4. Records of Processing Activity

A short guidance note explaining the GDPR obligations on organisations to maintain internal records of their data processing activities.

What does the law require?

The GDPR introduces a new requirement for organisations with more than 250 employees to maintain internal records of their data processing activities. If your agency has less than 250 employees, you will still be required under the GDPR to maintain records of activities related to “higher risk” processing or processing of sensitive personal data (such as health records or information regarding criminal convictions).

The records must include a range of information set out in the GDPR, such as the purposes of the processing, the categories of personal data and recipients to whom the data have been or will be disclosed, envisaged time limits for erasure of the different categories of data, and details of your agency’s data security measures.

The ICO can request agencies to make the records available to it at any time on request.

What do you actually need to do?

There is currently some uncertainty about the scope of the record keeping requirement under the GDPR. As at the date of this IPA Guidance, there is currently no detailed guidance from the ICO in this area. However, it is clear that agencies will need to maintain some sort of internal record of their data processing activities in one form or another.

You should therefore think about documenting what personal data your agency holds, where it came from and who you share it with or alternatively ensure that you know where this information is stored within your agency and ensure it is easily accessible. It may be that you can take advantage of existing systems (such as HR systems and databases) for the purposes of demonstrating that appropriate records are being maintained.

Depending on the volume and complexity of your agency’s data protection operations, it may be worthwhile conducting some sort of information audit across your agency or within certain business areas (such as HR). Doing this will also help you to comply with the GDPR’s “Accountability” principle referred to in the Accountability and Governance section of the IPA's GDPR Top Ten Practical Steps Guidance, which requires you to be able to show how your agency complies with the data protection principles, for example by having effective policies and procedures in place.

How can the IPA help?

As mentioned above, there is currently some uncertainty about the scope of the record keeping requirement under the GDPR. As at the date of this IPA Guidance, there is currently no detailed guidance from the ICO about what is specifically required. The IPA may therefore publish additional guidelines for agencies in due course once there is further regulatory guidance in this area.