The ICO exists to empower you through information.

In detail

Are there other things that need documenting?

There are several other provisions in the UK GDPR and in the  Data Protection Act 2018 (DPA 2018) where documentation is necessary, especially when you are a controller for the personal data being processed. While it is not always a requirement that such information is recorded alongside (or linked from) the record of your processing activities, we think that doing so makes good business sense. It can also help you demonstrate your compliance with other aspects of the Regulation.

Should we document anything for our privacy notice?

By keeping good records as part of your documentation process, you will be better able to draft your privacy notice and have a better understanding and more complete oversight of your processing activities.

There are several similarities between what you must document about your processing activities and what you must tell people in a privacy notice. However, there are some additional information requirements for your privacy notice, as follows:

  • The lawful basis for the processing – one or more of the bases laid out in Article 6(1) of the UK GDPR.
  • If applicable, the legitimate interests for the processing – these are the interests pursued by your organisation or a third party if you are relying on the lawful basis for processing under Article 6(1)(f) of the UK GDPR. You could also include a link to the record of your assessment of whether legitimate interests apply to the particular processing purpose.
  • The rights available to individuals regarding the processing – e.g. access, rectification, erasure, restriction, data portability, and objection. The rights vary depending on the lawful basis for processing. Your documentation can reflect these differences.
  • If applicable, the existence of automated decision-making, including profiling. In certain circumstances you will need to tell people about the logic involved and the envisaged consequences.
  • If applicable, the source of the personal data. This is relevant when you didn’t obtain personal data directly from an individual.

Further reading – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.

WP29 published the following guidelines which have been endorsed by the EDPB:

Guidelines on Transparency

Guidelines on Automated individual decision-making and Profiling

Guidelines on the right to data portability

What about consent?

When relying on consent as your lawful basis for processing, you must be able to demonstrate how and when that consent was obtained. It may be impractical to document each individual consent as part of your record of processing activities. But you can use this record to indicate you are relying on consent for a particular processing activity, and to link to where the consent has been documented. This can help to maintain an effective audit trail. It can also enable to you quickly locate and provide evidence of consent if challenged.

Further reading – ICO guidance

Consent

Further reading – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the UK GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.

WP29 adopted guidelines on Consent, which have been endorsed by the EDPB.

Is there anything else we should document?

Controller-processor contractsif a controller uses a processor to carry out a particular processing activity, a written contract must be in place. Both controllers and processors can use their record of processing activities to link to the relevant contract documents.

The location of personal data – recording where personal data is stored will help you locate information more easily when an individual exercises the right of access to their personal data (e.g. manual records held in HR file, electronic records held on cloud server, electronic records held by data processor).

Data Protection Impact Assessments (DPIAs) – you must carry out a DPIA when what you are doing with personal data is likely to result in a high risk to individuals’ rights and freedoms, particularly when new technologies are involved. You can use your record of processing activities to help flag when a DPIA is required, to keep a track of its progress, and to link to the completed report.

Personal data breaches – one of the requirements regarding personal data breaches is that they must be documented. It is up to you to decide how to do this, but we think it is useful to mark any breaches against your record of processing activities, while also linking to the full breach documentation. This can help you monitor which processing activities the breaches relate to and identify any patterns or potential areas of concern.

Special category data or criminal conviction and offence data – in the UK, the DPA 2018 sets out several conditions for the processing of special category or criminal conviction and offence data. To satisfy several of these conditions, you must have a policy document that details your procedures for complying with the principles in Article 5 of the UK GDPR and sets out your policies for retaining and erasing the special category / criminal conviction and offence data. You must also review and retain the policy document when processing the special category / criminal conviction and offence data, and then for at least 6 months afterwards.

If you process special category data under a condition which requires an appropriate policy document , you must document the following information as part of your processing activities:

  • The condition for processing you rely on in the DPA 2018, as set out in Parts 1-3 of Schedule 1.
  • The lawful basis for the processing – one or more of the bases laid out in Article 6(1) of the UK GDPR.
  • Whether the personal data is retained and erased in line with the accompanying policy document you must maintain – if not, you must detail the reasons why.

Further reading – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.

WP29 published the following guidelines which have been endorsed by the EDPB:

Guidelines on Personal data breach notification

Guidelines on Data Protection Impact Assessments