As per Art 30 of the GDPR, controllers have the obligation to maintain a record of processing activities. This record should contain information about the processing, including categories of data, groups of data subject, the purpose of the processing and the data recipients. This obligation is not only aimed for controllers but also for data processing. To note, organizations with fewer than 250 employees are exempt from this obligation, but only if the processing is not likely to result in risks to the rights and freedoms of the data subject, if no sensitive data is processed or if the processing is only occasional. In all other cases, the obligation applies to all companies, regardless of their size. “Occasional processing” is a broad term and should be treated carefully, as it is possible that processing of data like salary calculations or CRM be regular and not occasional. Furthermore, in the event of a data breach, the records of processing activities will most likely be a central focus for the data protection authorities. Not keeping these records is subject to a fine of 10 million euros, or 2% of the annual turnover, whichever is higher.