Skip to content
LegalVision UK

What is a Record of Processing Activities?

Avatar photo

By Sej Lamba

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

If you operate a business in the UK, you should be aware of your legal obligations regarding data and privacy. The UK General Data Protection Regulation (‘UK GDPR’) is the law governing the use of personal data. Depending on your business activities and how you use personal data, there are various documents you will need. One of the key documents is a ‘Record Of Processing Activities’. This article will explore what a Record of Processing Activities is and the critical information it should include.

Why is Documentation Crucial For UK GDPR Compliance?

Compliance with the UK GDPR is mandatory for any business using personal data. The law applies to virtually all businesses, as most businesses collect and use some form of personal data. 

Documentation is essential under the UK GDPR because of a critical concept called ‘accountability’. Accountability means you need to be able to demonstrate your compliance with the UK GDPR. Having comprehensive data protection documents can help demonstrate accountability and show that you take UK GDPR compliance seriously. 

In the unfortunate event of an investigation from data protection regulators, showing you have appropriate documents in place could also help limit the damage. For example, documentation may help regulators see your company has worked hard on compliance and has documentation to show for it.

What is a Record of Processing Activities?

To comply with the UK GDPR rules, most organisations must document their data processing activities. This applies to both data controllers and data processors, although data controllers have more stringent obligations. 

A Record of Processing Activities is a document that sets out various information about your use of personal data. For example, a record of processing activities will lay out:

  • what personal data your business processes; 
  • the purpose for using personal data; 
  • your lawful basis is for processing that data; 
  • who personal data is transferred to; 
  • whether personal is transferred outside of the UK; and 
  • how personal data is secured.

Most businesses need a Record Of Processing Activities. There is a limited exemption for businesses that employ less than 250 employees. Businesses with less than 250 employees will only need to document processing activities that:

  • are not occasional; 
  • are likely to result in a risk to the rights and freedoms of individuals; and
  • involve special categories, criminal convictions and offence data. 

Despite this exemption, it is highly recommended that you document your data processing activities. The ICO (the UK data protection regulator) recommends this as good practice.

The document does not have to be in a set format. Still, it must contain various essential information about the types of personal data your organisation holds and how it processes it. 

You should note that completing a Record of Processing Activities is not a one-off exercise – the document must be updated from time to time so that its contents are updated to reflect how you use personal data in practice. You should update your Record Of Processing Activities if you start a new activity involving personal data for the first time or change your data processing activities. It is one of the most critical documents for compliance purposes. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

What Should a Record Of Processing Activities Include?

A Record of Processing Activities lays out various information, including: 

  • the name and contact details of the relevant controller or processor; 
  • the purposes of data processing; 
  • a description of the categories of data subjects and categories of personal data, such as needing to include the fact that your organisation processes personal data about staff and customers for the purposes of managing its relationship with them; 
  • the categories of third-party data recipients who access your organisation’s personal data, including third-party suppliers with whom personal data is shared; 
  • identification of the country and the safeguards used to secure the transfer for transfers to countries outside of the UK; 
  • data retention periods for the different categories of personal data, including how long you hold particular types of personal data and when they are deleted; and 
  • a description of the technical and organisational security measures used to secure personal data. 
Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Key Takeaways

Keeping records of your data processing is fundamental under the UK GDPR rules. A Record of Processing Activities is a crucial document to help you achieve this. It can help you clearly understand the personal data you use and why and how it flows through your business. You should ensure that this document is regularly updated to reflect changes in how you use personal data from time to time. 

If you need help with data protection requirements, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

3 Documents Your Company Needs to Demonstrate GDPR Compliance

4 Common Challenges Your Company Will Face With the GDPR in the UK

Are CCTV Systems Safe for My UK Business to Use Under the GDPR?

Are Email Disclaimers Mandatory for UK Businesses Under the GDPR?

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times