Documenting your Data Processing Activities

A practical guide to documenting your data processing activities for GDPR Article 30 and NHS DSPT

The General Data Protection Regulation (GDPR) and the Data Protection Act (2018) place a heavy emphasis on accountability. This means that digital health companies must demonstrate they are complying with the law and handling personal data responsibly. One of the key requirements is documenting your data processing activities.

This can seem daunting, but it’s actually a crucial step to ensure your compliance and protect individuals' privacy. Understanding best practices for documenting your data processing will also bring peace of mind about your organisation’s data protection and security posture, and set you up for success for ongoing regulatory compliance.

Whilst there are many approaches to meeting these requirements, in this article we’ll outline the steps you can take to get started, and follow best practices to meet the requirements of the NHS Data Security and Protection Toolkit (DSPT):

  • NHS DSPT Evidence Item 1.1.2: Does your organisation have an up to date list of the ways in which it holds and shares different types of personal and sensitive information?
  • NHS DSPT Evidence Item 1.1.3: Does your organisation have a privacy notice?

How to document your data processing activities

To meet the requirements of NHS DSPT and UK GDPR, it is easiest to create three documents:

  • Step 1: Know Your Data - the Information Asset Register (IAR)
  • Step 2: Document Your Processing Activities - the Record of Processing Activities (ROPA)
  • Step 3: Tell people - privacy notices

We’ll cover each of these in their own guide with practical steps in creating and maintaining the documents, including templates and examples for digital health companies.

You can find links to each guide below, and we suggest working through these in order.

Step 1: Know your data - Information Asset Register (IAR)

Understanding what information you hold is the first step towards compliance. This is where an Information Asset Register (IAR) comes in.

Step 2: Document your data processing activities - Record of Processing Activities (ROPA)

Once we know what data we have, we need to think about where our data comes from, where it goes, our legal basis for processing, and security measures in place.

Step 3: Tell people - privacy notices

One of the most crucial aspects of compliance is transparency. The GDPR requires you to inform individuals about how you collect, use, and share their personal data.

Anything Else?

Beyond your IAR, ROPA and privacy notices, you should also document other aspects of your data processing. These include:

  • Consent records: Keep accurate records of individuals' consent to data processing, including the date, method, and scope of consent.
  • Data subject rights: Document procedures for responding to Data Subject Access Requests and other requests individuals make about their data, to ensure all rights are upheld.
  • Personal data breach records: Document any personal data breaches, including the date, nature, impact, and remedial actions taken.
  • Data protection by design and default: Outline robust procedures to ensure all aspects of data protection are embedded into business processes.
  • Third party suppliers: Record all third party suppliers who process or store personal data on behalf of your organisation and ensure they are operationally compliant with this legislation.
  • Information management: Clear information management procedures should cover scope, obligations and a records retention schedule that defines how you store and protect the data assets under your control. This should minimise the amount of data stored, reducing both the likelihood and impact of a data breach.

Your internal documentation of processing activities should be updated and/or reviewed when there is a new or changed processing activity involving personal data.

Get started today

Documenting and keeping track of your data processing activities may seem like a daunting task, but following the steps above will lay solid foundations for your ongoing compliance journey. Assuric is a compliance platform built from the ground up to simplify your compliance journey and ensure nothing is missed. We can help with:

  • Creating, managing, and updating your IAR, ROPA, privacy notices and other documentation.
  • Reviewing your documentation and process to ensure it meets requirements.
  • Complying with other aspects of GDPR, the NHS DSPT and NHS DTAC.

Schedule a call with us today to learn more about how Assuric can help you achieve compliance and protect your organisation.