Appendix D - Data Process Record




Purpose of data collection/processing:

Data Collection

What information are we collecting?

Does any of this data relate to children?

Volume of customer data:

How are we collecting the information?

What is the frequency of collection?

What type of personal data is it? (Personal/Sensitive)

What is the approximate split of data types?

Storing, Accessing, and Deleting

Where is the information stored?

Who has access to the information?

How easy is it to access the information?

What security measures are in place to protect the information/restrict access?

What is the process of accessing the information?

How long show we be holding the data for [Retention]?

What is the current process for deletion?

Data Sharing

Who is the likely recipient of the data [Who do we share it with]?

What are the processes for sharing data?

Do we publish the data?

Do we collect data from elsewhere (internal/external)?

Do other departments collect data that would enhance this process?

Do we transfer the data to a third country?

GDPR Checks Admin review by Auditor

Can we deliver the service without the data?

Is the request for data lawful under GDPR?

Is the data used for automated decision making?

Do you Undertake any profiling?

Is consent required?

Does a private notice exist? If no, is one required?








Audit and Action plan agreed

Name and Signature





Service Manager




Data Protection Officer






Improvement Action Plan



Audit Area

Area of improvement


Responsible officer