This guidance discusses documentation in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you apply documentation in practice. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

If you haven’t yet read ‘documentation in brief’ in the Guide to GDPR, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

Contents

What is documentation?

What does the GDPR say about documentation?

Why is documentation important?

Who needs to document their processing activities?

Do all organisations need to document their processing activities?

What about small and medium-sized organisations?

What do we need to document under Article 30 of the GDPR?

What do controllers have to document?

What do processors have to document?

Should we document anything else?

Are there other things that need documenting?

Should we document anything for our privacy notice?

What about consent?

Is there anything else we should document?

How do we document our processing activities?

How should we prepare?

What steps should we take next?

How should we document our findings?

What should we document first?

Is there a template we can use?

What if we have an existing documentation method?

Do we need to update our record of processing activities?