The GDPR requires that you keep continuous records of activities within your organisation and you need to ensure compliance is being maintained by regularly updating them. Keeping documented evidence of how you are striving to keep compliant is something you should design into your entire business operations.
Detailed information on the data audit exercises you perform, documenting what personal data you hold, what you do with it and who you share it with. These should be repeated at intervals as your data processing changes. Information collated from individuals or departments should be kept on record and should always reflect current processing activities.
The lawful bases for collecting and processing personal data, clearly identified. These will differ for each category of data your business interacts with.
A Privacy Notice, effectively the public statement of how your organisation complies with the data processing principles of the GDPR.
A Data Retention Policy outlining the rules your business employs for the retention of data.
Consent forms that are completed to provide evidence that you have obtained permission from data subjects to use their personal data. In addition, you should keep written information on how you manage ongoing consent.
DPIA (Data Protection Impact Assessment) documentation, a register of all the DPIAs that have been undertaken and all the risk documentation produced when identifying and mitigating risks to data security.
Written contracts with every third-party processor used including contractual documents for the processing and/or transferring of data between controller and processors.
A listing of all the processing activities your company or organisation undertakes. This is a mandatory requirement in the following circumstances:
An appropriate Data Protection Policy which is an internal document that can be accessed by employees. It should outline and demonstrate the controls put in place by the company to protect data.
An Information Security Policy describing the technology employed by the company and the controls in place to protect all the data assets stored.
Data Breach Response and Notification Procedures (to Supervisory Authority and a separate one to data subjects), used in the event of a personal data breach and a register of any breaches experienced over time. This should be in the form of a set of breach notification templates that serves to identify, report, manage and resolve a data breach.