The ICO exists to empower you through information.

Step 1 of 4: Documentation

1.1 Information you hold

You should organise an information audit across your business or within particular areas. One person with in-depth knowledge of your working practices may be able to do this.

This will identify the data that you process and how it flows into, through and out of your business, for example to any agreed sub processors or back to the controller.

Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).

Having audited your information, you should then be able to identify any risks.

Once you have completed your information audit, you should document your findings, for example in an information asset register.

Doing this will also help you to comply with the UK GDPR’s accountability principle, which requires you to show how you comply with the UK GDPR principles, for example by having effective procedures and guidance for staff.

You must record:

  • the name and details of your business, each controller you are acting on behalf of, and the controllers’ representative (if relevant), your representative and the data protection officer;
  • categories of the processing carried out on behalf of each controller;
  • details of transfers to third countries including documentation of the transfer mechanism safeguards in place, if applicable; and
  • where possible, a general description of technical and organisational security measures.

If you have fewer than 250 employees, you only need to keep these records for processing activities that:

  • are not occasional;
  • could result in a risk to the rights and freedoms of individuals; or
  • involve the processing of special categories of data or criminal conviction and offence data.

You may be required to make these records available to the ICO on request.