Documentation
-
The Data (Use and Access) Act 2026 got Royal Assent on 19 June 2025. All the provisions affecting data protection law and the Privacy and Electronic Regulations Communications are now in force. The Department for Science and Innovation (DSIT) has set out the commencement plans. You can find more details on the Gov.uk website.
This guidance discusses documentation in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you apply documentation in practice. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.
If you haven’t yet read documentation in brief in the Guide to GDPR, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.
Contents
What is documentation?
Who needs to document their processing activities?
- Do all organisations need to document their processing activities?
- What about small and medium-sized organisations?
What do we need to document under Article 30 of the GDPR?
Should we document anything else?
- Are there other things that need documenting?
- Should we document anything for our privacy notice?
- What about consent?
- Is there anything else we should document?
How do we document our processing activities?
- How should we prepare?
- What steps should we take next?
- How should we document our findings?
- What should we document first?
- Is there a template we can use?
- What if we have an existing documentation method?
- Do we need to update our record of processing activities?