How should Data Protection/GDPR advice be documented?
GDPR advice should be recorded alongside the decision it informs, with context and rationale.
Why this matters
Advice without evidence carries little weight during investigations.
Which types of decision
Advice may inform a range of decisions or assessments, such as:
- Risks and DPIAs
- Subject Requests
- Incidents and breaches
- Complaints
- Due Diligence on suppliers
What to document
- The advice given
- When it was given
- Who received it
- How it influenced the decision
Who should document it
Typically the DPO or compliance function, independently of delivery teams.
Evidence of good practice
Advice logs linked directly to outcomes.
