Records of Processing Activities

In order to demonstrate compliance with the GDPR, the controller or processor must maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records available to it on request, so that they can be used for monitoring those processing operations.

This requirement does not apply to an enterprise or an organisation employing fewer than 250 persons UNLESS:

the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects;
the processing is not occasional; OR
the processing includes special categories of data (sensitive data) or personal data relating to criminal convictions and offences;

However, data protection authorities do encourage ALL organisations to maintain this report as a matter of good governance.

The GDPR compliance app uses your data mapping input to partially complete your records of processing, but you will need to add further details around the security of processing, and for this you may need to get assistance from the IT folk. You will also need to provide information if your organisation acts as a processor.

Where an activity is considered a ‘Risk’

An activity is considered a risk where the processing requires protection against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. These activities include, but are not limited to, profiling; the collection and use of sensitive personal data and the personal data of children.

The impact of this risk to individuals could result in physical or material damage; discrimination, identity theft or fraud; financial loss; damage to reputation; revealing of sensitive details such as political persuasion or even lack of access to individuals’ personal data.

Where an activity is considered ‘High Risk’

High-risk processing activities are likely to require a data protection impact assessment and possible prior consultation with a supervisory authority. These activities include, but are not limited to, large scale data processing which could affect a large number of individuals; regular and systematic monitoring; and the transfer of personal data to countries which don’t have adequate data protection.

Examples of ‘high-risk’ data processing

‘Large scale data processing’ – the processing of:

patient data in the regular course of business by a hospital;
travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities;
customer data in the regular course of business by an insurance company or a bank;
personal data for behavioural advertising by a search engine;
data (content, traffic, location) by telephone or internet service providers;

‘Regular and systematic monitoring’

operating a telecommunications network;
providing telecommunications services;
email retargeting;
profiling and scoring for purposes of risk assessment (e.g. credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering);
location tracking, for example, by mobile apps;

Special categories of data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.
