Maintaining a Register of Data Processing Activities

by Sam Wainwright

 

Depending on the size of your business, the GDPR may require you to maintain a register of data processing activities, but which activities should you record, and does this apply to you? It can be daunting to know where to start in finding out which GDPR requirements apply to your business, so it is easy to get the wrong idea.

The problem

There is a misconception that the GDPR requirement to maintain a register of data processing activities only applies to businesses with over 250 employees. After some enquiries made to the UK’s data protection authority, the ICO, it appears that this is not the case!

Companies with under 250 employees need to maintain a register of ‘non-irregular’ (why can’t they just say ‘regular’?) processing activities, for example, collecting employees’ emergency contact details.

Companies with over 250 employees need to maintain a register of both irregular and non-irregular processing activities. An irregular processing activity is any processing activity outside of your usual business practice. For example, an online casino (which has a requirement to collect your email address to provide its service) might send you an email to advise you of a new line of business that it had started.

The solution

All businesses must maintain a register of non-irregular data processing activities, and the ICO has a page dedicated to helping you comply with this requirement: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/documentation/how-do-we-document-our-processing-activities/

This page has a useful guide to help you capture and document your data processing activities, along with the additional data required for each activity (such as purpose and data category), to comply with the GDPR.