Table of Contents
The UK General Data Protection Regulation (UK GDPR) sets out stringent rules around how organisations may process personal data. Many organisations must maintain records of their data processing activities in a ‘Record of Processing Activities’ document. It is vital to update these records to reflect various changes in a company’s data processing activities. This article will explore what a Record of Processing Activities is and when you should update it.
What Does a Record of Processing Activities Mean Under Data Protection Laws?
To comply with the UK GDPR rules, most organisations must document their data processing activities. This applies to data controllers and processors, although data controllers have more rigorous obligations.
A Record of Processing Activities is a document that sets out various information about your use of personal data.
For example, a Record of Processing Activities will generally lay out information including:
- what personal data your business processes;
- the purpose for using personal data;
- what your lawful basis is for processing that data;
- who personal data is transferred to;
- whether personal is transferred outside of the UK; and
- how personal data is secured.
Most businesses need a Record of Processing Activities. There is, however, a limited exemption for companies that employ less than 250 employees. If your business has less than 250 employees, you will only need to document processing activities that:
- are not occasional;
- are likely to result in risk to the rights and freedoms of individuals; or
- involve special categories, criminal convictions and offence data (susceptible under UK GDPR).
Despite this exemption, it is highly advisable that you document your data processing activities. The ICO (the UK data protection regulator) recommends this as good practice.
The document does not have to be a set format, but it must contain vital information about the types of personal data your organisation holds and how it processes it.
Should I Update My Processing Records?
A Record of Processing Activities is crucial for UK GDPR compliance. It is not a document you should complete at one stage and then file away. Rather, it should be revisited and reviewed periodically to ensure it is accurate and up to date.
As well as carrying out regular reviews, there are various trigger points at which you should check to ensure that your Record of Processing Activities is up to date, and if needed, update it.
For instance, you should review and update your records when there are changes in your data processing. For example, when you change the periods for retaining personal data, transfer personal data to different international companies, or change the types of personal data you collect. This can be very common in practice, as businesses frequently change their service offerings, which could impact the types of personal data they process and why.
Continue reading this article below the formCall 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
What Are Some Practical Examples of When I Need to Update My Processing Records?
1. Introduction of a New Paid Service
If you introduce a new paid service, this means you will collect new types of personal data from your customers, including their bank details. As such, you need to update your processing records.
2. Commencing Work With a New US-Based Subprocessor
You may decide to start to work with a new subprocessor located in the US. As such, you need to edit your processing records to reflect this. Further, you also need to identify which international data transfer safeguard method you are using. This is in connection to your sharing personal data with this third party.
3. Introduction of New Safety Safeguards
You may decide to introduce new security standards. If so, you need to change the technical and organisational measures you have recorded in your processing records.
4. Purposes of Processing Personal Data Changes
You may decide to change the purposes for processing personal data. For example, you may decide to collect your customer contact information for marketing purposes. In this event, you will need to update your records accordingly.
5. Extended Retention of Personal Data
In certain circumstances, you may decide to change how long you keep certain types of personal data. As such, you will need to update your records accordingly to define the new retention periods.
6. Changes in Laws or Regulatory Guidance
The government may decide to change laws or regulatory guidance regarding maintaining Records of Processing Activities. In this event, you will need to revisit and possibly amend your records. You need to ensure they are still compliant.
Why is Updating Processing Records Important?
It is vital to ensure that your Record of Processing Activities is entirely accurate and up to date. The UK ICO’s guidance states that keeping these records is not a one-off exercise. Further, the information within them must reflect the current situation regarding your data processing. As such, the regulator recommends treating this record as a ‘living document’ that is updated when needed. Regular reviews are important to help achieve this.
This factsheet sets out how your business can become GDPR compliant.
Key Takeaways
Maintaining records of your data processing is essential under the UK GDPR rules. A Record of Processing Activities is vital and can help demonstrate your accountability. It is crucial to regularly review and update your processing records to accurately capture any changes in your data processing practices over time. For instance, your record may need to be updated to reflect new categories of personal data you start to collect or amended data retention periods. By continuously reviewing and updating your Record of Processing Activities, you will be able to demonstrate your accountability and commitment to UK GDPR compliance and maintain an accurate understanding of your data processing as a business from time to time.
If you need help determining if your record of processing activities needs to be updated, contact our experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
We appreciate your feedback – your submission has been successfully received.
