Your record of processing activity: what it is, and why having one will make your life so much easier
I've written before about the key steps you need to take to get your business in order from a GDPR point of view.
One of those steps — the record of processing activity — is a key starting point.
What is a "record of processing activity"?
The record of processing activity — or "Article 30 record", as it is sometimes known — is the list of what personal data you have, what you do with it, and some key legal information.
Why should I have one?
For most companies, the short answer is "because the GDPR says you must".
However, even if that was not the case (and it is not the case for absolutely everyone), I'd still recommend you have one. Why? Because it makes compliance with other parts of the GDPR much easier if you have all the relevant information in one place.
In particular, having a reliable record of processing makes preparing your transparency information — such as your privacy notices — so much easier.
If you ask me to help you with privacy notices (and you're very welcome to ask if you need a hand — I've lots of experience with them), my first question will be whether you have a good record of processing activity. If you don't, this task is much harder.
Who doesn't have to have one?
My suggestion is that, whatever the law says, you should have one. In the vast, vast majority of cases, it is going to make your life easier.
But, if that doesn't persuade you it's worth doing, legally, if you employ fewer than 250 people, you do not need a record of processing unless any one or more of the following apply.
If any one applies, you need that record, no matter how many or how few staff you have:
- your processing is likely to result in a risk to the rights and freedoms of data subjects
- your processing is not "occasional"
  - This is the one which is likely to catch a lot of organisations, because things like mailing lists, customer databases, and HR records are not "occasional": they'll be a routine part of your business.
- your processing includes "special category" data (such as health-related information) or personal data relating to criminal convictions and offences
What should be in my record of processing?
The bare minimum
At a minimum, your record of processing should set out:
- what data you are processing, why you are processing it, and the "lawful basis" under the GDPR
- a description of the people to whom the data relate
- recipients to whom the personal data have been or will be disclosed
- if you are transferring the personal data to a country outside the EEA (or making it available for access from a country outside the EEA), what country / countries they are, and what safeguards you have in place
- your retention period (for how long you will keep the data)
- what security you have in place to protect the data
This is the legal bare minimum. If you don't have this information and you are required by the GDPR to have a record of processing, you're not meeting your obligations. In the event of a complaint, it would be so easy for the Information Commissioner's Office to say "so, show us your record of processing", and not being able to demonstrate even the minimum standard would be a poor start.
Making it even more useful
Going beyond the bare minimum, you can make your life easier in the long run by including some additional information:
- the source of the data – where you got it from
- if your lawful basis for processing is "legitimate interests", what your (or the data subject's, or third party's) interest is
- if you are processing "special category" data, such as health-related information, the additional condition you have in place to permit you to do that
- whether you are carrying out automated decision-taking and, if so, whether it has a legal or similarly significant effect
Really pushing the boat out
You could go even further than this if you wanted (and if it is warranted). For example, if what you are doing is reliant on an exemption under the Data Protection Act 2018, you might want to document what the exemption is, and some information about it.
You could also get fancy, and link out from your record of processing to supporting documentation, such as copies of contracts, legitimate interests assessments, or privacy impact assessments for the activity. In other words, moving from a simple record of processing into a repository of all key information relating to your data processing activity.
This all sounds complicated. Is there a template?
If you don't know whether you are a controller or a processor, a simple rule of thumb is this:
- if you are deciding what data you are going to process, why you are doing it, and how you are doing it — for example, you are doing something to run your own business — or you are doing it because the law requires you to do it, chances are you are a controller in respect of that processing
- if someone else is making the decisions, or you are doing something as part of a service to a customer or for someone else's benefit, chances are you are a processor in respect of that processing
Can I forget about it once I've done it?
Your record of processing should be a living document — you need to keep it up to date.
Whenever you change what you do with personal data — start a new process, stop a process, make changes to a process, and so on — you should update your record of processing, so that it remains accurate.
If you can, make this part of your overall governance processes, so that no-one forgets to do this. And, chances are, updating your record of processing will kick off sub-processes of its own, including updating your transparency information (such as your privacy notices).