Under the GDPR, keeping a record of processing activities is not compulsory for companies with fewer than 250 employees.
There are, however, exceptions. Regardless of its headcount, an enterprise with fewer than 250 employees must still keep a record of processing activities if the processing:
- Is likely to present a risk to the rights and freedoms of the data subjects
- Relates to criminal convictions and offences
- On a non-occasional basis, includes special categories of personal data (listed in Article 9 of the GDPR):
  - Racial or ethnic origin
  - Political opinions
  - Religious or philosophical beliefs
  - Trade union membership
  - Genetic data
  - Biometric data processed to uniquely identify a natural person
  - Data concerning health, or data concerning the sex life or sexual orientation of a natural person
The record of processing activities is normally kept in electronic format, although a written (paper) format is also valid. In either format it must always be kept up to date.
The record provides an overview of all data processing activities within the organisation and therefore lets the organisation see which categories of data are being processed, by whom (which departments or business units) and for what purposes. This knowledge allows the organisation to make internal connections, join efforts or projects that share the same or equivalent objectives and challenges, and gain greater control over its data processing activities. It also gives insight into risks and the mitigation actions they require, and so enables the organisation to do more, in a well-ordered way, with the personal data it holds.