The GDPR requires all organisations to keep a record of their processing activities. If you have fewer than 250 employees, then you needn’t keep such comprehensive records.

The GDPR requires the following information in a record of processing to be kept:

  • The details of the Data Controller or Data Processor and any representatives (Data Protection Officer)
  • The categories of processing activities performed
  • Information involving Cross-Border Data Transfers
  • A general description of the security measures in place in respect of the processed data

It’s important to list what data you collect and for what reason you collect it. For example, to hire staff or to supply goods or services to customers. This then leads to you being able to determine and publish what the lawful basis is for capturing that data (there are 6 and you need to articulate which you are using). From this point on, you will identify such things as at what point in the process you collect the data, how often you refresh it, how long you keep it and how you keep it secure.

It’s also a good idea to create a map of the data flow within your organisation. This will visually show the way data enters your organisation, where it goes and by what means, where it is stored and how it is disposed of. This allows the identification of vulnerabilities in security and creates opportunities to develop more efficient internal processes.

Let us help you create your data inventory and map!

Contact us for a personalised quotation for a complete record of processing.

Can we help?

×