Data Protection Toolkit - Document your processing activities
Article 30 of the GDPR outlines the records of processing activities that controllers and processors need to maintain in a written and electronic format.
This means that where you are collecting, storing, sharing, using or transferring some sort of personal data, you consider and record the details of how it meets the data protection principles. This is so that the processing can be shown to be compliant with the Regulation.
It is a legal requirement to provide these records to the Information Commissioner's Office if they ask, so make sure that they're complete, accurate, up-to-date, and that you know where they are.
Unless you're a particularly large community or voluntary organisation (with more than 250 employees) you are required to document only your regular activities, as well as any processing of particularly sensitive information.
So, if there are instances where you process personal data but it's a one-off ("occasional") you don't need to document it, unless it involves special category or criminal convictions data.
The level of detail required is not overwhelming. You don't need to make extensive records of all the actions that you take with the data. The documentation is more for providing a summary of what's involved in each case. Of course, if you find it useful for your own record-keeping purposes, you can go into much more detail.
The Regulation says only that the records should be in a written and electronic form. The most straightforward way is to keep a spreadsheet with the details of the types of personal data you process.
The full accounts are not required to be publicly accessible, though much of the type of information that you're recording here will go into your privacy notice (in clear and plain language) so that data subjects have the background they need to make informed choices, and to demonstrate your transparency.
You should maintain these records to cover the processing activities that you undertake after 25 May 2018. If you cease an activity at some point in the future, keep the record but note when you stopped. And if you start a new activity or use some of the personal data that you have already in a substantially new way as part of your regular activities, then you should also record that.
For controllers, Article 30(1) specifies that for each processing activity you should record:
- brief description of the data subjects. You can categorise groups such as employees, regular clients, business contacts, etc.
- types of personal data (category), noting in particular if any special category data is included.
- what the data is used for (purpose). If you can't identify a purpose for having some personal data, you really shouldn't have it.
- the lawful basis for the processing activity. If you haven't previously considered this, it might take some more time to determine.
- how the data is obtained. Is it from the person themselves, or somewhere else?
- who the data is shared with (recipients). The types of recipients, but if you can be more specific and name the organisation, even better.
- how long it's held for. Either you have a definite time limit (e.g. years, months, days) or a retention policy that informs when something will be deleted.
- briefly, your security measures. Don't put too much detail as it might be of interest to hackers!
As well as this, your record should include the name and contact details for the controller—in most cases, that will be your own organisation. It might seem as if this would be obvious, but it is specifically required to be included in the register. If there is a joint controller for some of the data, make sure that other organisation's information is also included.
If you transfer data to any non-EU member country (known as a 'third country'), you need to record that in this register as well as describing the safeguards involved—as the personal data will be processed somewhere that is not governed by a similar data protection framework. Familiarise yourself with Chapter 5 of the GDPR if this is the case, as there are legal obligations you need to be aware of.
Though Article 30 doesn't actually say that you need to record the lawful basis, it's good practice nonetheless. This means you can be clear with yourself on the most important data protection principle (fair and lawful processing), and can see if there are any gaping holes in compliance.
If you're a processor in the case of a set of personal data, you only need to record a few things, but record them you must. Article 30(2) tells you what they are.
We've created a Personal Data Register for Controllers template to help you get started. The spreadsheet contains fields to fill in to meet the requirements for documentation.
- First, consider all of the different ways in which you process personal data. Try to break this down into distinct categories of data. If you're a medium or larger organisation and this seems like a huge task, consult with your colleagues in various business areas to make sure that all the knowledge is covered, or undertake an information audit.
- For each of the activities identify if you are the controller (your organisation makes the decision on the means and purposes of the processing) or the processor (if you process personal data on behalf of a controller).
- Don't forget that the record needs to cover all personal data that you have—your staff, volunteers, any donors, business contacts, people who've applied for jobs, and visitors to your website, as well as the people who your charitable work helps.
- For each of your data subjects start to break down the data that you have on them into categories. For example, for your own employees you'll have their contact details, payroll, bank, tax, pension, attendance and performance details.
- The level of granularity is important. It may be that you use the same category of data for more than one purpose. In this case, record the details for each purpose. If there are distinctions within how one type of data is used, don't try to fit it all in one line—break it down.
Keep this register under review. If your organisation starts new processing activities, or changes the purpose of its current activities, then update the register.
Alternatively, use the ICO's templates for controllers or processors.
You can take your own approach to keeping written electronic records if you'd like to do things your own way. They don't have to be in a spreadsheet format the way these templates are, but make sure that the information required by Article 30 paragraphs (1) and (2) - for controller or processor where relevant - is included.
The ICO has produced detailed guidance on documenting processing activities as part of their Guide to the GDPR.