It’s standard practice and a legal requirement in most organisations to keep documentation on the details of data sharing and data retention.
Documenting this information is an effective way of demonstrating that you comply with the General Data Protection Regulation (GDPR) and reinforces that you can be trusted with information and data security.
Although documenting processing activities is a new requirement under the GDPR, if you have registered with the Information Commissioner’s Office (ICO) under the Data Protection Act 1998, you will be familiar with the types of documentation they request.
The arrival of GDPR means that when an organisation registers with the ICO, they will no longer need to provide that information. They should simply make it available to the ICO if it is requested. The main emphasis will be on accountability.
As we touched on earlier, documentation is a legal requirement, but this good practice can be used in a number of ways, including improving your business efficiency and data governance.
Handling subject access requests is made a whole lot easier when you have accurately documented the personal data of your employees, customers and suppliers. When it comes to reviewing your processing activities, documentation will help you make sure that you are only holding relevant data.
If you run a small or medium-sized business then there is an exemption in place in the GDPR. This means that if you employ fewer than 250 people you only need to document data processing activities that are:
At the time of writing, the ICO noted:
“The Article 29 Working Party (WP29) is currently considering the scope of the exemption from documentation of processing activities for small and medium-sized organisations.
“WP29 includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
“If necessary, we will update this guidance to reflect the outcome of WP29’s discussions.”
Accountability is the main principle behind documentation, and much of the GDPR in fact. When you get to grips with that, demonstrating you are complying with your obligations under the GDPR should become second nature – particularly if you are running an information security management system!