Data Protection Toolkit - Document your processing activities
Article 30 of the GDPR outlines the records of processing activities that controllers and processors need to maintain in a written and electronic format.
This means that where you are collecting, storing, sharing, using or transferring some sort of personal data, you consider and record the details of how it meets the data protection principles. This is so that the processing can be shown to be compliant with the Regulation.
It is also a legal requirement to provide these records to the Information Commissioner's Office if they ask you for them, so make sure that they're complete, accurate and that you know where they are.
Unless you're a particularly large community or voluntary organisation (with more than 250 employees) you are required to document only your regular activities, as well as any processing of particularly sensitive information.
So, if there are instances where you process personal data but it's a one-off ("occasional") you don't need to document it, unless it involves special category or criminal convictions data.
The level of detail required is not overwhelming. You don't need to make extensive records of all the actions that you take with the data. The documentation is more for providing a summary of what's involved in each case. Of course, if you find it useful for your own record-keeping purposes, you can go into much more detail.
The Regulation says only that the records should be in a written and electronic form. The most straightforward way is to keep a spreadsheet with the details of the types of personal data you process.
The full accounts are not required to be publicly accessible, though much of the type of information that you're recording here will go into your privacy notice (in clear and plain language) so that data subjects have the background they need to make informed choices, and to demonstrate your transparency.
You should maintain these records to cover the processing activities that you do after 25 May 2018. If you cease to undertake an activity, keep the record but note that you've stopped and when. And if you start a new activity or use some of the personal data that you already have in a substantially new way as part of your regular activities, then you should also record that.
For controllers, Article 30(1) specifies:
- name and contact details for the controller - in most cases, you! It seems obvious, but it's specified by Article 30. If someone else is the controller, make sure that's included.
- brief description of the data subjects. Categorise into groups like employees, regular clients, business contacts, etc.
- types of personal data (category), noting in particular if any special category data is included.
- what the data is used for (purpose). If you can't identify a purpose for having some personal data, you really shouldn't have it.
- the lawful basis you have identified for the processing activity. If you haven't already thought about this in depth, this will take some more time.
- how the data is obtained. Is it from the person, or somewhere else?
- who the data is shared with (recipients). If you can be more specific about who, even better.
- how long it's held for. Either you have a definite time limit (e.g. years, months, days) or a retention policy that informs when something will be deleted.
- briefly, your security measures. Don't put too much detail - that might be of interest to hackers!
If you do transfer data to any country outside of the EEA, you need to record that. Familiarise yourself with Chapter 5 of the GDPR if this is the case as there are legal obligations you need to be aware of.
Though Article 30 doesn't actually say that you need to record the lawful basis, it's good practice nonetheless. This means you can be clear with yourself on the most important data protection principle (fair and lawful processing), and can see if there are any gaping holes in compliance.
If you're a processor in the case of a set of personal data, you only need to record a few things, but record them you must. Article 30(2) tells you what they are.
We've created a template Personal Data Register for Controllers to help you get started. The spreadsheet contains fields to fill in to meet the requirements for documentation.
- First, consider all of the different ways in which you process personal data. Try to break this down into distinct categories of data. If you're a medium or larger organisation and this seems like a huge task, consult with your colleagues in various business areas to make sure that all the knowledge is covered, or undertake an information audit.
- For each of the activities identify if you are the controller (your organisation makes the decision on the means and purposes of the processing) or the processor (if you process personal data on behalf of a controller).
- Don't forget that the record needs to cover all personal data that you have - your staff, volunteers, any donors, business contacts, people who've applied for jobs, and visitors to your website, as well as the people who your charitable work helps.
- For each of your data subjects start to break down the data that you have on them into categories. For example, for your own employees you'll have their contact details, payroll, bank, tax, pension, attendance and performance details.
- The level of granularity is important. It may be that you use the same category of data for more than one purpose. In this case, record the details for each purpose. If there are distinctions within how one type of data is used, don't try to fit it all in one line - break it down.
Keep this register under review. If your organisation starts new processing activities, or changes the purpose of its current activities, then update the register.
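As an added illustration (not part of the toolkit's template or the ICO's), the following Python encodes the rules above as a check over register rows: the Article 30(1) items for controllers, the recommended lawful basis, the occasional-processing exemption for organisations under the 250-employee threshold, and flagging of any transfer outside the EEA. Field names and the sample rows are constructed for the example.

```python
from dataclasses import dataclass

# Article 30(1) items for controllers, as the page lists them (field names are our own)
REQUIRED = ("controller", "data_subjects", "data_categories", "purpose",
            "source", "recipients", "retention", "security_measures")

@dataclass
class Activity:
    name: str
    controller: str = ""
    data_subjects: str = ""
    data_categories: str = ""
    purpose: str = ""
    source: str = ""
    recipients: str = ""
    retention: str = ""
    security_measures: str = ""
    lawful_basis: str = ""          # not mandated by Art. 30, but recommended on the page
    special_category: bool = False  # special category or criminal convictions data
    occasional: bool = False        # one-off processing, not a regular activity
    non_eea_transfer: str = ""      # destination country, if data leaves the EEA

def needs_record(a: Activity) -> bool:
    """Below the 250-employee threshold, one-off processing needs no record unless special category."""
    return (not a.occasional) or a.special_category

def check_activity(a: Activity) -> list:
    """Return findings for one row; an empty list means the row has no gaps."""
    findings = [f"missing {f}" for f in REQUIRED if not getattr(a, f).strip()]
    if not a.lawful_basis.strip():
        findings.append("lawful basis not recorded (recommended)")
    if a.non_eea_transfer:
        findings.append(f"transfer outside EEA to {a.non_eea_transfer}: see GDPR Chapter 5")
    return findings

def check_register(rows) -> dict:
    """Map each activity name to its findings, skipping rows that need no record."""
    return {a.name: check_activity(a) for a in rows if needs_record(a)}

# Constructed sample rows for a small charity, not real data
SAMPLE = [
    Activity("payroll", controller="Example Charity", data_subjects="employees",
             data_categories="contact, bank, tax, pension", purpose="pay staff", source="the employee",
             recipients="payroll bureau, HMRC", retention="6 years after employment ends",
             security_measures="access-controlled HR system", lawful_basis="contract"),
    Activity("one-off survey", occasional=True, purpose="event feedback"),
    Activity("health referrals", data_subjects="service users", data_categories="health (special category)",
             purpose="arrange support", source="the person", recipients="partner clinics",
             retention="2 years", security_measures="encrypted case files", special_category=True),
]
```

Running `check_register(SAMPLE)` reports the payroll row as complete, skips the one-off survey, and flags the missing controller and lawful basis on the special-category referrals row.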
Alternatively, use the ICO's templates for controllers or processors.
You can take your own approach to keeping written electronic records if you'd like to do things your own way. They don't have to be in a spreadsheet format the way these templates are, but make sure that the information required by Article 30 paragraphs (1) and (2) - for controller or processor where relevant - is included.