
Step 7: Keep a record

Once the data in use and the processes for gathering the data are understood, there is a requirement to keep a record of each. The GDPR introduces a key principle for organisations to be accountable for their data processing activities; this means that it is essential to have this detail captured in a processing register.
The processing of personal data is the activity where you gather, transfer or do something with the data, such as events registration, passing this data to the event facility and contacting the registrants with details of the event.

The GDPR Data Inventory is available for use by Executive Committees to capture this detail.

When recording the processing activities, it is key to align each of these to a pre-defined justified purpose, known as the lawful basis for processing. There are 6 of these that align to personal data (name, address, email etc…) and eleven for sensitive (special category) data (ethnic origin, medical conditions etc…).

There are a number of these; however, it will usually turn out that only a few are required. Examples of these are highlighted below:

Personal data

  • Consent of the data subject: should be used for communications preferences or consent for the use of photographic images (however, legitimate interest may also be appropriate for photography; further guidance can be found here).
  • Processing is necessary for the performance of a contract: should be used for the personal data gathered and processed as part of a member joining.
  • Processing is necessary for compliance with a legal obligation: should be used for the retention of records as part of accident reporting.
  • Necessary for the purposes of legitimate interests pursued by the controller or a third party: should be used for the passing of a waiting list from one local Scout Group to another. This is for personal data only (name, address, email etc…).

Sensitive (special category data)

  • Explicit consent of the data subject: should be used if you are required to transfer the data to a third party, such as for an event.
  • Processing is necessary to protect the vital interests of a data subject: should be used in an emergency situation where you need to pass data to a medical professional.
  • Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, provided the processing relates only to members or former members: should be used for the sensitive (special category) data gathered and processed as part of a joining member or event registration, where the data is not passed on to a third party.

When choosing the lawful basis behind the processing activity, it's worth noting that both legitimate interest and consent allow the data subject to rescind their permission for the processing activity, if you are able to do so. The full list of lawful bases can be downloaded here.

If legitimate interest is the chosen lawful basis for processing, then it is important to maintain a record of this activity. It is also important that the record shows how the decision was made that the legitimate interest balances. To assist, you can use the Legitimate Interest Assessment Tool.