PII Processing Inventory and Lawful Basis Policy

The PII Processing Inventory and Lawful Basis Policy defines how an organization maintains its PII Processing Inventory / ROPA and documents the core facts needed to demonstrate accountable processing within the PIMS scope. It applies to all in-scope PII processing activities, including processing performed as a controller, joint controller, processor, or subprocessor. The policy covers processing by business processes, systems, applications, suppliers, processors, subprocessors, and data-sharing recipients, and it applies to new, materially changed, and retired processing. A processing inventory record is defined as a REG02 entry that describes a distinct PII processing activity, including its purpose, role, owner, PII categories, PII principal categories, lawful basis or customer instruction reference, systems, recipients, retention reference, transfer reference, privacy risk status, and review status. A central objective of the policy is to make REG02 the authoritative evidence object for the PII processing inventory and records of processing activities. The policy requires a Process Owner or Business Owner to create a REG02 record before any new PII processing begins and to record the required fields before the activity starts. It also requires the organization’s PIMS role to be classified for each activity, and it links systems, applications, vendors, processors, subprocessors, third-party sharing, and joint controller relationships to the relevant REG02 record. This creates a structured record of processing that can connect to privacy notices, consent, DPIA, risk, supplier, transfer, control, and audit evidence where applicable. For controller activities, the policy requires the specific processing purpose to be documented before PII is collected, used, disclosed, or otherwise processed. The Privacy Lead / PIMS Manager must validate the lawful basis recorded in REG02 before controller processing begins and before any purpose change takes effect. The policy also addresses special situations: consent must link to REG05, legitimate interests must reference REG04, special category PII requires a recorded condition, and criminal conviction or offence data requires an authorization basis. For processor and subprocessor contexts, the policy requires customer instruction references, customer purpose, subject matter, duration, PII categories, and PII principal categories to be recorded before processing begins, with agreement and instruction evidence maintained in REG08. The policy also defines how the inventory remains current. Material processing changes include changes to purpose, lawful basis, PIMS role, PII category, PII principal category, recipient, system, supplier, subprocessor, processing location, transfer, retention rule, security classification, privacy notice, consent dependency, DPIA status, customer instruction, or certification scope. REG02 must be updated within 10 business days of identifying such a change, and privacy risk and DPIA screening must be initiated in REG04 before new or materially changed processing proceeds. The Privacy Lead / PIMS Manager reconciles REG02 against REG01, REG03, REG04, REG08, and REG09 quarterly, while Internal Audit / Compliance Reviewers sample completeness, accuracy, and currency during scheduled reviews. Governance, measurement, exceptions, and enforcement are built into the policy. The Privacy Lead / PIMS Manager submits quarterly inventory health summaries in REG12, records inventory metrics, validates new REG02 records, and maintains minimum field and review cadence rules. Top Management reviews completeness, overdue reviews, major lawful basis issues, and unresolved nonconformities during management review. Exceptions must be requested and assessed in REG12, with expiry dates not exceeding 90 days, and certain exceptions require advice from the Data Protection Officer / Privacy Advisor and approval by Top Management. Enforcement includes recording nonconformities, suspending new processing when evidence is missing, blocking system go-live or supplier onboarding when required linkage is absent, and verifying corrective action effectiveness.