Once you have completed your information audit, you should document your findings, for example in an information asset register.
Doing this will also help you to comply with the GDPR’s accountability principle, which requires you to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.
You must record:
* the name and details of your business, each controller you are acting on behalf of, and the controllers’ representative (if relevant), your representative and the data protection officer;
* categories of the processing carried out on behalf of each controller;
* details of transfers to third countries including documentation of the transfer mechanism safeguards in place, if applicable; and
* where possible, a general description of technical and organisational security measures.
If you have fewer than 250 employees, you only need to keep these records for processing activities that:
* are not occasional;
* could result in a risk to the rights and freedoms of individuals; or
* involve the processing of special categories of data or criminal conviction and offence data.
You may be required to make these records available to the ICO on request.