Documentation
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
At a glance
- You must maintain internal records of processing activities.
- If a processor is acting on your behalf, the processer must also maintain a record of processing activities they are carrying out.
- You and any associated processor may be required to make these records available to the Information Commissioner on request.
In brief
What do I need to record?
You must maintain internal records of processing activities including:
- your name and details (and where applicable those of other controllers, your representative and data protection officer);
- purposes of your processing;
- description of the categories of individuals and categories of personal data;
- categories of recipients of personal data;
- details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
- your retention schedules; and
- a description of your technical and organisational security measures.
If a processor is acting on your behalf, the processer must also maintain a record of processing activities they are carrying out including:
- the name and contact details of the processor (and where applicable, of other processors, their representative and data protection officer);
- the categories of processing carried out on your behalf;
- details of transfers to third countries where explicitly instructed, including documentation of the transfer mechanism safeguards in place and identification of that third country; and
- a description of technical and organisational security measures.
You and any associated processor may be required to make these records available to the Information Commissioner on request.