A key requirement of the GDPR is that an organisation's processing must be fair, transparent and have a lawful basis. This means creating an auditable, documented trail so that you can demonstrate compliance should ICO inspectors make enquiries to your Data Protection Officer or the senior stakeholder performing that role.
A lawful basis for processing needs to be recorded against each processing purpose the business engages in, with the applicable GDPR Article and paragraph number, for both the sensitive and non-sensitive personal data types collected. This is usually captured within a GDPR Controller Log. An example of such a template can be provided to get you started.
Not all companies need to produce this document; we can help by advising you on this requirement.