Appendix B Relevant organisational documents

Organisations should maintain the following documents, which detail the relevant procedures and policies:

Risk register

Details key risks, risk owners, mitigating steps and both severity and possibility. Severity measures how critical the impact of a potential risk may be, and possibility relates to the likelihood of the risk occurring. For example, a server-room fire may be classed as 'high severity' and 'low possibility', since the result may be catastrophic, but it is unlikely to occur.

Data retention policy

Documents how long data should be stored and backed up, both onsite and offsite. Describes who is responsible for data removal and how data is identified as being 'out of date'.

Data breach procedure

Describes the process to follow when a breach is identified or reported to the organisation. Should include contact details of the associated regulatory bodies, timescales and stakeholders who are responsible for carrying out the plan.

Data compliance statement

Describes how the organisation is compliant with data protection laws. This document should also include details of how users can ask for their data to be removed, and the process for subject-information requests, should the company support this.

Data processing details

Documents what personal data and client data are held and the reason for processing that data.

Roles and responsibilities of the data handling representative

Document detailing the roles and responsibilities of the data handling representative.

Data backup and recovery process

Documents which servers, applications and physical files are backed up, how often and the process by which the files are archived. Contact details of the relevant offsite recovery centres, and the process by which the data can be recovered and tested, should also be stored.

Business continuity document

References the data backup and recovery processes, but should also include details about physical infrastructure, such as telephony, PC and email access instructions, for use in the event of a major disaster that renders the building, the IT infrastructure or key personnel unavailable.