Documenting your Data Processing Activities
A practical guide to documenting your data processing activities for GDPR Article 30 and NHS DSPT

Understanding GDPR and Data Accountability
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are built around one core principle: accountability. For digital health companies, this means you must be able to demonstrate compliance and show that you handle personal data responsibly. One of the most important elements of this accountability is documenting your data processing activities.
This can seem daunting, but it is a crucial step in ensuring compliance and protecting individuals' privacy. Following good documentation practice not only achieves legal compliance but also strengthens your overall data security, because you cannot protect, minimise or securely dispose of data you have not recorded.
Why Documenting Your Data Processing Activities Matters
For organisations working within or alongside the NHS, demonstrating compliance with both UK GDPR and the NHS Data Security and Protection Toolkit (DSPT) is essential.
These evidence items highlight what’s expected:
- NHS DSPT Evidence Item 1.1.2: Does your organisation maintain an up-to-date list of how it holds and shares personal and sensitive data?
- NHS DSPT Evidence Item 1.1.3: Does your organisation have a clear, accessible privacy notice?
How to Document Your Data Processing Activities
To align with both NHS DSPT and UK GDPR requirements, the most efficient approach is to prepare three core documents, supported by the additional records described in Steps 4 to 7:
- Information Asset Register (IAR) - Know your data.
- Record of Processing Activities (ROPA) - Document your data processing.
- Privacy Notices - Tell people how their data is used.
Let’s explore each step in detail.
Step 1: Know Your Data - The Information Asset Register (IAR)
Before you can protect data, you need to understand what data you hold.
An Information Asset Register (IAR) provides a complete inventory of all personal and sensitive data within your organisation.
Your IAR should include:
- The type of data (e.g., health, financial or demographic) and whether it is special category data.
- Who owns it within your organisation (the information asset owner).
- Where it is stored (systems, suppliers and locations) and who it is shared with.
- Retention periods and disposal methods.
This foundational step ensures full visibility of your data landscape and forms the basis for all other GDPR documentation.
Step 2: Document Your Processing Activities - The Record of Processing Activities (ROPA)
Once you know what data you have, the next step is to understand how it’s used. The Record of Processing Activities (ROPA) serves as your roadmap for all data flows.
Your ROPA should record, for each processing activity:
- Where data originates (sources) and the categories of data subjects and personal data involved.
- Where data is sent (recipients), including any transfers outside the UK and the safeguards relied on.
- The purpose and legal basis for processing.
- The retention period.
- A general description of the technical and organisational security measures in place to protect the data.
Article 30 of the UK GDPR also requires the record to name the controller and, where one is appointed, its data protection officer. Maintaining an accurate ROPA demonstrates compliance with Article 30 and provides transparency for audits or regulatory reviews.
Step 3: Tell People - Privacy Notices
One of the most crucial aspects of GDPR compliance is transparency. Your privacy notice must clearly inform individuals about how you collect, use, and share their personal information.
A privacy notice should:
- Outline the data collected, why it is collected and the legal basis relied on.
- Explain who the data is shared with and how long it will be retained.
- Describe individuals' rights under UK GDPR, including the right to complain to the ICO.
- Include contact details for data protection queries.
Clear, accessible privacy notices foster trust and accountability with users and partners alike.
Step 4: Maintain Consent Records
Consent plays a major role in data protection, especially for digital health platforms, but it is only one of the available legal bases and must be freely given, specific, informed and unambiguous to be valid. Where you rely on it, detailed consent records should show:
- When and how consent was obtained.
- The specific purpose of consent.
- Any subsequent withdrawal or change in consent.
This documentation allows you to demonstrate valid consent if it is ever challenged and supports ethical data handling.
Step 5: Manage Data Subject Rights
Under UK GDPR, patients have specific rights, such as access to, rectification of, and erasure of their personal data. Your organisation should have clear, straightforward processes for handling these requests, of which Data Subject Access Requests (DSARs) are the most common.
This includes documenting:
- How requests are received and logged, and how the requester's identity is verified
- The timeframes for responding to each request (normally one month, extendable by up to two further months for complex or numerous requests)
- Any refusals or exemptions applied, and the reasons behind them
Step 6: Record Data Breaches and Security Incidents
No system is completely immune to data breaches; what really matters is how your organisation responds. Keep a clear personal data breach log that records:
- The date the breach occurred and was discovered, and what happened
- The impact on any affected patients or individuals
- The steps taken to contain the breach and prevent further harm
- Whether the breach was reported to the ICO and, where required, to affected individuals, and the reasoning either way
Maintaining these records shows accountability and helps strengthen your overall data protection approach.
Step 7: Ensure Compliance with Third Parties
Many organisations rely on third-party providers for data processing.
Document all suppliers and partners that handle personal data on your behalf, and ensure they meet UK GDPR and NHS DSPT standards.
Include:
- Data processing agreements (DPAs).
- Security certifications.
- Audit findings or compliance evidence.
This ensures that compliance extends throughout your data supply chain.
Additional Data Documentation Best Practices
Beyond the key documents (IAR, ROPA, and privacy notices), your data protection framework should include:
- Information management procedures with clear retention schedules.
- Data protection by design and default principles embedded in every process.
- Regular reviews and updates when new processing activities occur.
Consistent maintenance ensures ongoing compliance and operational resilience.
Start Documenting Your Data Processing Activities Today
Documenting and keeping track of your data processing activities may seem like a daunting task, but following the steps above will lay solid foundations for your ongoing compliance journey. Assuric is a compliance platform built from the ground up to simplify your compliance journey and ensure nothing is missed. We can help with:
- Creating, managing, and updating your IAR, ROPA, privacy notices and other documentation.
- Reviewing your documentation and process to ensure it meets requirements
- Complying with other aspects of GDPR, the NHS DSPT and NHS DTAC.
Schedule a call with us today to learn more about how Assuric can help you achieve compliance and protect your organisation.
Frequently Asked Questions (FAQs)
- Why is documenting data processing important?
It helps organisations prove accountability, ensure transparency, and meet regulatory standards such as UK GDPR and the NHS DSPT.
- What is the difference between IAR and ROPA?
The IAR lists what data you hold, while the ROPA explains how and why you process it.
- How often should documentation be updated?
You should review and update your documentation whenever there is a change in how data is processed or shared, and at least annually as part of your DSPT submission.
- Do small digital health startups need to document their data processing?
Yes. UK GDPR Article 30(5) exempts organisations with fewer than 250 employees only where processing is occasional, unlikely to risk individuals' rights and involves no special category data. Health data is special category data, so a digital health startup will almost always need a ROPA regardless of size.
- Can Assuric help automate documentation updates?
Yes, Assuric's compliance platform streamlines updates, notifications, and evidence tracking to maintain compliance efficiently.