Record of Processing Activities GDPR
Keeping the record of processing activities is a requirement under the GDPR, and whilst some small businesses may be exempt, it is good practice to keep track of the data flow in your organisation.
Do I need to keep records of data processing?
Most organisations will need to keep records of data processing.
For small and medium-sized businesses, the requirements are more limited. These businesses will need to keep records of any regular data processing (occasional data processing may be excluded), records of any sensitive personal data processing and data processing that could result in a risk to the rights and freedoms of individuals.
At Sovy, we recommend all organisations keep thorough documentation, regardless of their size.
What information do I need to include in a record of data processing?
Your records of data processing should include:
- The type of data you process
- Why you process it
- Your lawful basis for storing it
- Where you store it
- How long you store it
- Whether it is subject to automated profiling
- Whether it is transferred to third parties
- Whether it is transferred outside of the EEA
- More information, dependent on the data type or usage
With the self-assessment data processing tool in the Sovy Data Privacy Essentials, this is made easy.
Your records of processing activities are arguably one of the most important documents in your GDPR compliance programme. They describe all of the personal data that you collect and information about your processing of that data, including why you collect it, your lawful basis for doing so, how long you store it and much more.
We make this complex requirement of the GDPR a straightforward task. Our step-by-step self-assessment guides you through the process of building your record of data processing and makes it easy for you to update as often as you need.