Key points:
- A GDPR register lists all data processing activities;
- It is mandatory for many organisations that handle personal data;
- Its contents must be updated as soon as any processing activity changes;
- It is a management tool designed to secure your data and improve your internal processes.

Are you looking to set up a GDPR register within your organisation? This document enables you to centralise all your personal data processing activities so that you can manage your strategy and remain compliant with your data protection obligations. Reveals explains how to create and maintain a record of processing activities.
What is a data processing register?
Governed by Article 30 of the General Data Protection Regulation, the record of processing activities (also known as the GDPR record) is an internal document that centralises all the procedures through which your organisation collects, uses and manages personal data. It provides you with a comprehensive overview of your processing activities, enabling you to identify practices that need to be improved and to verify that each procedure put in place is genuinely useful and relevant to your organisation.
It is a key document for ensuring compliance with the principle of accountability. It lists all the measures implemented by your company to comply with the obligations of the GDPR. It is one of the first documents requested during inspections by the CNIL (French Data Protection Authority). It enables you to demonstrate that you comply with European regulations on the protection of personal data.
Note that there are two types of register:
- A register for data controllers;
- A register for data processors.
If your company is both a data controller and a data processor, you will need to maintain two separate registers. This situation is particularly common among HR firms and IT service providers.
Good to know: you can find a downloadable example of a simplified GDPR processing register on the CNIL website.
Who is required to keep a GDPR record?
In principle, all organisations that collect personal data (from their employees, customers, suppliers, etc.) are required to maintain this record of processing activities. However, the regulations provide for exemptions for organisations with fewer than 250 employees.
Such organisations are nonetheless required to maintain this register when they process data of a sensitive nature (health, biometrics, etc.) that may pose a risk to personal freedom. If you are unsure about the nature of the data you manage internally, the CNIL recommends that you include this information in your register. In fact, if you work in a financial institution, it is still necessary to create and regularly update this document even if you are a small independent organisation (such as a brokerage firm).
What is the value of this document for businesses?
Comply with GDPR regulations
Since 2018, all organisations collecting data from European residents have been required to comply with the General Data Protection Regulation. When you collect and process personal information (such as your customers’ names and contact details), you must put in place all necessary measures to protect it.
The processing activity register formalises this approach. By documenting exactly why and how each type of information you use is processed, you have a solid basis for demonstrating your compliance.
Identify the data most at risk
Sensitive data requires the implementation of advanced security measures. Because the record identifies which data is sensitive, it enables you to tailor your approach according to the level of sensitivity.
It is important to ensure that only authorised personnel have access to it. You can also implement advanced security measures, such as encrypting your data or strengthening the security of your servers and IT network.
Check that your data is actually useful to your business
Your organisation is required to comply with the principle of data minimisation. This means that you must only process information that is relevant to the fulfilment of a legitimate, explicit and specific purpose. If certain data is not justified, you must delete it.
Reveals supports you in strengthening your data governance. We help you structure areas of responsibility and implement appropriate management systems. Discover our data governance advisory services to structure and manage your data.
How do you create a record of processing activities?
You are free to create a record either in electronic or paper format. However, it must include certain essential information.
The data controller’s record
Your record lists all processing activities in the form of individual entries.
Each entry must include the following details:
- The name of the processing activity;
- The name and contact details of the data controller responsible for the processing activity, as well as those of the company’s Data Protection Officer (DPO), where applicable;
- The purposes of the processing activity (specifying the primary purpose and any secondary purposes);
- The categories of personal data involved in the processing activity;
- The categories of data subjects (who the information relates to);
- The recipients of the data (including processors);
- The list of security measures implemented to protect the data;
- Any data transfers carried out;
- The planned retention periods.
The processor’s record
If you also process your clients’ data, you must maintain a record of categories of processing activities.
Each entry must contain the following information:
- The name and contact details of your organisation;
- The name and contact details of your client, their data controller and, where applicable, their representative;
- The name and contact details of your processors (where applicable);
- The categories of processing activities concerned;
- The security measures implemented;
- Any transfers of data to a third country or international organisation, along with the associated safeguards.
You may supplement this record with any information you consider useful.
How should you maintain and update your GDPR record?
This record is maintained by the data controller, a processor or the Data Protection Officer (DPO), if the organisation has one.
When creating it, all activities involving the use of personal data should be identified. Within a company, this may include recruitment, HR management, payroll management, customer portfolio management or employee training.
To begin your initial assessment, contact all departments and individuals within your organisation who use personal data. You should also review your website to identify all information collected through online forms.
Next, list all activities involving personal data. You can then complete one entry per activity and gain a clear overview of all processing operations carried out within your organisation.
Finally, assess the risks related to data security in order to implement the necessary actions to remain compliant with the GDPR.
And remember to update this record whenever a process changes. Any modification must be recorded to ensure the accuracy of the document.
Who should this personal data record be shared with?
This is an internal company record. However, it may be requested by the CNIL as part of a GDPR compliance inspection. During such an inspection, the authority verifies that the procedures in place guarantee the security of personal data during processing.
Implementing a GDPR record is an essential step for any organisation that processes personal data. Beyond regulatory compliance, this document provides a clear overview of your practices, helps identify areas for improvement and strengthens the security of your processing activities. Reveals supports businesses in implementing governance policies tailored to their needs in order to secure and fully leverage their data. Contact us to deploy a control and monitoring framework adapted to your organisation.
Q&A
What GDPR records are mandatory?
There are two types of data processing records: the record maintained by the organisation collecting the information and the record maintained by processors. Where an organisation performs both roles, it must maintain two separate records.
How often should the record of processing activities be updated?
It must be updated whenever a data processing procedure changes.
What are the penalties for failing to maintain a processing record?
If an organisation processing personal data fails to maintain a GDPR record in accordance with European regulations, it may face a fine of up to €10 million or up to 2% of the company’s annual worldwide turnover.