Documentation
Latest updates
19 May 2023 - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.
At a glance
- The UK GDPR contains explicit provisions about documenting your processing activities.
- You must maintain records on several things such as processing purposes, data sharing and retention.
- You may be required to make the records available to the ICO on request.
- Documentation can help you comply with other aspects of the UK GDPR and improve your data governance.
- Controllers and processors both have documentation obligations.
- For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.
- Information audits or data-mapping exercises can feed into the documentation of your processing activities.
- Records must be kept in writing.
- Most organisations will benefit from maintaining their records electronically.
- Records must be kept up to date and reflect your current processing activities.
- We have produced some basic templates to help you document your processing activities.
Checklists
Documentation of processing activities – requirements
☐ If we are a controller for the personal data we process, we document all the applicable information under Article 30(1) of the UK GDPR.
☐ If we are a processor for the personal data we process, we document all the applicable information under Article 30(2) of the UK GDPR.
If we process special category or criminal conviction and offence data, we document:
☐ the condition for processing we rely on in the Data Protection Act 2018 (DPA 2018);
☐ the lawful basis for our processing; and
☐ whether we retain and erase the personal data in accordance with our policy document, where required in Schedule 1 of the DPA 2018.
☐ We document our processing activities in writing.
☐ We document our processing activities in a granular way with meaningful links between the different pieces of information.
☐ We conduct regular reviews of the personal data we process and update our documentation accordingly.
Documentation of processing activities – best practice
When preparing to document our processing activities we:
☐ do information audits to find out what personal data our organisation holds;
☐ distribute questionnaires and talk to staff across the organisation to get a more complete picture of our processing activities; and
☐ review our policies, procedures, contracts and agreements to address areas such as retention, security and data sharing.
As part of our record of processing activities we document, or link to documentation of:
☐ information required for privacy notices;
☐ records of consent;
☐ controller-processor contracts;
☐ the location of personal data;
☐ Data Protection Impact Assessment reports; and
☐ records of personal data breaches.
☐ We document our processing activities in electronic form so we can add, remove and amend information easily.
In brief
What is documentation?
- Most organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention; we call this documentation.
- Documenting your processing activities is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the UK GDPR.
Who needs to document their processing activities?
- Controllers and processors each have their own documentation obligations.
- If you have 250 or more employees, you must document all your processing activities.
- There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that:
  - are not occasional; or
  - could result in a risk to the rights and freedoms of individuals; or
  - involve the processing of special categories of data or criminal conviction and offence data.
What do we need to document under Article 30 of the UK GDPR?
You must document the following information:
- The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
- The purposes of your processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of your transfers to third countries, including the transfer mechanism safeguards in place.
- Retention schedules.
- A description of your technical and organisational security measures.
Should we document anything else?
As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with the UK GDPR and the UK’s Data Protection Act 2018. Such documentation may include:
- information required for privacy notices, such as:
  - the lawful basis for the processing;
  - the legitimate interests for the processing;
  - individuals’ rights;
  - the existence of automated decision-making, including profiling; and
  - the source of the personal data;
- records of consent;
- controller-processor contracts;
- the location of personal data;
- Data Protection Impact Assessment reports;
- records of personal data breaches; and
- information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018, covering:
  - the condition for processing in the Data Protection Act;
  - the lawful basis for the processing in the UK GDPR; and
  - your retention and erasure policy document.
How do we document our processing activities?
- Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is.
- You can find out why personal data is used, who it is shared with and how long it is kept by distributing questionnaires to relevant areas of your organisation, meeting directly with key business functions, and reviewing policies, procedures, contracts and agreements.
- When documenting your findings, the records you keep must be in writing. The information must be documented in a granular and meaningful way.
We have developed basic templates to help you document your processing activities.
In more detail – ICO guidance
We have produced more detailed guidance on documentation.
The Accountability Framework looks at the ICO’s expectations in relation to records of processing.
In more detail – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
WP29 published a position paper on Article 30(5) (the exemption for small and medium-sized organisations), which has been endorsed by the EDPB.
EDPB guidelines are no longer directly relevant to the UK regime and are not binding under it. However, they may still provide helpful guidance on certain issues.