If you’ve read anything about the EU General Data Protection Regulation (GDPR), you’ll know that it obliges organizations to keep data secure, gives data subjects more freedom regarding their data, and affects organizations across the globe. Even if your organization is based in the US, you’ll still be subject to the Regulation if you process EU residents’ personal data.
You may be less familiar with how you should comply and how you can prove that you do so. Software company SAP writes that almost half of the GDPR’s articles relate to “business procedures associated with policies, controls, record-keeping, and the accountabilities of different roles and entities,” adding that: “To avoid costly penalties, governance of policies, processes, and people must be clearly defined and documented.”
These documents cover a wide range of issues and need to be regularly updated. Well-maintained documentation will not only help you meet the explicit and implicit requirements for specific records but will also help protect your organization should the supervisory authority investigate your compliance practices. The records the Regulation explicitly calls for include:
- Records of consent from data subjects or the relevant holder of parental responsibility (Articles 7 and 8)
- Statements of the information you collect and process, and the purpose for processing (Article 13)
- Records of processing activities (Article 30)
- Documented processes for protecting personal data, such as an information security policy (Article 32)
When creating policies, you need to make sure you don’t leave out any requirements. The Regulation has many nuances, so you should have a copy of the GDPR for reference as you build your documentation. It’s just as important to tailor each policy to your organization. It’s no good creating a policy that covers every requirement of the GDPR if it either doesn’t address your organization’s needs or discusses issues that don’t apply to your organization.
If you want help preparing your policies, you should take a free trial of our EU General Data Protection Regulation (GDPR) Documentation Toolkit.
This toolkit contains easy-to-use templates, customizable worksheets, policies, and expert guidance. It will help you:
- Identify risks to personal data and put in place the necessary controls to resolve those issues
- Embed the documentation in your organization quickly and easily
- Integrate GDPR documentation alongside your ISO 27001 documentation