Records of Data Processing
Keeping records of data processing is a requirement under the GDPR, and whilst some small businesses may be exempt, it is good practice to keep track of the data flow in your organisation.
In fact, your records of data processing are arguably one of the most important documents in your GDPR compliance programme. They describe all of the personal data that you collect and information about your processing of that data, including why you collect it, your lawful basis for doing so, how long you store it and much more.
We make this complex requirement of the GDPR a straightforward task. Our step-by-step self-assessment guides you through the process of building your record of data processing and makes it easy for you to update as often as you need.
Most organisations will need to keep records of data processing.
For small and medium-sized businesses, the requirements are more limited. These businesses will need to keep records of any regular data processing (occasional data processing may be excluded), records of any sensitive personal data processing, and records of data processing that could result in a risk to the rights and freedoms of individuals.
At Sovy, we recommend all organisations keep thorough documentation, regardless of their size.
Your records of data processing should include:
- The type of data you process
- Why you process it
- Your lawful basis for storing it
- Where you store it
- How long you store it
- Whether it is subject to automated profiling
- Whether it is transferred to third parties
- Whether it is transferred outside of the EEA
- More information, dependent on the data type or usage
With the self-assessment data processing tool in the Sovy GDPR Privacy Essentials, this is made easy.
Whilst there is no official format for your record of data processing, we recommend that it is:
- In a common, machine-readable format, or able to be downloaded in a machine-readable format