If you act as a data processor in the United Kingdom, you have a range of privacy law obligations. Under the UK General Data Protection Regulation (UK GDPR), one essential obligation is to maintain a ‘Record of Processing Activities’ in certain circumstances. This article will explore whether a processor needs to maintain a Record of Processing Activities and some critical points regarding this documentation.
Do Data Processors Need a Record of Processing Activities?
Many organisations that process personal data must record their data processing activities to comply with UK GDPR rules.
This obligation applies to both controllers and processors. However, controllers have the more onerous obligation and must record more detailed information than processors.
A Record of Processing Activities is a record which documents how an organisation uses personal data.
For example, a Record of Processing Activities includes various critical information such as:
- what personal data an organisation processes;
- why personal data is processed;
- who personal data is shared with; and
- how personal data is secured.
There is a limited exemption for organisations with fewer than 250 employees. These organisations only need to document processing that is not occasional, that is likely to result in a risk to the rights and freedoms of individuals, or that involves special category data or criminal offence data. However, the ICO still recommends keeping these records as best practice.
The ICO recommends that companies update their Records of Processing Activities (ROPAs) regularly to reflect any changes in how they use personal data.
What Should a Data Processor Note About Processing Records?
As a data processor, it is crucial to maintain robust documentation for specific processing activities. Additionally, it is sensible to include a link to the contracts with your controller customers within your Record of Processing Activities.
As a processor, your Record of Processing Activities should include specific information including but not limited to the following:
- the name and contact details of your business, of each controller on whose behalf you process personal data, and, where applicable, of your representative, each controller's representative, and the Data Protection Officer;
- the categories of processing you carry out on behalf of each controller;
- where applicable, details of transfers of personal data to countries outside the UK, including the identification of the country and, where relevant, documentation of the safeguards relied on; and
- where possible, a general description of the technical and organisational security measures implemented to safeguard personal data.
Nature of Records
These records must be in writing, including in electronic form, and must be made available to the ICO (the UK supervisory authority) on request.
In practice, a processor may process personal data on behalf of many different customers. If so, a processor may consider consolidating its records for all of its controllers into a single document, as shown in the UK ICO's processor documentation template.
It is vital to review these records regularly and ensure they remain up to date. Keeping the Record of Processing Activities electronically makes it easier to update whenever a processing activity changes.
What Are The Benefits of Recording Processing Activities?
Maintaining a Record of Processing Activities as a processor presents several key benefits.
For example:
- using a Record of Processing Activities will help your business demonstrate its accountability and commitment to compliance with the UK GDPR rules;
- a Record of Processing Activities will provide a central reference point for your data processing activities, which can help you identify and address other compliance gaps. For instance, if a controller asks where its data is sent, you can quickly review this documentation to source the required information; and
- you can tell your controller customers you maintain robust records, including a Record of Processing Activities, which can help instil confidence in your business as a data processor. This is particularly important in the context of a controller’s due diligence on data processors. It can also help enhance your reputation as a trusted supplier who takes data privacy obligations seriously.
In practice, a supplier handling large volumes of personal data, or high-risk personal data, on behalf of customers can find completing a Record of Processing Activities difficult. However, a processor must get this right. If you need clarity on your obligations or on how to complete a Record of Processing Activities, you should seek legal advice from an experienced data protection lawyer.
Key Takeaways
Record keeping is a crucial obligation under the UK GDPR rules. A Record of Processing Activities is essential to help processors comply with this obligation. It will help processors keep up to date with the types of personal data they process and why. Further, maintaining a Record of Processing Activities will help demonstrate compliance with the UK GDPR rules.
If you need help with UK GDPR compliance advice, our experienced data, privacy, and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.