Part 8: Records Management & Lawful Basis

Accountabilityis one of the 7 Principles under the GDPR (General Data Protection Regulation). To ensure businesses comply with their accountability obligations, the ICO has now created a framework that breaks down the key elements of accountability in data protection.

As part of an ongoing series of blogs, CVG Solutions will be guiding you through the ICOs 10 framework categories, taking a closer look at the importance of each aspect and how to adhere to them.


As an organisation, you are legally required to document your data processing activities. You must include the type of data categories, where the information is stored, how it is used and the legal basis for processing. It is important to note that your data processing will not be lawful without a valid lawful basis, so you must demonstrate how you are complying with the accountability principle and you can justify your choice appropriately.

To give an idea of what that looks like in practice, this section is broken down into 10 categories:

Data Mapping:

As always, clarity is key, so you must be thorough when carrying out data mapping exercises.

These are essential for understanding what personal data is held and how that data flows through your organisation. Try using questionnaires and staff surveys to ensure an accurate understanding of processing activities.

Record of processing activities (RoPA):

Based on the data mapping exercises your RoPA should be formal, documented, comprehensive and, of course, accurate. They should be in electronic form, so they can be quickly and easily accessed, amended or removed. They should be regularly reviewed and updated by a designated team or individual.

RoPA requirements:

The RoPA must contain all the information required by Article 30 of the UK GDPR (contact CVG Solutions for a simplified breakdown of the minimal requirements that are laid out in Article 30). A record must be kept of all processing activities undertaken by the processor.

Good practice for RoPAs:

As a matter of good practice, your RoPA should include, or have links to, documentation regarding privacy notices, consent (informed, unambiguous and freely given), DPIAs, controller-processor contracts, data breaches, data sharing agreements, retention and erasure policies and so on.

Documenting your lawful basis:

Choose the most appropriate lawful basis for each processing activity and be sure that justification is documented before processing begins. Always document an appropriate condition when processing special category data (personal data that is sensitive in nature and therefore requires further protection).

GDPR specifically defines ‘special category data’ as personal data that details the following:

  • criminal offences
  • political opinions
  • racial or ethnic origin
  • religious or philosophical beliefs
  • trade union membership
  • genetic or biometric data
  • health
  • sex life or sexual orientation

Lawful basis transparency:

Information regarding the purpose of the processing and the lawful basis should be made publicly available, clearly stated and easy to access. Be sure to promptly inform data subjects of any amendments made to the lawful basis. All information must be presented in a format that is easy to understand.

Consent requirements:

If your organisation relies on consent for the processing of personal data you must make sure that is in line with the GDPR consent requirements:

  • Specific
  • Informed
  • Freely given
  • Unambiguous
  • Easily withdrawn

Records of consent must be easily amendable.

Reviewing consent:

Procedures should be in place so that records of consent can be regularly reviewed and refreshed.

Risk-based age checks and parental or guardian consent:

Your organisation needs to make concerted efforts to check the age of the individuals giving consent so you can assess their ability to give the consent themselves. There should also be a means of obtaining parental or guardian consent, which should be recorded and reviewed regularly.

Legitimate interest assessment (LIA):

‘Legitimate interests’ is one of the six lawful bases for processing personal data (organisations are required to have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle). If your organisation’s lawful basis is legitimate interests, an LIA must be carried out before the processing begins. They too should be clearly documented and reviewed regularly.

Your organisation will be able to clearly demonstrate accountability with a RoPA that contains all the relevant information, which is also beneficial for completing DSARs, identifying risks and informing privacy notices.

———For any changes to data protection and transferring policies as a result of Brexit, or for a full breakdown of what privacy information includes, get in touch with CVG Solutions and we can help guide you through everything you need to know and ensure you meet all the requirements laid out by the ICO.

Check back for monthly updates and information regarding the ICO Accountability Framework. In April, we’ll be taking a closer look at Risks and Data Protection Impact Assessments. You can also read our other blogs in the series on:

Leadership & Oversight (Part 1) 

Training & Awareness (Part 2)

Transparency (Part 3)

Contracts and Data Sharing (Part 4)

Records Management & Security (Part 5)

Policies & Procedures (Part 6)

Individual’s Rights (Part 7)

If you require any further help, guidance, information or clarification, you can contact CVG Solutions at, or call us on 01775 660-506.

CVG Membership

As a brand new addition to CVG Solutions, we launched a membership option last year. Sign up for announcements and updates as they happen, so you don’t miss out on future entries of our Guide to the ICO Accountability Framework blog series.


Records of Processing and Lawful Basis Checklist

Not entirely sure whether your organisation is complying with the regulations laid out by the ICO? No problem, just use this checklist to see where you might be going wrong:

  • Would staff say that there was an effective process in place to identify what personal data is held across the organisation?
  • Would the record match what people were currently doing?
  • Would staff say that you have effective processes in place to keep the record up to date, accurate and make sure that the data is minimised?
  • Could staff explain their responsibilities and how they carry them out in practice?
  • Are staff aware of the need to identify a lawful basis for processing personal data?
  • Can they identify an appropriate lawful basis?
  • Are they aware of the additional requirements to protect special category and criminal offence data?
  • Would customers agree that your privacy notice is easy to find, access and understand?
  • Do staff agree that the records of consent are easy to access, understand and review?
  • Do customers say that you make it easy to understand and manage consent?
  • Are staff aware of the process to review consents?
  • Is the procedure easy to find, access and understand?
  • Do individuals say it was easy to manage their consent preferences?
  • Do staff and individuals agree that you have a reasonable and effective way to conduct risk-based age checks, gain parental or guardian consent and review what’s in place?
  • Do staff say that the LIAs are clear and comprehensive?
  • Is the review process effective?

About the Author

Cristina is recognized as a leader in the GDPR industry and has 25+ years of experience working for large international corporations. During this time Cristina has acquired an extensive knowledge and practical application of data protection, risk management and compliance.   Cristina uses all of her expertise in helping her clients of all sizes to improve their understanding of the GDPD, how it can strengthen their brand, and how it can support them to drive business growth.  Cristina is the creator of the ‘GDPR 3 Stages Maturity Lifecycle’ and of the ‘GDPR Toolkit’.  Click here to know more.