Need help? Call 0345 838 4074 Register Login

Documenting processing activities

You have an obligation to be accountable under the General Data Protection Regulation (GDPR) i.e. being responsible for, and being able to prove, compliance with the GDPR. Having written records and other documents will help you achieve this.

Documenting processing activities

Businesses with fewer than 250 employees only need to document processing activities that:

  • are not occasional; or
  • could result in a risk to the rights and freedoms of the tenant whose information is being processed; or
  • involve the processing of special categories of data (previously called sensitive data) or criminal conviction and offence data.

You must document the following information for the above processing activities:

  • The name and contact details of your organisation (and where applicable) other controllers, your business's ICO representative and your data protection officer.
  • The purpose and lawful basis of your processing.
  • A description of the categories of individuals being processed.
  • The categories of recipients of the personal data.
  • Details of your transfers of personal data to other organisations and countries outside the EEA (being Norway, Liechtenstein, Iceland and all the countries in the EU) including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

Documents and records

Examples of other documents that will help you achieve your duty of accountability, include:

  • Records of processing activities. The Information Commissioner's Office (ICO) has a template you can use to do this.
  • The privacy notices given to tenants.
  • A data protection policy.
  • Records of any consents you've obtained.
  • Any contracts you have with external reference agencies that you have shared the tenant information with (it should state how they will use and protect the tenant's personal information).

The ICO may request you to provide your records. The records, which should reflect your current processing activities, should be kept up to date and in writing. They can be held electronically. See the ICO website for more information.

What is the law guide

The Desktop Lawyer law guide aims to present the law to you in a comprehensive yet jargon-free and easy-to-read format. Our law guide is constantly kept up to date with changes in business and family law by our team of in house solicitors, and includes information across all the legal jurisdictions in the UK.

Our law guide is free to use. Where we provide documents related to this area of law, or where they may help you with any legal issue in this area, they will be listed to the right of this message.

Explore law guide