A guide to GDPR Article 30 – Records of Processing Activities
What are you doing with my data?!

Under the GDPR, if you process data more than occasionally, you’re going to need to keep some pretty detailed records about what you’re doing with your data.

Article 30 of the GDPR says that every data controller and processor must keep “records of processing activities.”

Now, this doesn’t mean that you need to be recording that on 28th February, you changed Mr Smith’s address from 14 Gerbil Avenue to 21 Hamster Road. So, what do you need to record?

Well, first, a few basics. The GDPR has different requirements depending on whether you’re a Controller or a Processor.

Are you a Controller or a Processor?

Here’s how to tell: if you’re the ones who decide what purpose data is being collected for, or how it’s being collected, that makes you a controller. If you’re just doing the processing on behalf of, and under instruction from, some other organisation, that makes you a data processor.

Don’t forget that it’s more than likely that many organisations will be both controller and processor – controlling some data and processing other data, or both controlling and processing the same data.

The following requirements apply to both data controllers and data processors. You must record:

  1. Your company’s details, and the contact details of your Data Protection Officer (if you have one), and, if your company is not itself within the EU, your designated representative in the EU.
  2. A general description of the security measures you’ve implemented, both technical (such as encryption) and organisational (such as restricting who has access to your systems), in order to protect the data
  3. If you’re ever transferring data outside the EEA, you’ll need to document where you’re transferring data to, and the safeguards in place to protect that data (there’s a whole section in the GDPR regarding international transfers of data – if this affects you, you should be Googling GDPR Articles 44 to 50. Other search engines are available, apparently.)

At that point, things differ depending on what role you have.

So you’re a controller…

If you’re the controller, as it’s you that determines the purpose of the data processing, you’ll need to describe that purpose.

Additionally, you will also need to record the types of people whose data you’re working with, and the types of data you’re working with.

Perhaps if you’re running a doctor’s surgery, your record of processing activity might state that you’re recording information about patients of the surgery, and that the categories of data being processed include:

  • essential contact information
  • next of kin details
  • detailed health information
  • genetic information
  • information about a patient’s personal circumstances, such as family ties or lack thereof

Alternatively, if you’re recording processing activity at an insurance company you might state that you’re processing records of

  • Your clients, including home-owners, drivers, owners of electronic gadgets and equipment, and others requiring insurance
  • People who are not clients, but who have direct interaction with your clients, such as third parties in the event of accidents, or legal professionals offering advice to your clients

And you might record that the data being processed includes

  • Personal contact details
  • Driving history
  • Claims history
  • Financial information, including late payments of premiums
  • Medical history, for those clients who have medical insurance

…and so on.

If you’re a controller, you’ll also need to record the types of recipients to whom you’re going to be disclosing data, including any that are abroad, as discussed earlier.

This might include other insurers, credit reference agencies, other medical establishments or supervisory bodies.

Finally, if you’re a controller, you’ll need to document the length of time you plan to keep each category of data before erasing it.

So you’re a processor…

Firstly, congratulations – you’re not going to have to record those things listed in the section about controllers. But the bad news is that there are a number of things that need to go in your documentation instead.

Firstly, if you’re a processor, you need to record the names and contact details of the controller on behalf of which you’re processing data. You’ll need to record details of the controller’s DPO, if they have one, and their representative, if they’re not based in the EU.

Whilst this might sound simple at first glance, the average processor (such as a marketing agency, a database design company, a web advertising company and so on) will no doubt be processing data on behalf of numerous clients. And these details must be recorded for every controller on behalf of which the processor is processing data.

Processors must also document the categories of processing being carried out on behalf of each controller. The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” – so that’s quite a set of boxes you’ll need to tick. I’d suggest an “all of the above” box might be needed…

Can I keep oral records in the grand tradition of my parents, and my parents’ parents, and my parents’ parents’ parents?

Nope. The GDPR dictates that these need to be written records – INCLUDING in electronic form. That implies in both written and electronic form – although I think you could get away with keeping these records in electronic form, and then printing them as and when required.

When would that be required?

Well, Article 30 says that these records must be made available to the local supervisory authority (the Information Commissioner’s Office in the UK) on demand. So, make sure there’s toner in that printer if they come knocking…

Hang on – I heard I don’t need to do this if we’re a small company

Hmmm… Not so fast. Yes, Article 30 says that these requirements don’t apply to organisations of under 250 employees. But then it says the dreaded word “Unless”.

  • Unless the processing you’re doing results in a high risk to the rights and freedoms of data subjects. So, if you’re that doctor’s surgery, or if you’re a charity with data regarding people who’ve suffered abuse, or you hold information about the financial dealings of your data subjects – you’re probably covered by this requirement
  • Or, unless the data you’re processing includes “special category” data – that’s broadly data relating to health, beliefs, sexual orientation and suchlike (take a look here for a complete list)
  • Or, unless your processing is not “occasional”

And for very many organisations, however small, data is processed far more than “occasionally” these days. So, sorry, but I think you’re likely to have to comply.

But, like much of the GDPR, the best way to approach it is as an opportunity. If you can get ahead of the game, if you can confidently state that you do keep such records, that you do comply with both the letter and the spirit of the GDPR, you’ll almost certainly be in the minority, at least for a good while.

And when your prospective customers come to choose a company they’d trust to do business with, that could really set you apart from the crowd.

Remember – if you or your organisation need training in GDPR, we’re here to help.

Just visit www.theitservice.co.uk/gdpr for more information.

Published October 12th, 2017 | GDPR, Training | 3 Comments

About the Author:

Andrew Richards is the Managing Director of TheIT Service. His background in training goes back to 2000, and he was involved in IT networking and support beyond that. Now he spends his time living and breathing the GDPR (fun!) and building databases. When not doing these things, he can be found attempting to train his various sheep and chickens.


  1. Ana January 18, 2018 at 1:34 pm - Reply

    We have 60 employees in our company and we don’t process data that can result in a high risk to the rights and freedoms of data subjects. But we do obviously store personal information for administrative, legal, payroll and training reasons. Even though our data is not processed occasionally, would we still have to comply with the GDPR requirements?

    Thanks for your help and for a brilliant insight into what’s coming next!

    • Andrew Richards January 18, 2018 at 3:10 pm - Reply

      Hi Ana
      Yes, I’m afraid so. I was going to ask whether you meant “comply with [ALL] the GDPR requirements” or specifically those requirements relating to the Article 30 requirements. But unfortunately, the answer in either case is “Yes, you have to comply”.
      With the GDPR as a whole, because, well, why wouldn’t you, as an organisation within the EU, processing data of data subjects within the EU.
      And with the Article 30 requirements, because as you said, the processing is not occasional.
      So, sorry to be the bearer of tedious news, but glad you liked the blog article!

  2. mark January 22, 2018 at 2:35 pm - Reply

    Hi, we have a small company with 30 employees and the only data that we process is company information relating to trade accounts, such as company address and emails, phone nos. etc. We also have a website that customers can request quotes from; here we only store email addresses, delivery addresses and billing addresses, and any sensitive payment info is held with our payment merchant. I have a couple of questions though: do we need to obtain permission to hold the info of all our existing customers that we have on our current Sage accounting system, or is this just going forward with new trade accounts etc.? As we are a small company of less than 250, do we come under the “unless your data processing is occasional” rule? The question is how to define occasional. We don’t hold any sensitive info. Any help would be most appreciated.

    Thanks for the article
