A processing register (or Record of Processing Activities) is a structured overview of every way your organisation processes personal data. Under GDPR Article 30, organisations with more than 250 employees must maintain one — but in practice, any startup processing personal data at scale or using AI should have one, as supervisory authorities expect it.
What to document per processing activity:
- Purpose: Why are you processing this data? Be specific — "improving our service" is too vague; "training our recommendation model on anonymised usage patterns" is clear.
- Legal basis: Which of the six GDPR grounds applies? Consent, contract, legal obligation, vital interests, public interest or legitimate interests.
- Categories of data and data subjects: What data (e.g. names, emails, AI interaction logs) and whose (e.g. customers, employees, website visitors)?
- Recipients: Who receives the data? Include processors (cloud providers, AI APIs), subprocessors and any third-party integrations.
- Retention periods: How long do you keep the data for each activity? Link to your data retention policy.
- Security measures: What technical and organisational measures protect this data? Encryption, access controls, pseudonymisation, etc.
Start with a spreadsheet if needed, but move to a structured tool as you grow. The Dutch Data Protection Authority provides a template. Tidal Control maintains your processing register as a living document linked to your controls, policies and data flows.