Instead of registering with the ICO every year, organisations will be required to maintain detailed internal records of their processing activities which must include specific information prescribed by GDPR. This is a new requirement and includes information such as: processing purposes; categories and recipients of personal data; retention schedules; and a description of the technical and organisational security measures taken.
The ICO says that, as part of the record of processing activities, it can be useful to document other aspects of compliance with GDPR and the UK’s Data Protection Bill. This includes documentation such as: records of consent; information required for privacy notices; Data Protection Impact Assessment reports; and records of personal data breaches.
Controllers and processors each have their own documentation obligations. See the ICO’s detailed guidance on documentation for the specific information that controllers and processors are required to document. Organisations with 250 or more employees must document all of their processing activities. There is a limited exemption for small and medium-sized organisations, which must still document information in certain circumstances.
The records must be kept in writing and made available to the ICO on request. Practically, this means that they should be easily accessible and in a format which can be easily disclosed to the ICO. The ICO says that the information must be documented “in a granular and meaningful way”. It has produced basic documentation templates to assist controllers and processors. The ICO’s detailed guidance on documentation sets out examples of what would and would not meet GDPR documentation requirements.
Records of processing activities must be in place by 25 May 2018. They will need to be regularly reviewed and updated, particularly after any significant changes to systems, procedures or the introduction of new products and services.
Organisations should: identify who within the business is responsible for collating and updating records and responding to ICO requests; and factor in the cost of any required changes to systems to create records, the cost of regular reviews, and the annual data protection fee payable to the ICO (see our separate briefing for details).
The ICO says that, in addition to ensuring and demonstrating compliance with other aspects of GDPR (such as drafting privacy notices, responding to data subject access requests and taking stock of processing activities), documentation can also improve data governance and increase business efficiency.
The new documentation requirement under GDPR is part of the universal principle of accountability, which requires organisations to demonstrate that their processing of personal data is GDPR-compliant. The ICO recently expanded the accountability and governance pages of its Guide. These set out, among other things, the technical and organisational measures that organisations can (and, in some cases, must) take to meet accountability requirements. Maintaining documentation of processing activities is one of these. Others include: adopting and implementing data protection policies; implementing appropriate security measures; and putting written contracts in place with data processors.