Documenting your purposes for processing
Overview
You need to have understood and documented your purposes for processing personal information.
Your purposes must be broken down into their core functions against the categories of individuals you collect data on (employees, customers, suppliers, prospects etc).
You will most probably have multiple purposes for processing.
You must not role all your purposes into one. For example, marketing cannot be covered under the purpose of customer orders.
Example
It is important to document your purposes in a granular and meaningful way. For instance, you may have several separate retention periods, each specifically relating to different categories of personal data.
Equally, it is likely that the organisations you share personal data will differ depending on the type of people you hold information on and your purposes for processing the data. The record of your processing activities needs to reflect these differences in order to meet GDPR requirements.
|
Purposes of processing |
Purposes categories |
Categories of individuals |
Categories of personal data |
|
Payroll |
Staff administration |
Employees |
Contact details |
|
Regulatory purposes |
Financial details... |
||
|
To co-ordinate the workforce |
Emergency contacts... |
Contact details... |
|
|
To send emails and other communications; |
Customer orders |
Customers |
Contact details |
|
For billing, account management and other administrative matters; |
Financial details |
||
|
Regulatory purposes |
IP address... |
||
|
To provide, update, maintain and protect our Services, Websites and business; |
Suppliers... |
Contact details |
|
|
to send emails and other communications; |
Financial details |
||
|
for billing, account management and other administrative matters; |
Location... |
||
|
information about our lastest offers |
Marketing |
Customers |
Contact details |
| exclusive discounts |
Lifestyle information |
||
|
industry insights |
Clients... |
Contact details... |
What the regulator says:
GDPR - Records of processing activities - Article 30 (1) - Controllers
"Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility."
GDPR - Principals relation to the processing of personal information - Article 5 (1c) - Controllers
"Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
GDPR - Principals relation to the processing of personal information - Article 5 (2) - Controllers
"The controller shall be responsible for, and be able to demonstrate compliance"
References
- GDPR - Principles relating to processing of personal data- Article 30 - 1
- GDPR - Records of processing activities- Article 5 - 1 (c)
- GDPR - Records of processing activities- Article 5 - 2