GDPR Register – Record of Processing Activities
GDPR requires all firms to maintain a ‘record of processing activities’, often referred to as GDPR Register. Your GDPR Register must contain a list of all processing your firm undertakes on any personal data. The personal data could be those of your customers, staff, suppliers, partners etc. and all should be included in the Register. You should maintain separate registers for those activities where you are the Data Controller and those where you are a Data Processor.
By keeping an internal personal data register, you can achieve two goals at once. Because you record all your personal data activities in the register, you are making the first and most important step in complying with your GDPR obligation for transparency.
Secondly, keeping such a register is also legally required. As soon as you have one customer, supplier or staff member, you must maintain a data register. The regulator will always ask to see your register if they come knocking on your door.
There is no official sample document or model of the data register, but do check your national data privacy authority website for guidelines on the format of the register and the information to be included.
Alternatively, you can join GDPRWise, where you can generate your GDPR Register in a single click once you have validated the filled-in dossier we create based on your industry sector and country of registration. Many companies are not yet compliant with the new European privacy rules (GDPR). Some have quickly picked a privacy statement from the internet and put it on their website, but that is not enough to meet the documentation obligation.
What should be in your GDPR register?
First of all, you must include the contact details of the controller. That is the company that is ultimately responsible for the personal data. If you have appointed a Data Protection Officer or GDPR coordinator you need to mention this as well.
Make sure you list:
- Whose data do you process? (customer, staff, third party,…)
- What personal data do you process? (name, home address, e-mail address,…)
- Why do you process the data? (customer invoicing, customer correspondence, staff hiring,…)
- What legal basis do you use for the processing? (e.g. consent, execution of contract, legitimate interest)
- With which third parties do you share the data? Third parties inside or outside the EU?
- How long do you keep the data?
- What measures do you take to keep the data safe?
Once you have your register, save it in a central GDPR dossier where you collect everything concerning your GDPR requirements. This way you can easily show that you take privacy seriously. Also make sure to update the register regularly: it must always reflect the way your organisation handles data.