This page contains the transcript of a web chat we had with a member of the ICO team.
The team members have been really helpful and very gracious in allowing us to publish these transcripts. We are duty bound to point out that the information included will be the view of the agent and could of course be subject to the misunderstandings that can arise from a purely written conversation. The actual General Data Protection Regulation should always be regarded as the ultimate source of truth.
Initial Question: What constitutes "not occasional" processing as per GDPR A30(5)
Tom: OK, so, to clarify my understanding, if a small business is processing any type of personal data frequently, it has a responsibility to keep records of that data processing, is that right?
ico_rachels: Yes. That's correct.
Tom: So, swinging back to a question from earlier, what constitutes 'not occasional'?
ico_rachels: But as advised previously, I can't expand on what our understanding of 'occasional' and 'frequent' processing would be as no guidance has not been issued by us or by the Article 29 Working Party.
Tom: lol, understood!
Tom: Do we have any idea of an order of magnitude? Hours/Days/weeks/months?
ico_rachels: If you interpret it under a standard dictionary interpretation, occurring refers to 'infrequent' or 'irregular' processing. However, I'm not in a position where I can advise you more clearly than this, I'm afraid.
Tom: Completely fair enough. on a related note, in the case of a breach, would the ICO look more forgivingly upon a small organisation if it kept these records, even though it was not required to do so? I.e. would personal data processing record keeping be considered best practice by the ICO?
Tom: I'm wondering if the best recommendation to customers is just to put the record keeping in place regardless.
ico_rachels: I believe it would be considered best practice - providing it was feasible to do so. However, if there is no legal obligation, there is no requirement for them to do so.
Tom: Final question, as before is it ok to publish this on our site? I'd probably just take the bit from "Yes. I agree with your intepretation" about ten lines back onwards
Tom: Sorry, meant from "OK, so, to clarify my understanding" onwards
ico_rachels: Yes, certainly. You may need to make it clear that our live chat service provides general advice.
Tom: Will do, it also
contains a caveat against each transcript that it is the view of the agent and could of course be subject to the misunderstandings that can arise from a purely written conversation.
ico_rachels: I see. Thank you for clarifying that. I hope that information is helpful to you.
Tom: I'm just rounding up the questions I'm getting from lots of different businesses. Yes, very helpful thank you. Have a good evening