What’s new under the GDPR?

  • The documentation of processing activities is a new requirement under the GDPR.
  • There are some similarities between documentation under the GDPR and the information you provided to the ICO as part of registration under the Data Protection Act 1998.
  • You need to make sure that you have in place a record of your processing activities by 25 May 2018.

What is documentation?

  • Most organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention; we call this documentation.
  • Documenting your processing activities is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.

Who needs to document their processing activities?

  • Controllers and processors each have their own documentation obligations.
  • If you have 250 or more employees, you must document all your processing activities.
  • There is a limited exemption for small and medium-sized organisations. If you have less than 250 employees, you only need to document processing activities that:
    • are not occasional; or
    • could result in a risk to the rights and freedoms of individuals; or
    • involve the processing of special categories of data or criminal conviction and offence data.


What do we need to document under Article 30 of the GDPR?

You must document the following information:

  • The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

Should we document anything else?

As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with the GDPR and the UK’s Data Protection Bill. Such documentation may include:

  • information required for privacy notices, such as:
    • the lawful basis for the processing
    • the legitimate interests for the processing
    • individuals’ rights
    • the existence of automated decision-making, including profiling
    • the source of the personal data;
  • records of consent;
  • controller-processor contracts;
  • the location of personal data;
  • Data Protection Impact Assessment reports;
  • records of personal data breaches;
  • information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering:
    • the condition for processing in the Data Protection Bill
    • the lawful basis for the processing in the GDPR
    • your retention and erasure policy document.

How do we document our processing activities?

  • Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is.
  • You can find out why personal data is used, who it is shared with and how long it is kept by distributing questionnaires to relevant areas of your organisation, meeting directly with key business functions, and reviewing policies, procedures, contracts and agreements.
  • When documenting your findings, the records you keep must be in writing. The information must be documented in a granular and meaningful way.