Law Guide

Documenting processing activities

You have an obligation to be accountable under the UK General Data Protection Regulation (UK GDPR), i.e. to be responsible for, and able to prove, compliance with the UK GDPR. Having written records and other documents will help you achieve this.

Documenting processing activities

Businesses with fewer than 250 employees only need to document processing activities that:

  • are not occasional; or
  • could result in a risk to the rights and freedoms of the tenant whose information is being processed; or
  • involve the processing of special categories of data (previously called sensitive data) or criminal conviction and offence data.

You must document the following information for the above processing activities:

  • The name and contact details of your organisation and, where applicable, other controllers, your business's ICO representative and your data protection officer.
  • The purpose and lawful basis of your processing.
  • A description of the categories of individuals whose data is being processed.
  • The categories of recipients of the personal data.
  • Details of your transfers of personal data to other organisations and countries outside the EEA (being Norway, Liechtenstein, Iceland and all the countries in the EU) including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

Documents and records

Examples of other documents that will help you meet your duty of accountability include:

  • Records of processing activities. The Information Commissioner's Office (ICO) has a template you can use to do this.
  • The privacy notices given to tenants.
  • A data protection policy.
  • Records of any consents you've obtained.
  • Any contracts you have with external reference agencies that you have shared the tenant information with (it should state how they will use and protect the tenant's personal information).

The ICO may ask you to provide your records. The records should reflect your current processing activities, and should be kept up to date and in writing. They can be held electronically. See the ICO website for more information.
