I am taking a look at the “Documentation of processing activities” at the moment. The requirements seem quite clear; what I am not entirely clear about is the way we can receive e.g. the sign-off from our (very many) data controllers, their DPO data, confirmation of data processing agreement etc. Does all of this need to be written (on paper)? Are digital forms acceptable? What digital forms are good? ParentPay have about 9000 customers, all of which are data controllers, and who we process data for. Would it be sufficient to ask them to “tick a box” in an online form, and confirm who their DPO is? Or does that process need to be somewhat more robust? Would we need to apply a form of proof of identity before accepting their submission?
As I understood from your query, the company you are representing is mainly acting as a data processor on behalf of various controllers. This means that you should have contracts or other binding documents in place with the controllers with specific data protection clauses (or Data Processing Agreements). Most of the information you need to fill in the Inventory of Processing Activities (the processor sheet) should be found in the documents mentioned above, documents that are signed by both controller and processor. Since you will use the information within these signed documents, you don't need any sign-off from the controllers.
Also notice that EU GDPR Article 30 requirements relate to the accountability obligation of controllers and processors as well, and it is meant to abolish the need to notify data processing activities to a local supervisory authority (albeit not actually file those records with the supervisory authority); thus you need to prove that you comply with these obligations to the Supervisory Authorities, and failure to comply would lead to your company being sanctioned and not the controller. This would make the sign-off from the controllers useless both from your or your controllers' point of view.
As for how to organize the Inventory of Processing Activities, this is up to you and the company you represent, depending on the business you are running and the sheer number of controllers. I would suggest either having an inventory for each controller or, if you perform the exact processing activities for multiple controllers, you could have one inventory for such groups.