Record of data processing activities

The data processing record is at the core of the GDPR. It identifies your personal data processing activities and allows you to monitor compliance.

The record is designed to ensure full protection of the personal data processed by your organisation, and to help you protect individual rights and freedoms.

Article 30 of the General Data Protection Regulation requires that public and private organisations keep a record of their data processing activities.

The goal of this record is to make organisations accountable, and to allow them to demonstrate compliance.

All data controllers and their processors are required to keep a record of their processing activities. Organisations with fewer than 250 employees may be exempt from this obligation.

Data mapping allows you to monitor your compliance and regularly update the record of processing activities. The record allows organisations to take stock of their compliance and to take actions to ensure it is maintained.

It allows your organisation to respond to any situation, and will help you in the essential task of protecting the rights of data subjects and their privacy.

To build a faithful record of your personal data processing activities, you must be methodical and organised. All processing activities must be listed and described in detail. This means identifying each processing activity, determining whether it concerns sensitive data, describing its purposes, persons and/or entities involved (Data Protection Officer, Data Controller, service providers, etc.), whether there are data transfers and what their legal basis is (consent, contract, etc.), where the collected data comes from, and more.

For best results, you are advised to begin by mapping your data processing activities.