Records of processing activities

Article 30 of the Applied GDPR requires that records of processing activity are created and maintained. Where records of processing activities are mandated, they must be made available to the Commissioner on request. Failure to maintain records of processing where mandated can result in action by the Commissioner, including a fine of up to £1,000,000.

Who does this requirement apply to?

Any controller or processor with more than 250 staff must create and maintain records of processing activities.

Where there are fewer than 250 staff, records of processing activities must be maintained if:

What must be included?

Article 30 specifies that records of processing activities must contain the following information:

Although there are narrow exceptions from the mandatory requirement to maintain “records of processing activities”, other obligations in the Applied GDPR still require demonstrable compliance and evidence of review. The information included in records of processing activities is also required for:

  1. providing transparency information to data subjects
  2. integrity and confidentiality (establishing the relevant technical and organisational measures including security measures for personal data and the implementation of data protection policies)
  3. accountability for compliance with the principles
  4. undertaking data protection impact assessments
  5. ensuring data protection by design and by default
  6. demonstrating compliance to a supervisory authority
  7. reporting data breaches

All the obligations listed above apply to controllers and  those at points 2, 4, & 7 apply to processors. The obligation to maintain records of processing activities, should not, therefore, be considered in isolation from other responsibilities and obligations where a detailed knowledge of the processing activities is required. It seems almost inevitable, therefore, that some form of record about the processing is kept by all controllers and processors.

Guidance on records of processing activities can be found in the "Closer Look" guide below.