Documentation under the GDPR – the ICO goes on the record

March 13, 2018

Article 30 of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, places an obligation upon data controllers and processors to keep internal records of data processing activities. The data protection supervisory authority for the UK, the Information Commissioner’s Office (ICO), has recently published detailed guidance on these record-keeping requirements. The ICO suggests that keeping records of processing will be beneficial to organisations, providing an assurance as to the “quality, completeness and provenance” of personal data as well as helping to develop more effective and streamlined business processes. Record-keeping will also help organisations demonstrate their compliance with the GDPR more generally – part of the principle of accountability which is so important under the GDPR. The key points from the guidance are summarised below. 

Why? 

Article 30 of the GDPR requires controllers of personal data to maintain a record of processing activities for which they are responsible. Although under current data protection legislation data controllers in the UK must provide some detail of processing activities when they register with the ICO, this obligation goes much further. Data processors are also required to maintain a record of all categories of processing activities carried out on behalf of a controller. 

What? 

The different types of information that must be recorded by data controllers are as follows: 

  • name and contact details of the controller and (where applicable) the joint controller, controller’s representative, and the data protection officer; 
  • purposes of the processing; 
  • categories of data subject and personal data; 
  • categories of recipients to whom the personal data has been or will be disclosed; 
  • transfers of personal data outside the EEA and the safeguards in place (if applicable); 
  • envisaged time limits for erasure of different categories of data (where possible); and 
  • a general description of the controller’s technical and organisational security measures (where possible). 

Article 30 also sets out the categories of information which a processor is required to keep, which are similar to, but not as extensive as, those for data controllers. 

It is not necessary to proactively provide this information to the ICO but it may be necessary to make it available on request, for example, for an investigation. 

Who?

All data controllers and processors are required to keep records. However, organisations with fewer than 250 employees do not need to keep records in respect of processing activities that: 

  • are occasional; 
  • are unlikely to result in a risk to the rights and freedoms of individuals; and 
  • do not involve special category data or criminal conviction and offence data. 

In its guidance, the ICO uses the example of an insurance company with only 100 staff which processes the following types of data to explain in what situations keeping a record will be necessary: 

Type of processing / Need to keep a record? / Why? 

  • Processing in the context of claims, sales and HR / Yes / This is regular processing 
  • Occasional internal staff engagement survey / No / This is not regular processing 
  • Infrequent profiling of its customer database for the purposes of insurance-risk classification / Yes / Processing could be intrusive and result in risks to individuals’ rights and freedoms 
  • Equal opportunities monitoring (including data about ethnicity and health) as part of a recruitment campaign / Yes / Processing involves special category data 

In practice, most organisations, no matter what their size, are likely to have some record-keeping obligations. The ICO suggests that even if it is not mandatory to keep data processing records, it is good practice to do so because it will assist organisations in managing data more effectively and complying with other aspects of the GDPR. For example, there is a large degree of overlap between the information that organisations must provide to individuals when collecting their personal data and the information set out in the record-keeping requirements. Good records will help organisations to provide the requisite information to data subjects. 

The Article 29 Working Party is currently considering the scope of the exemption for small and medium-sized organisations, and the ICO may update its guidance to reflect the outcome of these discussions.

How? 

If an organisation already has an established document governance framework in place, this may be combined with records of data processing activities, provided they contain all of the information specified in Article 30. 

For those who currently have no record-keeping practice in place, a three-stage process is suggested by the ICO: 

  1. distribute a questionnaire to areas of the organisation which process personal data to ascertain, for example, why they use personal data, how long they keep it and with whom they share it; 
  2. meet with the business functions to gain a better understanding of how the different parts of the organisation use data; and 
  3. locate and review policies, procedures, contracts and agreements which will feed into the documentation exercise and facilitate a comparison between intended and actual processing activities. 

Records must be in writing but can be in electronic or paper form. However organisations choose to document their processing activities, it must be done in a granular and meaningful way. The ICO has published templates for controllers and processors which contain both mandatory and optional sections. 

When? 

Records should be in place by 25 May 2018. The ICO says they should be updated on a regular basis to ensure that they remain accurate and up-to-date. It is unclear what this means but it is likely to depend on the size of the organisation and the volume and complexity of the processing operations. It would be advisable for organisations to update their records on at least an annual basis, particularly given the need to advise data subjects of any changes to processing with an updated Privacy Notice.