I wrote an article about 2 months ago with some practical guidance on how to start complying with GDPR.
Since I published the guidance, a number of people have said it really helped them get their head straight and get some clarity around the first logical steps that they needed to take.
Step 1 recommends that you get a basic understanding of what GDPR is. My earlier article suggests ways for you to do this. Needless to say, I can help you in various ways.
This week, I’ll talk a little more about step 2: Writing down what you do with personal data.
In my original article, I recommended that you do the following:
“Open an Excel spreadsheet (or find a blank whiteboard) and start writing down the types of things your organisation does with the personal data of customers, employees and any other groups of individuals (e.g. suppliers, prospects).
- How you get the data [Gather]
- Where you store it [Store]
- What you use it for [Process]
- Who else you give it to [Disclose]
- How long you keep it and/or when you delete it [Retention]”
Why do I suggest doing this?
1. You need to demonstrate how you comply with GDPR
Accountability is a key piece of GDPR. Not only do you need to do the right thing; you also need to provide evidence that you have done it. You’re non-compliant unless you can prove your compliance.
A key element of accountability is having a formal ‘Record of Processing Activity’ (detailed in Article 30 of GDPR).
The information you are capturing in this Excel sheet or on this whiteboard is the foundation for this.
Legally, a ‘Record of Processing Activity’ is only mandatory for organisations with 250 or more staff; smaller organisations are exempt, but only if (Article 30, paragraph 5):
- Your processing does not present a risk to the rights & freedoms of individuals (and what processing does not present some sort of risk?)
- Your processing is only occasional
- Your processing does not involve special categories of data (also known as sensitive data, such as racial or ethnic background, political opinions, health, religious or philosophical beliefs, sexual life or orientation, etc.) or criminal convictions or allegations.
However, even if you can exclude yourself from the obligation, I recommend that you still create such a record.
Firstly, regardless of size, you still need to demonstrate your compliance. You still need to be accountable. How can you do this if you can’t show the processing that you do?
But there are other benefits. I’ll only discuss two here.
2. You can’t be sure that what you do is compliant if you don’t know what you do.
It’s a pretty obvious statement really.
You need to write down what you do before you can assess this against the key elements of GDPR.
3. To assess how you comply without losing your sanity, you need a reliable & comprehensive single view of your processes.
To be compliant with GDPR, you will probably need to put new internal procedures in place to handle the requests you could frequently receive from individuals. You will also need to perform formal impact assessments of any processing that may be perceived as a high risk to individuals.
This is a lot of work and you will need to involve a number of your staff.
The last thing you need is ongoing debates between these staff members about what processes exist and whether they involve personal data. The debates will delay your compliance work. You can’t afford delays.
You need a single, reliable version of the truth about what you are doing with personal data.
Get the list of processes down on paper early to reduce the debates later.
I hope this helps.
If you don’t know where to start, read more about how I can help.