A big part of GDPR concerns keeping track of what you do through written documentation. In previous posts, we discussed the different roles, the responsibilities each of them carries, and the types of legal basis under which you can process personal data. All of this needs to be documented by controllers and processors, so they can actually demonstrate how and why they are processing the data.
The basis of this register is the Data Processing Agreement (DPA): a contract between a controller and a processor, or between a processor and a sub-processor (the required contents are laid out in Article 28 GDPR). It outlines which data may be processed, in what way, and all other conditions that apply to the processed data. To be fully compliant with GDPR, the DPA between a processor and a sub-processor must impose the same data protection obligations as the DPA between the controller and the processor.
In practice, this is close to impossible in some cases, especially when dealing with larger companies. It's not easy to ask Facebook or Google to change their DPA to bring it in line with the DPA you've signed with your controller. The GDPR isn't clear on how you should handle these kinds of situations right now, but this will probably become clearer after a couple of months.
You need to be able to identify when you're going to process a new kind of personal data, or when you're going to let a new third party process your data. If that is the case, you need to get it registered and approved before the processing starts. To make our lives easier, there are digitized registers available on the market.