Best practices for GDPR record keeping

Every organization that processes personal data and falls within the scope of GDPR is obligated to keep detailed records of all data processing activities. Described below are some of the essential steps for record keeping

Inventory Your Data

  • Determine the different categories of data subjects whose data is collected by your organization (e.g., employees, account-holders, shoppers)
  • Determine the different categories of personal data stored in your organization databases. (e.g., employee records; browsing history for users)
  • Determine the different categories of personal data stored in third-party databases. (e.g., credit card information stored in Stripe)

Map Your Data

  • Where does each type of data record go from point of collection?
    • Track each step in the process for each data records’ point of collection onward.
    • The journey of a data record should be tracked through the internal organization databases as well as in third-party databases.
  • Identify where, exactly, personal data records is stored in both your internal databases and third-party databases.
    • Where are these servers located geographically?

Assess Your Data Processing Practices

  • Define what types of personal data is critical for your business, delete or cease collection on anything extraneous
  • Define the categories of personal data will your organization keep, and what categories will your organization delete (i.e., work rigorously to minimize the amount of personal data collected)
  • Ensure that all data processing is conducted with consent, and/or falls within the other lawfulness standards outlined in Article 6
    • Example: Your organization may have a legitimate interest in collecting phone numbers if it is shipping orders, even if it may never use a particular data subject’s phone number to process an order
  • Set parameters on how long personal data is to be stored for, and in what format.
  • Identify any gridlock in processing data subject requests

Get started on your data inventory, map, and audit with our GDPR checklist. 

Download the GDPR Checklist



This article is provided for general informational purposes only and is not intended to be legal advice.  By using the article, you agree that the information on this article does not constitute legal or other professional advice. The article is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information on the article may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.