Use our document to keep a written record of your processing activities for employee-related personal data as required by the UK GDPR. Your record must incorporate certain minimum information.
Processing record
There’s a specific obligation in the UK GDPR to maintain a written record of your processing activities, to include:
Our Record of Personal Data Processing Activities includes columns for you to insert information on all these matters. We’ve also usefully included some common examples of the types of employee personal data that you’re likely to process, such as basic personal information and contact details, recruitment records, employment contracts, financial and tax information, disciplinary, grievance and capability records, appraisals, leave and absence records and termination of employment documentation. However, our examples are not intended to be exhaustive, so you will need to include such additional or amended information in your own record as is relevant to your data processing activities. We’ve also included some guidance notes to further help you with completing the columns. Once you’ve completed your record, do regularly review it to ensure it continues to accurately reflect your data processing activities.
Lawful processing
Processing of personal data, and of special category personal data and data on criminal convictions and offences, is only lawful where you have a lawful basis for it. These bases are set out in the UK GDPR. For special category personal data and data on criminal convictions and offences, you also need to have an additional lawful condition for processing. You don’t have to specify in your record of processing activities which lawful basis or additional lawful condition for processing you’re relying on. However, we have included two columns for this (one for personal data and one for special category personal data or data on criminal convictions and offences), as doing so ensures that you’re clear about what your lawful basis or additional lawful condition is and helps you to comply with the UK GDPR’s “accountability” requirements relating to the lawfulness of processing.