Keeping records
[ch 1: page 9]Article 30 of the GDPR places a specific duty on both data controllers and data processors to keep the following records. The records must be in writing and in electronic form. They must be made available to the supervisory authority (the ICO) on request.
Note that this does not apply to organisations employing fewer than 250 people, unless: the processing is likely to risk the rights and freedoms of data subjects; it is more than occasional; it includes special categories of data, or personal data relating to criminal convictions and offences.