All personal data that you hold should be documented and you should make a record of where it came from and who you share it with. You may need to organise an information audit across the business.

 

The GDPR requires you to maintain records of your processing activities. If you have any inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records.

 

You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. You should document all data processing activities. Doing this will also help you to comply with the GDPR’s accountability principle, which requires businesses to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.

 

At least some of this work is likely to have been done for the purposes of pre-GDPR Data Protection Act compliance, and once you have done the initial work to comply with the new legislation, ongoing compliance will be far less onerous.