Record keeping requirements under GDPR

18 June 2018

On 23 May 2018 the General Data Protection Regulation (GDPR) was effectively integrated into the new Data Protection Act (DPA) 2018. There were significant changes within GDPR which moved the emphasis away from the “best practice” approach of DPA 1988 to a “requirements” approach under GDPR. The documentation of processing activities is a new requirement under the GDPR.

Documenting your processing activities is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.

The GDPR contains explicit provisions about documenting your processing activities. You must maintain records on several things such as processing purposes, data sharing and retention. You may be required to make the records available on request to the Information Commissioner’s Office (ICO) or other appropriate authority for the purposes of an investigation.

The recordkeeping obligation applies to both controllers and processors employing 250 people or more. Processing activities of internal records must be maintained and the following information as a minimum must be recorded:

name and details of the organisation (and where applicable, of other controllers and the data protection officer)
purpose(s) of the processing
description of the categories of individuals
description of the categories of personal data
categories of recipients of personal data
details of transfers to third countries or international organisations including documentation of the transfer mechanism safeguards in place
retention schedules
description of technical and organisational security measures.

There is a limited exemption for small and medium-sized organisations so if you have fewer than 250 employees, you only need to document processing activities that:

are not occasional; or
could result in a risk to the rights and freedoms of individuals; or
involve the processing of special categories of data or criminal conviction and offence data.

Even if you are not obliged to keep records, doing so can only increase the effectiveness of your GDPR compliance processes.

All organisations have to provide comprehensive, clear and transparent data privacy policies.

As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with the GDPR and the UK’s Data Protection Bill. Such documentation may include:

information required for privacy notices, such as:
- the lawful basis for the processing
- the legitimate interests for the processing
- individuals’ rights
- the existence of automated decision-making, including profiling
- the source of the personal data;
records of consent;
controller-processor contracts;
the location of personal data;
Data Protection Impact Assessment reports;
records of personal data breaches;
information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering:
- the condition for processing in the Data Protection Bill
- the lawful basis for the processing in the GDPR
- your retention and erasure policy document.

Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can find out why personal data is used, who it is shared with and how long it is kept by distributing questionnaires to relevant areas of your organisation, meeting directly with key business functions, and reviewing policies, procedures, contracts and agreements.

Records of your processing activities must be kept in writing and this can include an electronic format - the information must be documented in a granular and meaningful way. It may well depend on the size of your business and the volume of processing activities as to whether a spreadsheet format would suffice or whether you need to consider a bespoke package to be tailored to your specific business needs.

The ICO has developed some basic templates to help you document your processing activities.

This article was originally written for Accounting Web (published 18 June 2018).

More news

CIPP quick poll

What pension tasks are you responsible for?

Pension contributions i.e. workplace pensions

Best practise on pensioner payrolls

Talking to your employees about pensions

Good governance around employer decision making on pensions

Managing early retirement in all its forms

Deciding on workplace pensions strategy

Protecting pensions and reassurances about pensions promises

Tasks when changing pension schemes

Pensions tax rules

Other, please provide additional details

*denotes a mandatory field

Record keeping requirements under GDPR

Also of interest

Related news

Devolution: payroll legislation matrix

28 March 2024

New ICO SARs Q&A for employers

27 June 2023

Impact of the data reform bill on payroll professionals

21 June 2022

The CIPP in numbers

9.5k+

2,800+

15k+

10