Why record keeping is the cornerstone of data protection

January 2025

Records of Processing Activities

No one ever wrote a thriller about record keeping. Denzel, Keanu, Keira and Brad are not required on set. But here’s why we should give it due attention.

Put simply, without adequate records it’s difficult to demonstrate compliance with data protection legislation (GDPR and UK GDPR). Records are core to meeting the accountability principle, i.e. being ready and able to demonstrate evidence of compliance.

Let’s step back for a moment. Each organisation needs to know what personal data they hold, where it’s located and what purposes it’s being used for. Only then can you be sure what you’re using it for is fair and lawful, and gain confidence you’re meeting other GDPR obligations.

To put it another way, how confident is your organisation in answering the following questions?

  • Do we know what personal data we hold, its sensitivity and all the systems it’s sitting on – including data shared with third parties?
  • Do we know all purposes for processing?
  • Have we determined an appropriate lawful basis for each purpose? And are we meeting the specific requirements for that basis?
  • When handling special category data, have we also identified a special category condition?
  • Have we confirmed how long we need to keep the data for each purpose?

All of the above feed into transparency requirements, and what we tell people in our privacy notices.

In my opinion, you can’t answer these questions with confidence unless you map your organisation’s use of personal data and maintain a central record. This may be in the form of a Records of Processing Activity (RoPA).

Okay, so the absence of data protection records might only come to light if your organisation is subject to regulatory scrutiny. But not putting this cornerstone in place could result in gaps and risks being overlooked – which could potentially materialise into a serious infringement.

In my view, a RoPA is a sensible and valuable asset for most organisations. I fully appreciate creating and maintaining a RoPA can feel like a Herculean task, especially if resources are overstretched. That’s why we often recommend taking a proportionate and achievable approach, focussing on special category data use and higher risk activities first. Then build on this foundation when you can.

RoPA requirements under GDPR & UK GDPR

The requirements apply to both controllers and processors and include keeping records covering:

  • the categories of personal data held
  • the purposes of processing
  • any data sharing
  • details of transfers to third countries, including a record of the transfer mechanism safeguards in place
  • retention periods
  • the technical and organisational measures used to protect the data

and more…

Do you employ less than 250 people?

If so, record keeping requirements may be less stringent. But you’ll still be required to maintain a RoPA if:

  • your processing of personal data is not occasional
  • your processing is likely to result in risk to the rights and freedoms of individuals
  • you process special category data (e.g. health data, ethnicity, trade union membership, biometrics and more)
  • you process personal data relating to criminal convictions and offences.

You can read more about the requirements in ICO records of processing guidance.

Benefits of Record Keeping (RoPA)

Here are just some of the benefits you can get from your RoPA.

1. Understanding the breadth and sensitivity of your data processing.

2. Visibility of where data protection risks lie. This will help establish priorities and focus efforts to tackle key risks.

3. Confidence your activities are lawful and meet specific regulatory requirements.

4. Tackle over retention of data – it’s a common challenge. By establishing your purposes for processing personal data, you can determine how long you need to keep that data. Then you can take practical steps to delete any data you no longer need.

5. Transparency – An up-to-date RoPA feeds into your privacy notice, making sure the information you provide accurately reflects what you are really doing.

6. Data breaches – Your RoPA should be the ‘go to’ place if you suffer a data breach. It can help you to quickly identify what personal data may have been exposed and how sensitive the data is, which processors might be involved and so on. This helps you to make a rapid risk assessment (within 72 hours) and to make positive decisions to mitigate risks to protect individuals.

7. Supply chain – Keeping a record of your suppliers (‘processors’) is a key aspect of supplier management along with due diligence, contractual requirements and international data transfers.

8. Privacy rights – If you receive a Data Subject Access Request, your records can help to locate and access the specific data required to fulfil the request. If you receive an erasure request, you can quickly check your lawful basis for processing and see if the right applies, and efficiently locate what systems the data needs to be deleted from.

Tips to get started

Here are a few very quick tips on how to commence a RoPA project or breathe new life into an outdated spreadsheet you last looked at in 2018!

Who?

No DPO or data protection team can create and maintain these records on their own – they need support from others. Enlist the support of your Senior Leadership Team, as you’ll need them to back you and drive this forward.

Confirm who is, or should be, accountable for business activities which use personal data within all your key business functions – the data owners. For example, Human Resources (employment & recruitment activities), Sales & Marketing (customer/client activities), Procurement (suppliers), Finance, and so on. Data owners are usually best placed to tell you what data they hold and what it’s currently used for, so get them onside.

What?

Make sure you’re capturing all the right information. The detail of what needs to be recorded is slightly different if you act as a controller or processor (or indeed both). If you need to check, take a look at the ICO guidance on documentation.

When?

There’s always some new system, new activity and/or change of supplier, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need to carry out a Data Protection Impact Assessment or Legitimate Interests Assessment. Good stakeholder relations can really help with this.

In conclusion, record keeping might not win many Oscars, but it really is the cornerstone of data protection compliance. Adequate records, even if not massively detailed, can be really beneficial in so many ways, not just if the ICO (or another Data Protection Authority) comes calling.