If you are a controller for the personal data you process, you need to document the following:
- Your organisation’s name and contact details.
- The name and contact details of your data protection officer – a person designated to assist with GDPR compliance under Article 37.
- The name and contact details of any joint controllers – any other organisations that decide jointly with you why and how personal data is processed.
- The purposes of the processing – why you use personal data, e.g. customer management, marketing, recruitment.
- The categories of individuals – the different types of people whose personal data is processed, e.g. employees, customers, members.
- The categories of personal data you process – the different types of information you process about people, e.g. contact details, financial information, health data.
- The categories of recipients of personal data – anyone you share personal data with, e.g. suppliers, credit reference agencies, government departments.
- The name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the EU.
- If possible, the retention schedules for the different categories of personal data – how long you will keep the data for. This may be set by internal policies or based on industry guidelines, for instance.
- A general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.