Keeping appropriate records of processing activities means keeping a record that contains all the information set out in Article 30(1)(a)-(g) of the GDPR.

 

These records have to be kept by most data controllers under the GDPR.

 

CQS practices have an additional requirement of keeping a record of the lawful basis on which they are processing each category of data set out in Article 30(1)(c).

 

For processing of data to be lawful, at least one of the grounds set out in Article 6(1)(a)-(f) must be met; for processing of special categories of personal data as defined in Article 9(1) to be lawful, one of the grounds in Article 9(2)(a)-(j) must be satisfied.

 

The record of the lawful basis for processing may be kept as part of the Article 30 record. Article 30(1)(f) requires data controllers, where possible, to keep, as part of the record, the envisaged time limits for erasure of the different categories of data. CQS regards this obligation as important and there is a high expectation that it should be possible to identify envisaged time limits for most categories of data. Where it is not possible, CQS practices should provide a clear justification.

 

The requirements for the provision of information to data subjects are set out in Articles 13 and 14 of the GDPR.

 

Assessors may request a copy of these records and confirm that they have been completed in respect of each of the requirements set out in Article 30(1)(a)-(g).

 

Any apparent omissions may be clarified with the DPO or other person responsible for data protection compliance.

For assistance and training on GDPR and Core Practice Management Systems please contact us on GDPR@woolvenandbrown.co.uk