Linked to the principle of accountability, record-keeping is a new, key element of the General Data Protection Regulation (GDPR). Article 30 requires data controllers and data processors to keep internal records of data processing activities, including the recording of processing purposes, categories of personal data, data sharing and data retention.
Why it is important to document processes
For legal compliance, organisations must have key documentation available on request, for example, for an ICO investigation. However, doing this can also help you:
- Write your privacy notice: much of what you document is what you need to tell people in your privacy notice
- Respond to subject access requests: knowing what data is held and where will make this more efficient
- Assess your processing activities: this will help with, for example, ensuring that the personal data you hold is relevant, current and secure
- Improve data governance through good practice
- Increase business efficiencies
Who is responsible for maintaining documentation
All organisations of 250 employees or more must document their processing activities. Smaller organisations need only document processing activities if they:
- Are a regular occurrence
- Are likely to result in a risk to the rights and freedoms of individuals – for example, if the activity might be intrusive or affect people adversely
- Involve special category data or criminal conviction and offence data
What documentation must be recorded
Under Article 30 of the GDPR, data controllers and data processors are required to record a very long and specific list of facts surrounding personal data processing. The ICO outlines it here, on its website.
Organisations should also document:
- Controller-processor contracts
- The location of personal data
- Data Protection Impact Assessments (DPIAs)
- Personal data breaches
- Special category data or criminal conviction and offence data
How to get started on GDPR documentation
Start off with an information audit or data-mapping exercise to identify what personal data your organisation holds and where it’s located. Then meet up with all your key business functions so you gain a better understanding of how certain parts of your organisation use data. The next stage is to locate and review policies, procedures, agreements and contracts.
The ICO provides really helpful documentation templates for data controllers and data processors on its website.
For more information on Me Learning’s flexible, online GDPR courses, click here.