
Record-keeping requirements under GDPR

18th Jun 2018

GDPR is now in full effect and it contains explicit rules about how you process and secure data. Diana Bruce of the CIPP explains the ins and outs.

On 23 May 2018 the General Data Protection Regulation (GDPR) was effectively integrated into the new Data Protection Act (DPA) 2018. There were significant changes within GDPR which moved the emphasis away from the “best practice” approach of DPA 1988 to a “requirements” approach under GDPR. The documentation of processing activities is a new requirement under GDPR.

Documenting your processing activities is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of GDPR.

GDPR contains explicit provisions about documenting your processing activities. You must maintain records on several things such as processing purposes, data sharing and retention. You may be required to make the records available on request to the Information Commissioner’s Office (ICO) or other appropriate authority for the purposes of an investigation.

The record-keeping obligation applies to both controllers and processors employing 250 people or more. Internal records of processing activities must be maintained, and the following information must be recorded as a minimum:

  • Name and details of the organisation (and where applicable, of other controllers and the data protection officer)

  • Purpose(s) of the processing

  • Description of the categories of individuals

  • Description of the categories of personal data

  • Categories of recipients of personal data

  • Details of transfers to third countries or international organisations including documentation of the transfer mechanism safeguards in place

  • Retention schedules

  • Description of technical and organisational security measures

There is a limited exemption for small and medium-sized organisations, so if you have fewer than 250 employees you only need to document processing activities that:

  • Are not occasional

  • Could result in a risk to the rights and freedoms of individuals

  • Involve the processing of special categories of data or criminal conviction and offence data

Even if you are not obliged to keep records, doing so can only increase the effectiveness of your GDPR compliance processes.

All organisations have to provide comprehensive, clear and transparent data privacy policies.

As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with GDPR and the UK’s Data Protection Bill. Such documentation may include information required for privacy notices, such as:

  • The lawful basis for the processing

  • The legitimate interests for the processing

  • Individuals’ rights

  • The existence of automated decision-making, including profiling

  • The source of the personal data

  • Records of consent

  • Controller-processor contracts

  • The location of personal data

  • Data Protection Impact Assessment reports

  • Records of personal data breaches

  • Information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering: the condition for processing in the Data Protection Bill, the lawful basis for the processing in GDPR and your retention and erasure policy document.

Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can find out why personal data is used, who it is shared with and how long it is kept by distributing questionnaires to relevant areas of your organisation, meeting directly with key business functions, and reviewing policies, procedures, contracts and agreements.

Records of your processing activities must be kept in writing, which can include an electronic format, and the information must be documented in a granular and meaningful way. Whether a spreadsheet would suffice, or whether you need to consider a bespoke package tailored to your specific business needs, may well depend on the size of your business and the volume of its processing activities.

The ICO has developed some basic templates to help you document your processing activities.


Replies (6)


David Ross
By davidross
20th Jun 2018 11:10

Explicit rules? If only

Thanks (2)
By Ian McTernan CTA
20th Jun 2018 12:02

You will be required to do a lot of extra unpaid work to help make us less competitive against the rest of the world.

In the meantime, all this work will be utterly useless as anyone with half a brain will be able to locate this information somewhere within a few minutes and if hackers get into your systems all this extra make work will have been an utter waste of time.

I'm sure it's important that we make sure we document all the information we hold on people, but this system is both totally over the top and doesn't really provide any protection at all. More jobs for pen pushing bureaucrats though, and more potential fines for the rest of us trying to actually run a business and make money.

Thanks (9)
By jonahwhale
20th Jun 2018 12:24

While your contributors all probably comply with all the laws necessary, I feel that these new laws are aimed particularly at SMEs, which include leaseholder-owned management companies who do not comply. These laws provide a platform to hold the Directors, Trustees and their Managing Agents to account.

Thanks (1)
By dgilmour51
20th Jun 2018 13:02

I have had some difficulty explaining to a Builder
a. what a data flow is
b. what a business process is
c. what a controller is
d. what a processor is
As to how to 'write these down on paper' ...
at one point he commented "Why do I need to write all this normal accounting stuff down - you just spent months telling me the tax people say you mustn't write anything down, it's all got to go on the electric".
Not quite what I thought I'd been saying - but he has a point.

Thanks (5)
By tedbuck
20th Jun 2018 15:04

Ian is spot on

This is another monstrous obstacle to people and businesses trading profitably. I should guess that even small firms have lost about 100 man hours over this, and probably fruitlessly, as it is difficult to envisage there being a correct answer. I suppose it will help unemployment by introducing a number of Data Controller/Manager jobs which will contribute nothing to the economy and will reduce productivity, so that some mentally deficient Minister can state portentously that the Country's productivity has again slipped from what it used to be. And, of course, we have the MTD charade to follow, which will inevitably lead to more wasted time to give HMRC more data that they have no-one to understand. So we will have taxpayers wasting even more time waiting on the helplines for help which they won't get from staff who haven't been trained, because the Computers understand it so they don't have to.

I hope I'm not sounding cynical but why can't we have intelligence in Government instead of the bunch of idiots we do have.

Thanks (5)