The GDPR requires organisations to maintain a detailed record of their processing activities. This requirement applies to organisations that process data for themselves and on behalf of others. The records created need to be made available to the supervisory authority on their request.
Many of the required records will already be available within existing systems, particularly if those are online or computerised systems. Attention should also be paid to the systems of third-party and/or cloud providers to ensure that records from those systems are available too.
Maintenance of this record is only mandated if one of the following applies:
- Your organisation employs more than 250 FTE
- You process criminal or special categories of personal information
- You regularly process personal information (hourly, daily, weekly or on other regular schedule)
Ensure you are able to obtain an ongoing record of processing activities. This record should contain at least the following:
- the contact details of your organisation and its data protection officer, and the details of any other organisation processing information on your behalf
- a description of the categories of data being processed
- who else has received the personal data, including where the data has been transferred out of the country
- where information has been transferred out of the country, the safeguards that have been put in place
- the retention period of the data
- a description of the technical and organisational measures in place to protect the data
These records need to be in writing and electronic format.
The Gydeline system will show you which information is needed within this record but you may need to work with your in-house or external IT provider to collate or automate some of these records.
The supervisory authority asks to see your processing record
- Send your existing records to the supervisory authority or provide access to them. Request and collate records from any third parties.
- GDPR Recitals: 82, 89
- GDPR Articles: 30