The UK Information Commissioner’s Office (ICO) has issued additional guidance on the documentation required under the EU General Data Protection Regulation (GDPR), accompanying its existing Guide to the GDPR. The GDPR contains explicit provisions that require firms to maintain internal records of all personal data processing activities. Among other things, records must be kept on processing purposes, data sharing, and retention. Documenting this information is linked to the principle of accountability and will help firms to demonstrate compliance with the GDPR.

The additional guidance is intended to help firms understand why documenting their processing activities is important, who must record, what must be recorded, and how records should be maintained.

If members have any questions or comments, please contact Oliver Robinson.