“Due to the possible risks, the ICO expects controllers to take all necessary precautions to protect this data and we have published new guidance to help you do this.”
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/
“Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing.”
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/documentation/
Appropriate policy document template:
https://ico.org.uk/media/for-organisations/documents/2616286/appropriate-policy-document.docx
Full blog article
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/11/why-special-category-personal-data-needs-to-be-handled-even-more-carefully/