Keep a log you can actually maintain

GDPR expects organizations to keep records of processing activities. The good news: these records can be concise and still useful.

Article 30 outlines what a record should include: who you are, what data you process, why you process it, who you share it with, and how long you keep it. It’s less about paperwork and more about making your data flows explicit.

For a small team, a spreadsheet is enough. Each row can represent one processing purpose. Keep columns for data categories, systems used, and retention. If you can explain the purpose and the data in one sentence, you are on the right track.

A lightweight logbook turns compliance into clarity. It also makes incident response and user requests much easier.

If your organization has fewer than 250 employees, GDPR allows some exceptions, but the safest path is to keep a minimal record anyway. It costs little and reduces future uncertainty.