You have an obligation to be accountable under the General Data Protection Regulation (GDPR), i.e. you are responsible for, and must be able to prove, compliance with the GDPR. Having written records and other documents will help you achieve this.
Documenting processing activities
Businesses with fewer than 250 employees only need to document processing activities that:
- are not occasional; or
- could result in a risk to the rights and freedoms of the tenant whose information is being processed; or
- involve the processing of special categories of data (previously called sensitive data) or criminal conviction and offence data.
You must document the following information for the above processing activities:
- The name and contact details of your organisation and, where applicable, other controllers, your business's ICO representative and your data protection officer.
- The purpose and lawful basis of your processing.
- A description of the categories of individuals whose personal data is being processed.
- The categories of recipients of the personal data.
- Details of your transfers of personal data to other organisations and to countries outside the EEA (the EEA being Norway, Liechtenstein, Iceland and all the countries in the EU), including documentation of the transfer mechanism safeguards in place.
- Retention schedules.
- A description of your technical and organisational security measures.
Documents and records
Examples of other documents that will help you meet your duty of accountability include:
- Records of processing activities. The Information Commissioner's Office (ICO) has a template you can use to do this.
- The privacy notices given to tenants.
- A data protection policy.
- Records of any consents you've obtained.
- Any contracts you have with external reference agencies with which you have shared tenant information (each contract should state how the agency will use and protect the tenant's personal information).
The ICO may ask you to provide your records. The records, which should reflect your current processing activities, should be kept up to date and in writing. They can be held electronically. See the ICO website for more information.