In detail
What do controllers have to document?
If you are a controller for the personal data you process, you need to document the following:
- Your organisation’s name and contact details.
- If applicable, the name and contact details of your data protection officer – a person designated to assist with UK GDPR compliance under Article 37.
- If applicable, the name and contact details of any joint controllers – any other organisations that decide jointly with you why and how personal data is processed.
- If applicable, the name and contact details of your representative – another organisation that represents you if you monitor or offer services to people in the EU.
- The purposes of the processing – why you use personal data, e.g. customer management, marketing, recruitment.
- The categories of individuals – the different types of people whose personal data is processed, e.g. employees, customers, members.
- The categories of personal data you process – the different types of information you process about people, e.g. contact details, financial information, health data.
- The categories of recipients of personal data – anyone you share personal data with, e.g. suppliers, credit reference agencies, government departments.
- If applicable, the name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the UK.
- If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a limited number of people’s personal data, made because of a compelling legitimate interest, as referred to in the second paragraph of Article 49(1) of the UK GDPR.
- If possible, the retention schedules for the different categories of personal data – how long you will keep the data. This may be set by internal policies or based on industry guidelines, for instance.
- If possible, a general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU GDPR. EDPB guidelines are no longer directly relevant to, and are not binding under, the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 adopted guidelines on Data Protection Officers, which have been endorsed by the EDPB.
What do processors have to document?
If you are a processor for the personal data you process, you need to document the following:
- Your organisation’s name and contact details.
- If applicable, the name and contact details of your data protection officer – a person designated to assist with UK GDPR compliance under Article 37.
- The name and contact details of each controller on whose behalf you are acting – the organisation that decides why and how the personal data is processed.
- If applicable, the name and contact details of your representative – another organisation that represents you if you offer services to people in the EU.
- If applicable, the name and contact details of each controller’s representative – another organisation that represents the controller if they monitor or offer services to people in the EU.
- The categories of processing you carry out on behalf of each controller – the types of things you do with the personal data, e.g. marketing, payroll processing, IT services.
- If applicable, the name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the UK.
- If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a limited number of people’s personal data, made because of a compelling legitimate interest, as referred to in the second paragraph of Article 49(1) of the UK GDPR.
- If possible, a general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.