GDPR toolkit


Record of processing activities

Do you have a clear overview of the personal data you are processing?

What you need to know.

A novelty introduced by the GDPR is the obligation of each company to maintain a record of its processing activities. Even SMEs are required to do so, for instance with regard to their customer and personnel management.

Companies must be aware that the record kept of such processing activities serves as the first source of information for the supervisory authority. The record also functions as a company’s primary evidence to demonstrate GDPR compliance. Furthermore, because such a record requires detailed data mapping, it allows companies to assess their processing of personal data as well as their compliance with other obligations under the GDPR.

What you need to do by 25 May 2018. 

In our previous Countdown, we explained the need to identify all of the purposes for which your company processes data. This enables you to identify the different processing activities of your company.

Such processing activities are the basis for your company’s record. Per processing activity that is identified, the record must indicate (as a minimum) the categories of data subjects involved, the categories of personal data processed, the location of the data (storage), the categories of recipients, the retention period and all measures taken with a view to limiting security threats.

With respect to the chosen format, you can resort to several digital GDPR tools. However, an Excel file also suffices, especially if your company processes data on a small scale. Note that the record must be maintained electronically. Inspiration can be drawn from the template provided by the Belgian Commission for the Protection of Privacy (currently only available in Dutch and French).

Be aware that the record is a living instrument and must always be updated for new processing activities.

Please consult our website or contact one of our team members if you have questions or require more information: