How to keep your record of data processing activities (or GDPR article 30) up-to-date


Improve your processes with this useful template

Data is a constantly evolving entity and maintaining your ongoing compliance with GDPR requires you, amongst other responsibilities, to keep an up-to-date record of your personal data processing activities, also known as your GDPR Article 30.

For almost a year, however, things on the GDPR front were somewhat quiet. Six months after the deadline, a Deloitte survey showed that only 33% of companies planned to continue investing in embedding privacy.

Before the deadline struck, the business world went into overdrive. In their attempt to demonstrate compliance before May 28th 2018, organisations scrambled to identify their data, map personal data inventories and blast out endless emails to customers asking them to ‘opt-in’. On average, British companies spent £1.3 million to ensure their GDPR compliance.

The deadline hit and…



For months, nothing really happened. The hype started to subside and people wondered whether the Information Commissioner’s Office (ICO) was bluffing with its threat of 4% fines.

But then…

The thing many thought would never happen, did happen. Two significant fines were slapped on British Airways and Marriott in quick succession, totalling nearly £300m. It was a stark reminder of how serious the GDPR is, and a demonstration that the ICO means business.

And given the ripple effect of the fines imposed so far, organisations are once again making a priority of getting their GDPR house in order.

The trouble is, if you are revisiting your processes, how do you know whether they are good enough?

To help provide that clarity around what you need to do to review and improve your record of data processing activity, we’ve created this helpful template…

Step 1

Step 2: Review your data processing rules


With a list of the data you hold, it’s time to establish the rules for processing that data. These rules can broadly be split into 3 categories:

  • What data should not be processed where?
  • What data should be deleted and when?
  • What data poses an unacceptable risk to the business?

To create these rules, analyse your personal data inventory above. Think about the types of processing that could pose privacy, security, and business risks to your organisation, and write them down in prose form, as shown below:


What shouldn't be processed


What data should be deleted


Unacceptable risk

 Top tip!

Don’t feel like this initial list has to be exhaustive. Start by highlighting the highest risk rules first and figure out how to prioritise and enforce them. This initial work then forms the basis for you to justify your monitoring and compliance activities.


Step 3: Review compliance monitoring


The GDPR places emphasis on implementing ‘comprehensive but proportionate’ controls to monitor and protect personal data.

The simplest way to do this is to list out your rules for managing personal data (that you identified above), and then write down your ideal monitoring controls. Following that, list what you do currently. Once you have your ideal controls you can document the difference, and create a roadmap for closing the gap between the two in the future:

Step 3


Step 4: Think… ‘how can technology make this process easier?’


As with all GDPR processes, your record of data processing activities needs to be constantly reviewed, and periodically updated. But actioning and monitoring your data is hard if you are relying on manual methods only.

Our research indicates that managing personal data only becomes more complex as your business grows bigger. Over half of organisations with more than 500 employees identified over 50 personal data processes, increasing to 1,000 processes when there are over 1,000 employees.

Trying to manage that manually means that you’re never going to have an accurate picture of the data you hold (Step 1), or know when your data processing rules are broken (Step 2).


Therefore, deploying technology that understands and helps your organisation manage your data is vital if you’re to remain compliant with GDPR, since it allows you to:

  • Review your personal data inventory by showing you what structured AND unstructured personal data is really being held in your data estate.
  • Run searches for potentially hidden personally identifiable information in your data.
  • Set data processing policies and rules using the technology.
  • Create automated workflows that alert you when a rule is broken.
  • Quickly satisfy requests for personal data from individuals.

Compliance monitoring is easier with intelligent information discovery technology

Start discovering your data today

Why don’t you set up a time for one of our experts to give you a demo that’s relevant to your business challenges and we will show you how Exonar can help?


 “Exonar is developing best-of-breed technology for its customers but only because the team is going the extra mile on a daily basis - whatever you need, Exonar is there. It’s the best experience I’ve had of working with a solution provider in over 20 years.”

Dave Parker, Group Head of Data Governance, Arrow Global