Under GDPR, the Principles set out in the Data Protection Act 1998 have been reworded, though they have not changed significantly in substance.
The GDPR Principles are:
Lawfulness and Transparency;
Storage Limitation; and
Integrity and Confidentiality.
In addition, an overarching requirement of Accountability has been introduced.
Each Data Controller and Data Processor is expected to have enhanced documentation in relation to all data processing activities that the Information Commissioner’s Office (ICO) can choose to audit at any time.
As the ICO website makes clear, the GDPR contains explicit provisions about documenting data processing activities. Organisations must maintain records of matters such as processing purposes, data sharing, and retention, and will be required to make those records available to the ICO on request.
Records must be kept in writing, must be kept up to date and must reflect the organisation’s current processing activities.