Once you have completed your information audit, you should document your findings, for example in an information asset register.
Doing this will also help you to comply with the GDPR’s accountability principle, which requires your business to be able to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.
If you have fewer than 250 employees then you must keep records of any processing activities that:
* are not occasional;
* could result in a risk to the rights and freedoms of individuals; or
* involve the processing of special categories of data or criminal conviction and offence data.
If you have over 250 employees, you must record the following information:
* name and details of your business, each controller on behalf of which you are acting, and (where applicable) of the controllers’ representative, your representative and data protection officer;
* categories of the processing carried out on behalf of each controller;
* where applicable, details of transfers to third countries including documentation of the transfer mechanism safeguards in place; and
* where possible, a general description of technical and organisational security measures.
You may be required to make these records available to the ICO on request.