Under GDPR, there is a requirement on data controllers to explicitly document their processing activities.
The Information Commissioner’s Officer recommend that a good way to start is by doing an information audit or data-mapping exercise to clarify what personal data your organisation holds and where. It is important that people across your organisation are engaged in the process; this can help ensure nothing is missed when mapping the data your organisation processes. It is equally important to obtain senior management buy-in so that your documentation exercise is supported and well resourced.
