http://www.legislation.gov.uk/id/ukpga/2018/12

PART 4Intelligence services processing

CHAPTER 4Controller and processor

General obligations

102General obligations of the controller

Each controller must implement appropriate measures—

(a)

to ensure, and

(b)

to be able to demonstrate, in particular to the Commissioner,

that the processing of personal data complies with the requirements of this Part.