Whether you are starting from scratch, revising existing data protection policies or using templates from a professional provider, documenting your GDPR measures and controls is a labour-intensive task.
While the Regulation and ICO guidance provide sufficient information on what you are expected to document, it can still be overwhelming to sift through that information and identify which GDPR documentation requirements are mandatory and which are merely suggested. Preparing for the GDPR is about understanding your obligations and implementing the policies, documents and measures that help you to meet and maintain them.
Mandatory & Important GDPR Documents & Records
Some of the GDPR documentation requirements apply to every organisation, while others depend on business specifics such as the type of processing, number of employees, risk posed etc.
The GDPR directly states some of the requirements, with others being implied through the Article and Recital text. These include:
- Data Protection Policy
- Privacy Notice with Article 13/14 Information Disclosures
- Records of Consent from Data Subjects or Parental/Guardian Consent
- Procedures for Subject Access Requests
- Procedures & Notifications for Subject Rights (data portability, erasure, correcting inaccurate data, objecting to, or restricting processing, automated decision-making)
- Retention & Erasure Policy & Schedule
- Procedures for Data Breaches & Notifications
- Procedures for Non-EU Data Transfers & Documented Safeguarding Measures
- Documented Technical & Organisational Measures for Processing Security (e.g. Information Security Policies, Passwords, Encryption Methods etc.)
- Records of Processing Activities (where applicable)
- Data Protection Officer Appointment, Duties & Notifications (where applicable)
- Processor Agreements (where applicable)
- Data Protection Impact Assessment (DPIA) Procedures & Records (where applicable)
Useful GDPR Documents & Actions
In addition to the mandatory GDPR documentation requirements, there is also a list of ‘best practice’ documents and records that help to demonstrate your commitment to the GDPR and aid your compliance with the accountability principle. These can include:
- Information Audit – document the what, where, when, how and who of your personal data
- Privacy Notice Register – keep a record of your Privacy Notices (e.g. customers, website, employees etc.), so that the last revision date, purpose etc. are easy to find
- Access Request Response Templates – make your responses to SARs consistent and compliant with pre-formatted response templates that you can use each time
- Staff Training Program – GDPR training, training policies, evaluation forms, assessments of GDPR knowledge & understanding etc
- Internal Audit & Review Policy & Procedures – once you have the compliant policies, procedures and measures in place, you will need to regularly audit, assess and review them for continued compliance, ensuring that they continue to be adequate and fit for purpose
Data Protection Your Way
With so many documentation requirements, many organisations are purchasing customisable policy and procedure templates from GDPR compliance providers, or using alternative templates for their GDPR requirements. While this is a useful and time-saving approach, it is essential that you do not forget the unique factor – YOU!
You must customise or write any GDPR-specific documents with your organisation and services in mind. One size does not fit all in regulatory compliance, so it is important that you read through any procedures, objectives and policies, making sure that they align with your core objectives, ethos and business activities.
Involve employees from the start! Don’t have one person (or a team) preparing and implementing everything and then springing it on your employees when it’s ready. Your staff are the people carrying out your daily activities and have valuable insight into best practice and the procedures they actually follow.
Make your documents and approach comprehensive and relevant! Generic or summarised documents will not serve you or evidence your compliance with the GDPR. Documenting everything now will save time, money and resources in the future.
GDPR Preparation & Compliance
It is important to remember that whilst GDPR documentation, measures and controls are an important part of your preparation and ongoing compliance, the documents alone are not a complete compliance solution to the new data protection Regulation and associated laws.
You can have all the procedures and documents required and still not be compliant! It is important to instil an ethos of compliance throughout the organisation – ensuring that staff are aware of the changes and their obligations. Ensure documents, objectives and responsibilities are disseminated and understood; create reporting lines and clear support systems for your employees and ensure regular GDPR training and support sessions so that requirements can be discussed, and any gaps identified.
Help with GDPR Documentation & Templates
We know how many policies, procedures, documents and templates are required to comply with the GDPR, because we have already written them all (plus many others that support GDPR compliance). From our standard £58 GDPR Policy Pack, through to our market-leading GDPR Documentation Toolkit, we have covered everything noted in this article and more.
Our EU GDPR Documentation Toolkit and other GDPR document templates are fully customisable, ready for corporate branding and come in easy-to-use Microsoft Office formats, with free updates. Used by hundreds of organisations in sectors such as government, healthcare, education, charity, finance, consultancy, recruitment and many more, our essential GDPR document sets contain the mandatory and important documents required to comply with the GDPR and can greatly aid your preparation and compliance.