When do small organisations have to keep a record of processing activities?

September 13, 2017

If you process personal data as an organisation, it is often mandatory under the General Data Protection Regulation (GDPR) to keep a record of processing activities. A misunderstanding that exists among a lot of people is that the obligation of a record of processing activities only applies to bigger companies. This is not true. Also smaller organisations need to comply with this obligation.

It is not only an obligation to maintain a record of processing activities. Additionally, it is an indispensable measure to get an overview of all the data processing and to maintain an overview of the data processing activities within your organisation. Only with a clear overview of your processing activities can you make steps towards privacy compliance. How can you otherwise effectively respond to a request of access or erasure by the data subject? As an organisation, it is important to know when you meet the requirements of the record of processing activities to be able to avoid high fines.

The GPDR states that organisations with less than 250 employees are not required to maintain a recording of processing activities, unless the organisation processes data which is:

  1. likely to result in a risk for data subjects;
  2. not occasional;
  3. data on criminal records, or the processing includes special categories of data, such as data about health or religion.

If you only process data occasionally, you are not obliged to maintain a record of processing activities. An example of an occasional processing is a marketing department which sends a notification on an address change of the organisation to all the clients. Only processing activities which happen occasionally (once or twice a year) are excluded from the record of processing activities.

This means that most of the smaller organisations must comply to the record of processing activities, as most of the smaller organisations do not only process data occasionally, but on a structural scale. For example, the data processing when hiring new employees or the customer service telephone traffic constitutes processings on a structural scale. As an organisation, you need to be up-to-date with all the processing activities within your organisation. Furthermore, it is important to be informed of all the obligations under the GDPR that apply to your organisation to avoid surprises.

Director Germany