Submitted by admin on August 12, 2023

The Act does not require data controllers to complete a personal data inventory.

However, the Act requires data controllers to register with the Information Commissioner. Registration requires the submission of registration particulars, which include a description of the personal data being, or to be, processed by or on behalf of the data controller and the category or categories of the data subject to which they relate, and a description of the purpose or purposes for which the personal data are being or are to be processed.

In registering with the Information Commissioner, the data controller will need to describe the personal data it is processing, which includes signatures; the data controller will need to outline the category or categories of the data subject(s) to which this personal data relates and describe the purpose(s) for which the signatures are being processed.

In addition to registration, data controllers will also be required to submit a data protection impact assessment within ninety (90) days after the end of a calendar year.

This will include the following information:

  • a detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, considering the rights and legitimate interests of data subjects and other persons concerned.