
Data Protection Toolkit - Document your processing activities

13 May 2018
It is a legal requirement of the General Data Protection Regulation (GDPR) to keep a clear record of your processing activities. This resource explains what to do and provides templates for you to get started.

Contents

  • What you need to do and why
  • What activities need to be documented
  • Where to record your register
  • What you need to record
  • How you do it
  • More information

What you need to do and why

Article 30 of the GDPR outlines the records of processing activities that controllers and processors need to maintain in a written and electronic format.

This means that where you are collecting, storing, sharing, using or transferring some sort of personal data, you consider and record the details of how it meets the data protection principles. This is so that the processing can be shown to be compliant with the Regulation.

It is a legal requirement to provide these records to the Information Commissioner's Office if they ask, so make sure that they're complete, accurate, up-to-date, and that you know where they are.


What activities need to be documented

Unless you're a particularly large community or voluntary organisation (with more than 250 employees), you are required to document only your regular activities, as well as any processing of particularly sensitive information.

So, if there are instances where you process personal data but it's a one-off ("occasional") you don't need to document it, unless it involves special category or criminal convictions data.

The level of detail required is not overwhelming. You don't need to make extensive records of all the actions that you take with the data. The documentation is more for providing a summary of what's involved in each case. Of course, if you find it useful for your own record-keeping purposes, you can go into much more detail.


Where to record your register

The Regulation says only that the records should be in a written and electronic form. The most straightforward way is to keep a spreadsheet with the details of the types of personal data you process.

The full accounts are not required to be publicly accessible, though much of the type of information that you're recording here will go into your privacy notice (in clear and plain language) so that data subjects have the background they need to make informed choices, and to demonstrate your transparency.

You should maintain these records to cover the processing activities that you undertake after 25 May 2018. If you cease an activity at some point in the future, keep the record but note when you stopped. And if you start a new activity or use some of the personal data that you have already in a substantially new way as part of your regular activities, then you should also record that.


What you need to record

For controllers, Article 30(1) specifies that for each processing activity you should record:

  • brief description of the data subjects. You can categorise groups such as employees, regular clients, business contacts, etc.
  • types of personal data (category), noting in particular if any special category data is included.
  • what the data is used for (purpose). If you can't identify a purpose for having some personal data, you really shouldn't have it.
  • the lawful basis for the processing activity. If you haven't previously considered this, it might take some more time to determine.
  • how the data is obtained. Is it from the person themselves, or somewhere else?
  • who the data is shared with (recipients). The types of recipients, but if you can be more specific and name the organisation, even better.
  • how long it's held for. Either you have a definite time limit (e.g. years, months, days) or a retention policy that informs when something will be deleted.
  • briefly, your security measures. Don't put too much detail as it might be of interest to hackers!

As well as this, your record should include the name and contact details for the controller—in most cases, that will be your own organisation. It might seem as if this would be obvious, but it is specifically required to be included in the register. If there is a joint controller for some of the data, make sure that other organisation's information is also included.

If you transfer data to any non-EU member country (known as a 'third country'), you need to record that in this register as well as describing the safeguards involved—as the personal data will be processed somewhere that is not governed by a similar data protection framework. Familiarise yourself with Chapter 5 of the GDPR if this is the case, as there are legal obligations you need to be aware of.

Though Article 30 doesn't actually say that you need to record the lawful basis, it's a good practice nonetheless. This means you can be clear with yourself on the most important data protection principle (fair and lawful processing), and can see if there are any gaping holes in compliance.

If you're a processor in the case of a set of personal data, you only need to record a few things, but record them you must. Article 30(2) tells you what they are.


How you do it

We've created a Personal Data Register for Controllers template to help you get started. The spreadsheet contains fields to fill in to meet the requirements for documentation.

  • First, consider all of the different ways in which you process personal data. Try to break this down into distinct categories of data. If you're a medium or larger organisation and this seems like a huge task, consult with your colleagues in various business areas to make sure that all the knowledge is covered, or undertake an information audit.
  • For each of the activities identify if you are the controller (your organisation makes the decision on the means and purposes of the processing) or the processor (if you process personal data on behalf of a controller).
  • Don't forget that the record needs to cover all personal data that you have—your staff, volunteers, any donors, business contacts, people who've applied for jobs, and visitors to your website, as well as the people who your charitable work helps.
  • For each of your data subjects start to break down the data that you have on them into categories. For example, for your own employees you'll have their contact details, payroll, bank, tax, pension, attendance and performance details.
  • The level of granularity is important. It may be that you use the same category of data for more than one purpose. In this case, record the details for each purpose. If there are distinctions within how one type of data is used, don't try to fit it all in one line—break it down.
  • Keep this register under review. If your organisation starts new processing activities, or changes the purpose of its current activities, then update the register.

Alternatively, use the ICO's templates for controllers or processors.

You can take your own approach to keeping written electronic records if you'd like to do things your own way. They don't have to be in a spreadsheet format the way these templates are, but make sure that the information required by Article 30 paragraphs (1) and (2) - for controller or processor where relevant - is included.


More information

The ICO has produced detailed guidance on documenting processing activities as part of their Guide to the GDPR.
