In addition to having a clear and detailed policy in place, it is also important to put in place agreements with parties with whom personal data are being exchanged.
More often than not, companies and organisations make use of various services that encompass the processing of data.
Examples from an information technology perspective include web and email hosting, cloud services such as Dropbox and iCloud, email services like MailChimp and Flexmail.
Also, HR processes entail the exchange and processing of employee information, such as social security funds, insurance companies, car leasing companies, etc.
Also here, the GDPR puts in place general requirements, which need to be translated and adapted into concrete documents which will cover such data processing activities.