Record keeping and accountability

The GDPR places a greater emphasis on the documentation that organisations must keep to demonstrate their compliance with the obligations under the GDPR. Both data controllers and data processors should review their approach to data governance and ensure that they have clear policies in place covering both their own internal compliance and any contracts or other arrangements which they have in place concerning the sharing of data with other organisations.



The GDPR introduces new provisions that elevate the significance of the accountability and transparency principles which were introduced by the DPA. From a practical perspective this is likely to mean organisations require more policies and procedures.

In order to comply with the accountability and transparency principles, the ICO is encouraging organisations to:

  • Implement appropriate technical and organisational measures that ensure and demonstrate compliance. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies
  • Maintain relevant documentation on processing activities
  • Take steps to minimise data capture and data processing
  • Use pseudonymisation where possible
  • Use Data Protection Impact Assessments where appropriate

One of the first steps which businesses should take to ensure their compliance with the accountability and transparency principles is to carry out an information audit and document what personal data they hold, where it came from and who it is shared with.   Our 5-step approach is designed to help you through this process, please get in touch if you would like to learn more. 


Record keeping

The GDPR contains comprehensive record keeping obligations which apply to organisations with more than 250 employees and organisations with less than 250 employees which are engaged in ‘high risk’ processing, such as: processing personal data that could result in a risk to the rights and freedoms of an individual, or processing of special categories of data or criminal convictions and offences.


Information which needs to be recorded includes:

  • The names and details of any relevant data controllers, Data Protection Officers and other representatives
  • A description of the categories of personal data which is collected / processed
  • The purposes of the data processing
  • The recipients of personal data
  • Details of transfers to third countries including documentation of the transfer mechanism safeguards in place (such as BCRs and data transfer contracts, for more information, see “International Data Transfers”)
  • Data retention policies
  • Details of the technical and organisational security measures in place to ensure the personal data is protected.