The General Data Protection Regulation (GDPR) is nearly upon us and—regrettably—many organisations are still unprepared.
In fact, 55 per cent of organisations still don’t have a structured plan to ensure compliance, according to a recent survey from software suite developer SAS. Regardless of where your organisation is in the process, it is essential that you don’t overlook the documentation of your processing activities, because if you’re disorganised in your efforts, you can be fined up to roughly £8 million or 2 per cent of your annual turnover, whichever is higher.
To ensure that your organisation’s documentation process is neat, tidy and thorough, it must include the following information:
- The name and contact details of your organisation
- The purposes of your processing
- A description of the categories of personal data
- The categories of recipients of the personal data
- Details of your transfers to third countries, including documenting the transfer mechanism safeguards in place
- Retention schedules
- A description of your technical and organisational security measures
As a best practice, the Information Commissioner’s Office (ICO) also recommends you record the following:
- Information required for your privacy notices, such as the lawful basis and the legitimate interests for the processing
- Records of consent
- Controller-processor contracts
- The location of personal data
- Data protection impact assessment reports
- Records of personal data breaches
Your organisation must document all processing activities if you have at least 250 employees. Otherwise, you only need to document the processing activities that are not occasional, that could result in a risk to the rights and freedoms of individuals, or that involve the processing of special categories of data.
Nevertheless, regardless of the size of your organisation, you should take the following steps to prepare your documentation:
- Perform an information audit or data mapping exercise.
- Find out and record why your organisation collects, stores, uses and shares personal data.
- Keep a written copy of your records.