To demonstrate your compliance with the Regulation, you must maintain the necessary documentation. To continuously ensure the protection of the personal data you processed, you must regularly audit the actions and documentation relating to every phase of the processing operations.
You should in particular have the following records:
THE DOCUMENTATION RELATING TO YOUR PROCESSING ACTIVITIES
- The record of processing activities (for controllers) or categories of processing activities (for processors.) (Article 30)
- The data protection impact assessments carried out for the processing activities which are likely to result in high risks for the rights and freedoms of data subjects.(Articles 35+36)
- The framework for transfers of personal data outside the European Union (in particular standard data protection clauses, binding corporate rules and certification mechanisms). (Articles 44-50)
- The record of all personal data breaches, which must set out the consequences of the breach as well as the remedial action taken. (Articles 33+34)
INTERACTION WITH THE DATA SUBJECTS (Articles 13+14)
- The information to the data subjects.
- The manner in which the consent of the data subject is obtained.
- The procedures in place to enable data subjects to exercise their rights.
THE DOCUMENTATION SPECIFYING THE ROLES AND RESPONSABILITIES OF THE ACTORS INVOLVED
- The contracts with processors (Article 28).
- The internal procedures in the event of a data breach.
- The evidence that data subjects have given their consent, if consent is the lawful condition for processing.
Attention: This is not an exhaustive list and the required documentation may vary from one organisation to another.