A golden thread throughout the GDPR is the need to be able to demonstrate compliance. Being able to demonstrate compliance depends on good record keeping, whether in written, aural (sound clips), visual (photographs) or other forms. GDPR has 34 references to the need to be able to show compliance. As examples, consider the following:
As almost an overview of the need to show compliance, articles such as 5.2 and 24.1, and Recital 74 require data controllers to be able to demonstrate that processing is performed in accordance with GDPR.
Then there are specific cases: For marketers, Recital 42 requires data controllers (businesses that decide what processing to do using customer data vs data processers that are businesses that are given instructions about what to do with customer data, like outsourced contact centres) to be able to provide proof that (explicit) consent was given.
In the interests of fair and transparent processing, Recital 60 requires that the methods of data processing be communicated to the data subjects, which would most likely take the form of documentation.
Then recitals like 83 require both controllers and processors to evaluate the privacy and security risks involved in their data processing, and to ensure that those risks are mitigated. Not only this, Recital 78 requires controllers to adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. These policies and measures are again a form of documentation.
GDPR is rich in its requirement for proof and evidence of compliance. Does your documentation meet the standards required by GDPR?