The principle of accountability is an essential part of the GDPR. Organisations must not only comply with the Regulation but also be able to demonstrate that they comply. This requires thorough record-keeping. Article 30 sets out the data processing records that you must maintain:
- Your organisation’s name and contact details;
- The purposes of the processing;
- Descriptions of the categories of data subjects and categories of personal data;
- The categories of recipients of personal data;
- Details of transfers to third countries and international organisations, if applicable;
- Envisaged data retention schedules for different categories of data, where possible; and
- A description of the technical and organisational security measures you have implemented.
A data map will help you identify the information your organisation processes, and exactly how it is processed.