GDPR Readiness Documentation Scheme

Before personal data are processed using a product, process, service or AI system, the processing activities need to be identified, assessed, and documented. In some instances, this information must be made available to the supervisory authority on request so that it can serve to monitor a data controller’s processing operations. There is also an obligation to provide data subjects with certain information at the time when personal data are obtained from the data subject, or in response to a data subject request.

In order to demonstrate compliance with the pre-processing documentation obligation, the controller must prepare, inter alia:

  • description of the processing activity including data flows and interfaces
  • notifications to data subjects
  • responding to data subject requests
  • purpose specification
  • legitimate interest justification
  • necessity and proportionality justification
  • risk assessments
  • data protection policies
  • data protection by design and default
  • documentation of current technical and organisational measures
  • contract with data processors
  • obligations imposed on sub-processors
  • information made available by the data processor to the data controller
  • contracts with natural persons acting under the authority
  • documentation of suitable safeguards for international transfers
  • tests, assessments and evaluations of the effectiveness of technical and organisational measures
  • internal breach register
  • DPIA process description.
