Records of processing activities
Article 30 of the Applied GDPR requires controllers and processors to create and maintain records of their processing activities. Where such records are mandated, they must be made available to the Commissioner on request. Failure to maintain records of processing activities where mandated can result in action by the Commissioner, including a fine of up to £1,000,000.
Who does this requirement apply to?
Any controller or processor with 250 or more staff must create and maintain records of processing activities.
Where there are fewer than 250 staff, records of processing activities must be maintained if:
- the processing carried out is likely to result in a risk to the rights and freedoms of data subjects (any level of risk); or
- the processing is not occasional (i.e. more than once or twice a year); or
- the processing includes special categories of personal data (Article 9) or personal data relating to criminal convictions and offences (Article 10).
What must be included?
Article 30 specifies that records of processing activities must contain the following information:
- the name and contact details of the controller or processor (and, if applicable, the joint controller/processor, the controller/processor's representative and the data protection officer);
- the purposes of the processing;
- a description of the categories of data subjects, personal data and recipients;
- details of any transfers of personal data overseas (identifying the third country or international organisation) and, where applicable, the documentation of the suitable safeguards for those transfers;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
Although there are narrow exceptions to the mandatory requirement to maintain “records of processing activities”, other obligations in the Applied GDPR still require demonstrable compliance and evidence of review. The information included in records of processing activities is also required for:
- providing transparency information to data subjects
- integrity and confidentiality (establishing the relevant technical and organisational measures including security measures for personal data and the implementation of data protection policies)
- accountability for compliance with the principles
- undertaking data protection impact assessments
- ensuring data protection by design and by default
- demonstrating compliance to a supervisory authority
- reporting data breaches
All the obligations listed above apply to controllers, and those at points 2, 4 and 7 (integrity and confidentiality, undertaking data protection impact assessments, and reporting data breaches) also apply to processors. The obligation to maintain records of processing activities should not, therefore, be considered in isolation from the other responsibilities and obligations that require a detailed knowledge of the processing activities. In practice, therefore, every controller and processor will need to keep some form of record of its processing, whether or not Article 30 formally requires it.
Guidance on records of processing activities can be found in the "Closer Look" guide below.