Use this tracker before rewriting anything. The aim is to update existing documents cleanly, not restart the whole GDPR folder.
| Document | Current version date | Profession-specific update area | Status | Owner |
|---|---|---|---|---|
| Privacy notice | client consultation forms, allergy notes, patch test records, treatment notes, before and after photos, appointment records, invoices, and marketing preferences. | |||
| Client consent form | consultation forms, allergy or skin information, patch tests, treatment photos, portfolio use, marketing consent, and service messages kept separate. | |||
| Complaints process | Data protection complaint route, 30 day acknowledgement, investigation notes, updates, and outcome response. | |||
| Subject access process | Search locations, identity checks, third-party data review, response log, and deadline ownership. | |||
| Retention schedule | consultation cards, patch test records, treatment history, photo consent, complaints, incidents, invoices, and marketing consent records. | |||
| Breach log | Incident details, data involved, people affected, action taken, risk decision, reporting decision, and final outcome. | |||
| Supplier register | Booking, payments, messaging, forms, storage, accounting, website, and any specialist software. |