Reviewing your data processing activities


To maintain compliance, regular meetings should take place to check that your processing and data compliance are legal and up to date.

How you share or store data across your business evolves over time. Team members bring on new tools or strategies that can lead to new processing and, in some cases, purposes that may not have been documented. If the processor is outside of the country, this will need to be documented and the appropriate safeguards applied.

The services you use may change their format in such a way that impacts how or where they process personal data.

Regular reviews and policy updates will minimise your data compliance risks.

There are several specified areas where records must be maintained, such as the purposes of processing personal data, data sharing and retention. 


  • Your marketing team decide to switch to MailChimp to deliver their email marketing campaigns.
  • Your sales and marketing team are coordinating their targeting by sharing new leads via Google Drive.
  • Your accountant is now using an online accounting program to process payroll.

In each of these examples, you are now carrying out new processing for new purposes. These must be reflected in your privacy information as soon as possible.

Best practice is to plan ahead before engaging any new tools so as to ensure your privacy information is always up to date. However, team members can sometimes take on new processes unwittingly.

For that reason, you are required to regularly review your processing activities to ensure your privacy information accurately reflects your processing activities and purposes.  

What the regulator says

GDPR: Principles relating to the processing of personal data - Article 5 (1b)

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

GDPR: Safeguards and derogations - Article 89(1)

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject.