Records of Processing

What exactly do we mean by Record of Processing?

Records of Processing covers anything that we do with data, and as you can see from the above example from a single Recruitment process this can be wide ranging.

Read on below to see what Records of Processing GDPR Mentor allows you to manage, hopefully this will provoke some thought as you execute your GDPR Assessment...

Create, Read, Update, Deleted (CRUD)

Firstly we have the traditional processing types that we typically think about. These are the basic functions any system or process documentation might consider when we start looking at Records of Processing.


This is the first point of data being created in a system. You also need to understand where the data came from to allow you to create the new record.


Under GDPR read is considered a processing record, if you have read only access to a system then this access must be recorded.


Once you have searched (Read) for information, you then make changes to the record.


Delete should be recorded as a processing record, both when done on an ad-hoc basis, as a response to Right to Erasure or inline with your Retention policies

Moving data in, out and around the organisation

Before we Create data, we need to receive it from somewhere, we then Send this to others and then what integrations between systems do you have working behind the scenes?


Where does the data come from that comes into your company? Who is sending it, who is the Controller/Processor and do they have consent to share this information with you. What is the mechanism to receive the data, is this secure?


Once you have the data, how do you share it with others? Are you sending Documents, Files or just information in an Email? Are you sending information back to the Data Subject, to a Third Party or just Internally?


Do you have automated processes running that move data between systems? Maybe you have a Data Warehouse of Master Data Management solution. Perhaps you transmit data to a 3rd party (Payroll?) automatically, all these movements of data need to be recorded and assessed.

Manually moving data between systems

GDPR considers any mechanism for storing data in scope, be this an Excel spreadsheet, CSV, PDF or even a printed document. Often these are generated by exporting/downloading/printing data from source systems. Each of these actions are considered a Record of Processing.

Download / Export

If you are running an Export or hitting a Download button to move data from one system into a Spreadsheet, PDF or any other electronic document and this document contains Personal Information then this activity and the resulting file needs to be logged.


If you are printing documents: CV's, Employment Contracts, Restaurant list with Allergies, Patient Medical Record, Payslip, Event report with Special Access requirements (the list goes on) then these paper documents are in scope. The generation of these documents, where they are stored etc. all needs to be recorded.

GDPR Mentor allows you to manage all of the above, and record Legal Basis, Consent, Retention, execute Technical Assessments, Third Party Assessments and more.

Contact Us for a demo, where we can demonstrate the above features, and show you how you can quickly get started and be on the path to gaining benefit from GDPR in a matter of days.


  1. Pingback: What employee data do you process for GDPR

Leave Comment

Your email address will not be published. Required fields are marked *