Why is documentation important? Is it a legal requirement?

Documenting your processing activities is important for several reasons. First, it is a legal requirement. Although you do not need to proactively provide these records to the ICO, you may have to make the information available on request; for example, for an investigation. As a key element of the accountability principle, documenting your processing activities can also help you to ensure (and demonstrate) your compliance with other aspects of the GDPR. For instance, it can help you with the following things:

  • Drafting your privacy notice – much of the information you have to document is very similar to what you need to tell people in your privacy notice.
  • Responding to access requests – knowing what personal data is held and where it is will help you to efficiently handle requests from individuals for access to their information.
  • Taking stock of your processing activities – this will make it much easier for you to address other matters under the GDPR such as ensuring that the personal data you hold is relevant, up to date and secure.

However, it’s not just about legal compliance with the GDPR; documentation will also help you do the following:

  • Improve data governance – highlighting and addressing data protection matters through documentation will support good practice in data governance. This can give you assurance as to data quality, completeness and provenance.
  • Increase business efficiency – knowing what personal data you hold, why you hold it and for how long, will help you to develop more effective and streamlined business processes.