The GDPR contains new and explicit requirements for documenting data processing activities. Documentation under the GDPR relates to an organisation’s record of its processing activities, covering areas such as processing purposes, data sharing and retention. Records must be kept in ‘writing’ (electronic records are acceptable), must be kept up to date and must reflect the current processing activities. These records may need to be made available to the ICO on request.
Documenting our processing activities is important, not only because it fulfils the GDPR legal requirement, but also because it supports good data governance. Good records will help us to demonstrate our compliance with other aspects of the GDPR.
Documentation includes the generic and specific information produced in relation to data processing activities, for example:
- Contracts between Data Controllers and Data Processors
- Data processing agreements and data sharing agreements
- Privacy Notices
- Information Asset Registers
- Data breach reporting and investigation