Keeping records and ensuring security

How do you keep records of processing activities and ensure data security as required under the GDPR? Dr Bo Zhao discusses this topic.
© University of Groningen

Under Article 30, controllers have to maintain records of all processing activities. These records need to be in writing (including in electronic form) and have to be made available to the competent supervisory authority upon request.

Controllers can be exempted from this obligation when they have no more than 250 employees, except where the processing may give rise to a risk to data subjects’ rights and freedoms, where the processing is not occasional, where it includes special categories of personal data (Article 9), or where the data relate to criminal convictions and offences (Article 10).

Records need to include:

  • The name and contact details of the controller;
  • The purposes of the processing;
  • Categories of data subjects, personal data and recipients;
  • Information regarding data transfers outside the EU;
  • The envisaged time limits for erasure;
  • A general description of the technical and organisational security measures.

Technical and organisational measures

Under Article 32, controllers have the obligation to take technical and organisational measures to achieve a level of security appropriate to the risk. When choosing these measures, they need to consider the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk, of varying likelihood and severity, to the rights and freedoms of natural persons. Examples of such measures include:

  • Pseudonymisation and encryption of personal data;
  • Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of the processing.

Both controllers and processors have to take measures to ensure that persons acting under their authority (employees, for example) do not process personal data except on instructions, unless they are required to do so by EU or Member State law.

This article is from the free online course Understanding the GDPR, created by FutureLearn - Learning For Life.