Once you have completed your information audit, you should document your findings, for example in an information asset register.
Doing this will also help you to comply with the GDPR’s accountability principle, which requires your business to be able to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.
If you have fewer than 250 employees, then you must keep records of any processing activities that:
* are not occasional;
* could result in a risk to the rights and freedoms of individuals; or
* involve the processing of special categories of data or criminal conviction and offence data.
If you have over 250 employees, you must record the following information for each processing activity:
* name and details of your business (and where applicable, of other controllers, your representative and data protection officer);
* purposes of the processing;
* description of the categories of individuals and categories of personal data;
* categories of recipients of personal data;
* where applicable, details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
* retention schedules; and
* a general description of technical and organisational security measures.
You may be required to make these records available to the ICO on request.