence data, you document consideration of the requirements of Article 9 or 10 of the UK GDPR and Schedule 1 of the DPA 2018 where relevant.
- Where Schedule 1 requires it, you have an appropriate policy document including:
  - which Schedule 1 conditions you are relying upon;
  - what procedures you have in place to ensure compliance with the data protection principles;
  - how you will treat special category or criminal offence data for retention and erasure purposes;
  - a review date; and
  - details of an individual assigned responsibility for the processing.
- You identify the lawful basis before starting any new processing.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the need to identify a lawful basis for processing personal data?
- Can they identify an appropriate lawful basis?
- Are they aware of the additional requirements to protect special category and criminal offence data?
Lawful basis transparency
You make information about the purpose of the processing and the lawful basis publicly available. This is easy to locate, access and read.
Ways to meet our expectations:
- You make information about the purposes of the processing, your lawful basis and relevant conditions for processing any special category or criminal offence data publicly available in your organisation's privacy notice(s).
- You provide information in an easily understandable format.
- If there is a genuine change in circumstances, or if your lawful basis must change due to a new and unanticipated purpose, you inform individuals in a timely manner and record the changes.
Have you considered the effectiveness of your accountability measures?
- Would customers agree that your privacy notice is easy to find, access and understand?
Consent requirements
If your organisation relies on consent for the processing of personal data, you comply with the UK GDPR’s consent requirements of being:
- specific;
- granular;
- prominent;
- opt-in;
- documented; and
- easily withdrawn.
Ways to meet our expectations:
- Consent requests:
  - are kept separate from other terms and conditions;
  - require a positive opt-in and do not use pre-ticked boxes;
  - are clear and specific (not a pre-condition of signing up to a service);
  - inform individuals how to withdraw consent in an easy way; and
  - give your organisation’s name as well as any third parties relying on consent.
- You have records of what an individual has consented to, including what they were told and when and how they consented. The records are thorough and easy for relevant staff to access, review and withdraw if required.
- You have evidence and examples of how consent is sought from individuals, for example online forms or notices, opt-in tick boxes or paper-based forms.
Have you considered the effectiveness of your accountability measures?
- Do staff agree that the records of consent are easy to access, understand and review?
- Do customers say that you make it easy to understand and manage consent?
Reviewing consent
You proactively review records of previously gathered consent, which demonstrates a commitment to confirming and refreshing the consents.
Ways to meet our expectations:
- You have a procedure to review consents to check that the relationship, the processing and the purposes have not changed and to record any changes.
- Your organisation has a procedure to refresh consent at appropriate intervals.
- Your organisation uses privacy dashboards or other preference management tools to help people manage their consent.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the process to review consents?
- Is the procedure easy to find, access and understand?
- Do individuals say it was easy to manage their consent preferences?
Risk-based age checks and parental or guardian consent
Your organisation has effective systems in place to conduct risk-based age checks and, where required, to obtain and record parental or guardian consent.
Ways to meet our expectations:
- Your organisation makes reasonable efforts to check the age of those giving consent, particularly where the individual is a child.
- You have a reasonable and effective procedure to determine whether the individual in question can provide their own consent, and if not, an effective way to gain and record parental or guardian consent.
- When providing online services to children, your organisation has risk-based age checking systems in place to establish age, with an appropriate level of certainty based on the risks to children's rights and freedoms.
- When providing online services to children, if the child is under 13, you have records of parental or guardian consent which are regularly reviewed, and you make reasonable efforts to verify that the person giving consent has parental responsibility. You give particular consideration when a child reaches the age of 13 and is able to provide their own consent.
Have you considered the effectiveness of your accountability measures?
- Do staff and individuals agree that you have a reasonable and effective way to conduct risk-based age checks, gain parental or guardian consent and review what’s in place?
Legitimate interest assessment (LIA)
If your organisation’s lawful basis is legitimate interests, you have completed an appropriate LIA prior to starting the processing.
Ways to meet our expectations:
- The LIA identifies the legitimate interest, the benefits of the processing and whether it is necessary.
- The LIA includes a 'balancing test' to show how your organisation determines that its legitimate interests override the individuals’ interests, and considers the following issues:
  - not using people's data in intrusive ways or in ways which could cause harm, unless there is a very good reason;
  - protecting the interests of vulnerable groups such as people with learning disabilities or children;
  - whether you could introduce safeguards to reduce any potentially negative impact;
  - whether you can offer an opt-out; and
  - whether you require a DPIA.
- You clearly document the decision and the assessment.
- You complete the LIA prior to the start of the processing.
- You keep the LIA under review and refresh it if changes affect the outcome.
Have you considered the effectiveness of your accountability measures?
- Do staff say that the LIAs are clear and comprehensive?
- Is the review process effective?
Further reading
ICO guidance:
- Documentation
- Lawful basis for processing
- Lawful basis for processing – consent
- Lawful basis for processing – legitimate interests
- Special category data
- Criminal offence data
- Children
- Age Appropriate Design Code of Practice
- ICO template: Appropriate Policy Document
- ICO tool: Lawful basis interactive guidance tool
External guidance:
- The National Archives: Find out what information you have