Is documentation something new?
Yes – documentation is a new requirement under the GDPR. It is mainly about keeping internal records of your processing activities. It reflects the increased importance of accountability and your obligation to ensure (and demonstrate) that what you do with people’s personal data is in line with the GDPR. Article 30 sets out the different types of information you need to document, including the purposes of processing, categories of personal data and recipients of personal data.
Don’t we do this already?
There are some similarities between documenting your processing activities under the GDPR and the information you had to provide when registering with the ICO under the Data Protection Act 1998 (the 1998 Act). A key difference is that you no longer need to proactively provide this information to the ICO as part of an annual registration process. However, you may have to make it available to the ICO on request; for example, for an investigation.
What should we do now?
You can use your existing register entry for the 1998 Act as a basis from which to create your record of processing activities. You may wish to do an information audit to get a more comprehensive view of the types of personal data you hold and what you do with it. Your processing activities must be documented in writing and you need to ensure this is in place by 25 May 2018.