Documenting your purposes for processing

Overview

You need to have understood and documented your purposes for processing personal information.

Your purposes must be broken down into their core functions against the categories of individuals you collect data on (employees, customers, suppliers, prospects etc).

You will most probably have multiple purposes for processing.

You must not roll all your purposes into one. For example, marketing cannot be covered under the purpose of customer orders.

Example

It is important to document your purposes in a granular and meaningful way. For instance, you may have several separate retention periods, each specifically relating to different categories of personal data.

Equally, it is likely that the organisations you share personal data with will differ depending on the type of people you hold information on and your purposes for processing the data. The record of your processing activities needs to reflect these differences in order to meet GDPR requirements.

The example record below is organised by purpose category; for each category it lists the purposes of processing, the categories of individuals and the categories of personal data.

Purpose category: Staff administration
  Purposes of processing: Payroll; Regulatory purposes; To co-ordinate the workforce; To send emails and other communications
  Categories of individuals: Employees
  Categories of personal data: Contact details; Financial details...; Emergency contacts...; Contact details...

Purpose category: Customer orders
  Purposes of processing: For billing, account management and other administrative matters; Regulatory purposes; To provide, update, maintain and protect our Services, Websites and business; To send emails and other communications
  Categories of individuals: Customers; Suppliers...
  Categories of personal data: Contact details; Financial details; IP address...; Location...

Purpose category: Marketing
  Purposes of processing: Information about our latest offers; Exclusive discounts; Industry insights
  Categories of individuals: Customers; Clients...
  Categories of personal data: Contact details; Lifestyle information; Contact details...

What the regulator says:

GDPR - Records of processing activities - Article 30 (1) - Controllers 

"Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility."

GDPR - Principles relating to the processing of personal information - Article 5 (1c) - Controllers

"Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);"

GDPR - Principles relating to the processing of personal information - Article 5 (2) - Controllers

"The controller shall be responsible for, and be able to demonstrate compliance"
