What should be in our Information Asset Register?

If you are a controller for the personal data you process, you need to document the following:

  • Your organisation’s name and contact details.
  • The name and contact details of your data protection officer – a person designated to assist with GDPR compliance under Article 37.
  • The name and contact details of any joint controllers – any other organisations that decide jointly with you why and how personal data is processed.
  • The purposes of the processing – why you use personal data, e.g. customer management, marketing, recruitment.
  • The categories of individuals – the different types of people whose personal data is processed, e.g. employees, customers, members.
  • The categories of personal data you process – the different types of information you process about people, e.g. contact details, financial information, health data.
  • The categories of recipients of personal data – anyone you share personal data with, e.g. suppliers, credit reference agencies, government departments.
  • The name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the EU.
  • If possible, the retention schedules for the different categories of personal data – how long you will keep the data. This may be set by internal policies or based on industry guidelines, for instance.
  • A general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.