Which Data Protection Records Should My Small Business Keep?

Complying with the UK General Data Protection Regulation (UK GDPR) is essential for small businesses. Thorough recordkeeping will help your business fulfil its legal obligations and promote good data governance to protect personal information. Demonstrating accountability is crucial to building trust with your customers and ensuring your business avoids potential fines, and good record-keeping can help with this. This article explores some essential records your small business may need to maintain and their importance for UK GDPR compliance. 

Why is UK GDPR Compliance Important?

Complying with the UK GDPR is vital for a business to avoid regulatory action, including fines that can reach £17.5 million or 4% of its global turnover, whichever is higher.

Compliance, however, is about more than avoiding penalties. It demonstrates that your business values transparency and data security. These are often vital for a small business working hard to develop a good reputation. 

Maintaining detailed records can help improve your internal processes, enhance your data security, and mitigate risks. Comprehensive records help build trust with customers and partners, reinforcing your business’s reputation for responsibility and accountability. 

What Records Should Your Business Maintain?

Even for small businesses, UK GDPR rules are still in force, and compliance is crucial. The specific records and documents you need to maintain will depend on the type of data you process. 

Under the UK GDPR, a business must maintain specific records of its data processing activities. As a data controller, your business will need to document various matters, including:

• organisation and contact information: you should document the name and contact details of your organisation, other controllers involved (if applicable), and your Data Protection Officer (DPO) if your business is required to appoint one;
• purpose of processing: your business should clearly state the purposes for which it processes personal data. This helps demonstrate that you have a lawful basis for processing;
• categories of personal data: you should identify the different categories of personal data that your business processes, such as names, contact information, or financial details; 
• recipients of data: you should document the categories of recipients who will receive personal data, whether internal to your organisation or external third parties, such as data processors; and
• international data transfers: if your business transfers data outside the UK, you should record the details of these transfers, including any safeguards put in place to protect personal data.

Further Examples of Records 

Your business could also consider keeping the following records:

• retention schedules: your business should state how long it retains personal data and ensure that this aligns with your data minimisation and storage limitation obligations under the UK GDPR; and
• security measures: record the technical and organisational measures your business has in place to protect personal data. These could include encryption, pseudonymisation, access controls, and regular security audits.

If your business has fewer than 250 employees, exemptions to recordkeeping requirements will apply only if the processing is occasional, low-risk, does not involve special category data, and does not pose risks to individuals’ rights and freedoms. 

However, these exemptions can be limited in practice, and if your business processes personal data regularly or engages in higher-risk processing, you must still comply with full recordkeeping obligations. As a small business, keeping records of processing activities in any event is best practice, even if they are not legally mandatory for your business.

Which Additional Documentation Should Your Business Keep?

In addition to specific recordkeeping requirements regarding your data processing activities, your business should maintain detailed documentation on several other key aspects of UK GDPR compliance. 

Some of the types of documents required are mentioned in ICO guidance and include but are not limited to:

• Consent Records. If your business relies on consent as a lawful basis for processing data, you must keep detailed records of when and how you obtained consent and any withdrawals of consent;
• Controller-Processor Contracts. When working with data processors, your business must have written contracts that specify the responsibilities of both parties under the UK GDPR, which is mandatory. You should keep these contracts as a crucial part of your documentation; and
• Data Protection Impact Assessments (DPIAs). If your business engages in high-risk processing activities, such as large-scale processing of sensitive data, you must conduct and document mandatory DPIAs. These assessments help identify potential risks to data subjects and outline the steps your business takes to mitigate those risks.

What Optional Documentation Could Your Business Keep?

Your business could also consider keeping the following documentation:

• Data Breach Records. If your business experiences a data breach, you should document the details of all breaches, including how many individuals were affected, the nature of the breach, and the measures you took to address it; and
• Special Category Data. If your business processes special category data, such as health information or criminal conviction data, you must document the lawful basis for processing and outline any additional safeguards you have implemented to protect this data. 

These are examples of some records you may need to keep, but these are not exhaustive. If you need advice on which records and documents your business requires to comply with the UK GDPR rules, you can seek support from a data protection solicitor to guide you. The exact types of records you will need to maintain will depend on your specific business and its processing activities. 

Why Does Proper Recordkeeping Matter?

To ensure compliance with UK GDPR, it is crucial to maintain organised, accurate, and transparent records. Accurate, up-to-date records are essential for demonstrating compliance and responding to enquiries from data subjects or regulators. Additionally, being transparent about your data practices and having evidence readily available can help mitigate risks and build trust with your customers. 

Thorough recordkeeping can offer several significant benefits to your small business. It allows you to demonstrate accountability to regulators, reducing the risk of fines. Should the ICO request to review your records, you must have accurate, comprehensive documentation that shows that your business complies with GDPR obligations.

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Key Takeaways

Maintaining accurate and up-to-date records of your processing activities is a legal requirement under the UK GDPR. Proper recordkeeping also enhances internal data governance, minimises risks, and builds customer trust. By thoroughly documenting privacy practices, you can demonstrate accountability, improve internal processes, and protect your business from penalties. This is extremely important for a small business, which should take active steps to prevent reputational damage and enforcement action. 

If you need assistance with your UK GDPR compliance or have questions about data protection law, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to solicitors to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions