How detailed should the processing register actually be?

In general terms, detailed, or it depends?

The processing register is often completed per process. The level of detail that you use depends on a number of factors. In any case, it is advisable to use a more detailed elaboration as the data become more sensitive.

In any case, the following must be included in a register:

  • your name and contact details;
  • the name and contact details of parties with whom you have a joint processing responsibility (if applicable);
  • the contact details of your data protection officer (if applicable);
  • the processing purposes;
  • a description of the categories of persons involved;
  • a description of the categories of personal data;
  • the categories of recipients (if applicable);
  • transfers to a third country (if applicable);
  • retention requirements;
  • a general description of the technical and organisational security measures.

If you are going to construct the register, then also take a good look at article 30 GDPR. It contains exactly what has to be in the register.


Is every organisation required to have a register of processing activities?

In daily practice we find that almost every organisation will need to create a register. In theory, there is an exception as GDPR states that you do not have to keep a register if you employ fewer than 250 people, but it is hard to comply with the preconditions:

  • the processing you carry out cannot involve a risk to the rights and freedoms of those involved;
  • the processing must be incidental (note: this one is particularly tough); or
  • there is no processing of a special category of data or personal data in connection with criminal convictions and criminal offenses.

We hardly see organisations to whom this exception is valid. That’s why we think it is safe to assume that most organisations do need a register.