Records for GDPR Compliance

What’s types of records must businesses keep to satisfy the GDPR?

There is a difference between the types of records SMEs and larger firms must keep, but only if you process data occasionally.

If you have fewer than 250 employees

You must hold internal records for your processing activities and where data is being processed.

Businesses with more than 250 employees

Must keep more detailed records - name of data protection officer (DPO), why your organisation processes data, details on the types of data held, who this is shared with, foreign transfers outside of the EU, retention schedules, a description of technical and organisational security measures, the list goes on.

An SME that handles data regularly

To manage reputation and risk effectively you should adhere to the requirements of a 250+ employee business, as a matter of best practice. In support of this recommendation the GDPR states that these extra records keeping duties apply to a SME if ‘the processing it carries out is likely to result in:

  • a risk to the rights and freedoms of data subjects,
  • the processing is not occasional,
  • the processing includes special categories of data, or
  • personal data in relation to criminal convictions and offences.’


For more answers to your questions take a look at this Whitepaper for SMEs: GDPR for small businesses. Here you will find helpful information and practical steps for working towards compliance. To access this Whitepaper Sign Up to Gravicus Osprey where you will also get
5 Free Data Protection Impact Assessments (DPIAs) with Osprey DPIA as well as access to our Resource Centre.


Telephone: 0203 858 0636

Email:  info@


Simply smart data management with Osprey