GDPR Documenting Processing Activities
Article 30 of the EU General Data Protection Regulation (GDPR) contains explicit provisions that require organisations to maintain internal records of their data processing activities.
This obligation reflects the increased importance of accountability and the need to ensure (and demonstrate) that your organisation processes personal data in line with the GDPR.
Most organisations must document their processing activities to some extent. Both data controllers and data processors have their own documentation obligations, but controllers are required to keep more extensive records than processors.
The scope of the exemption from documentation is still under consideration. Under the current guidance, organisations with 250 or more employees will be required to document all their processing activities. Smaller organisations must do so where the processing is not occasional, where it is likely to result in a risk to the rights and freedoms of data subjects or where it includes special categories of data. The latter largely refers to what is currently termed 'sensitive personal data' under the Data Protection Act 1998, but also includes genetic and biometric data when this is processed in order to uniquely identify an individual. Similar extra safeguards apply to the processing of personal data relating to criminal convictions.
The Information Commissioner's Office (ICO) has published detailed guidance on documentation. This explains how maintaining up-to-date records of data processing activities can assist in complying with other elements of the GDPR, such as drafting privacy notices, responding to access requests and ensuring the personal data you hold is relevant, accurate and secure. Knowing precisely what data you hold will also support good practice in data governance and increase business efficiency.
The ICO's guidance on documentation can be found on the ICO website.
The GDPR comes into effect on 25 May 2018.