Introduction to this document

Record of personal data processing activities

Use our document to keep a written record of your processing activities for employee-related personal data as required by the GDPR. Your record must incorporate certain minimum information.

Processing record

There’s a specific obligation in the EU General Data Protection Regulation (GDPR), which came into force in the UK on 25 May 2018, to maintain a written record of your processing activities, to include:

  • names and contact details of the data controller, i.e. the business, any joint controller, your representative and the data protection officer (if applicable)
  • a description of the categories of personal data
  • the purposes of the processing
  • a description of the categories of data subjects
  • a description of the categories of recipients to whom the personal data has been or will be disclosed
  • where applicable, information about transfers to non-EEA countries or to international organisations (including details of appropriate safeguards applied)
  • where possible, the envisaged time limits for erasure of the different categories of data
  • where possible, a general description of the technical and organisational security measures adopted.

Our Record of Personal Data Processing Activities includes columns for you to insert information on all these matters. We’ve also usefully included some common examples of the types of employee personal data that you’re likely to process, such as basic personal information and contact details, recruitment records, employment contracts, financial and tax information, disciplinary, grievance and capability records, appraisals, leave and absence records and termination of employment documentation. However, our examples are not intended to be exhaustive, so you will need to include such additional or amended information in your own record as is relevant to your data processing activities. We’ve also included some guidance notes to further help you with completing the columns. Once you’ve completed your record, do regularly review it to ensure it continues to accurately reflect your data processing activities.

Lawful processing

Processing of personal data, and of special categories of personal data and data on criminal convictions and offences, is only lawful where you have a legal basis for it, and these bases are set out in the GDPR. You don’t have to specify which legal basis for processing you’re relying on in your record of processing activities, but we have included two columns for this (one for personal data and one for special categories of personal data or data on criminal convictions and offences) as it ensures that you’re clear about what your legal basis is, helping you to comply with the GDPR’s “accountability” requirements relating to the lawfulness of processing.