Introduction to this document

Record of personal data processing activities

Use our document to keep a written record of your processing activities for employee-related personal data as required by the UK GDPR. Your record must incorporate certain minimum information.

Processing record

The UK GDPR imposes a specific obligation to maintain a written record of your processing activities, which must include:

  • names and contact details of the data controller, i.e. the business, any joint controller, your representative and the data protection officer (if applicable)
  • a description of the categories of personal data
  • the purposes of the processing
  • a description of the categories of data subjects
  • a description of the categories of recipients to whom the personal data has been or will be disclosed
  • where applicable, information about transfers to third countries or to international organisations (including details of appropriate safeguards applied)
  • where possible, the envisaged time limits for erasure of the different categories of data
  • where possible, a general description of the technical and organisational security measures adopted.

Our Record of Personal Data Processing Activities includes columns for you to insert information on all these matters. We’ve also included some common examples of the types of employee personal data that you’re likely to process, such as basic personal information and contact details, recruitment records, employment contracts, financial and tax information, disciplinary, grievance and capability records, appraisals, leave and absence records and termination of employment documentation. However, our examples are not intended to be exhaustive, so you will need to add or amend information in your own record as is relevant to your data processing activities. We’ve also included some guidance notes to further help you with completing the columns. Once you’ve completed your record, do regularly review it to ensure it continues to accurately reflect your data processing activities.

Lawful processing

Processing of personal data, special category personal data and data on criminal convictions and offences is only lawful where you have a lawful basis for it. These bases are set out in the UK GDPR. For special category personal data and data on criminal convictions and offences, you also need to have an additional lawful condition for processing. You don’t have to specify which lawful basis or additional lawful condition for processing you’re relying on in your record of processing activities. However, we have included two columns for this (one for personal data and one for special category personal data or data on criminal convictions and offences), as it ensures that you’re clear about what your lawful basis or additional lawful condition is, helping you to comply with the UK GDPR’s “accountability” requirements relating to the lawfulness of processing.