What do Data Controllers and Data Processors have to document?

Posted on: 31st January 2018


Now that we’ve covered the difference between a Data Controller and a Data Processor, we look at what responsibilities both controllers and processors have when it comes to documenting certain information.

The information below is collected from the official ICO website; you can read more about the official guidelines here.

Your document can simply be put together using Microsoft Word, in a similar fashion to a Privacy Policy, for example, so long as the document is either saved in your documents on your PC or printed off and filed away in a folder.

[Image: An example of the style in which you can document your information]

What do Data Controllers have to include in the Document?

  • Your organisation’s name and contact details.
  • If applicable, the name and contact details of your data protection officer. A data protection officer is a person designated to assist with GDPR compliance under Article 37, and having a DPO is a requirement in some circumstances.
  • If applicable, the name and contact details of any joint controllers. Joint controllers are any other organisations that decide jointly with you why and how personal data is processed.
  • If applicable, the name and contact details of your representative. A representative means another organisation that represents you if you are based outside the EU, but you monitor or offer services to people in the EU.
  • The purposes of the processing, explaining why you use personal data, e.g. customer management, marketing, recruitment.
  • The categories of individuals – the different types of people whose personal data is processed, e.g. employees, customers, members.
  • The categories of personal data you process – the different types of information you process about people, e.g. contact details, financial information, health data.
  • The categories of recipients of personal data. Recipients relate to anyone you share personal data with, e.g. suppliers, credit reference agencies, government departments.
  • If applicable, the name of any third countries or international organisations that you transfer personal data to – this refers to any country or organisation outside the EU.
  • If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a small number of people’s personal data, which is based on a compelling business need, as referred to in the second paragraph of Article 49(1) of the GDPR.
  • If possible, the retention schedules for the different categories of personal data – retention schedules refer to how long you will keep the data for. This may be set by internal policies or based on industry guidelines, for instance.
  • If possible, a general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.


What do Data Processors have to include in the Document?

This list is similar to the Data Controller requirements, with a few differences. If you are a processor for the personal data you process, you need to document the following:

  • Your organisation’s name and contact details.
  • If applicable, the name and contact details of your data protection officer – a person designated to assist with GDPR compliance under Article 37.
  • The name and contact details of each controller on whose behalf you are acting – the organisation that decides why and how the personal data is processed.
  • If applicable, the name and contact details of your representative – another organisation that represents you if you are based outside the EU but you monitor or offer services to people in the EU.
  • If applicable, the name and contact details of each controller’s representative – another organisation that represents the controller if they are based outside the EU, but monitor or offer services to people in the EU.
  • The categories of processing you carry out on behalf of each controller – the types of things you do with the personal data, e.g. marketing, payroll processing, IT services.
  • If applicable, the name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the EU.
  • If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a small number of people’s personal data, which is based on a compelling business need, as referred to in the second paragraph of Article 49(1) of the GDPR.
  • If possible, a general description of your technical and organisational security measures such as your safeguards for protecting personal data, e.g. encryption, access controls, training.

Need help getting your head round GDPR? Get in touch! For more GDPR Bitesize information, visit our news page.