How to create GDPR-compliant documentation

Documenting your compliance with the EU GDPR (General Data Protection Regulation) can be one of the most challenging parts of meeting its requirements. We’ve put together a short ‘how to’ guide for creating your own documentation and have provided a shortcut in the form of customizable templates.

GDPR documentation

In order to demonstrate your GDPR compliance, you will need to produce and maintain a wide range of documentation. This will not only help you meet the requirements for specific records (proving you have obtained consent from data subjects) but will also ensure you have evidence to support your claims should the supervisory authority have any cause to investigate.

 Important documentation

  • Statements of the information you collect and process, and the purpose for processing (Article 13)
  • Records of consent from data subjects or relevant holders of parental responsibility (Articles 7 and 8)
  • Records of processing activities under your responsibility (Article 30)
  • Documented processes for protecting personal data, such as an information security policy, cryptography policy and procedures, etc.

Top tips

As with creating and maintaining documentation for any management system, there are basic rules you should follow:

  • It needs to be complete – don’t leave something unfinished and expect it to be good enough
  • It needs to be comprehensive – be sure to leave nothing out
  • It should be in line with the GDPR – have a copy of the GDPR requirements beside you as you build your documentation
  • It must be tailored to suit your organization – this part is crucial but is often something that organizations forget. Make sure your documentation is applicable to your organization. Too many times we’ve seen companies produce bare-minimum, nondescript documentation that could apply to any organization. Make it your own.
  • It should be made available to your staff, but with varying degrees of access
  • Avoid duplication– where possible, documentation should be structured so that you don’t have to update things in multiple places.
  • There should be a standard approach to your documents so that they all have the same look and feel – version control, change history, format, etc.
  • Documentation has a lifecycle: initial draft – published – retired
  • Documents should be controlled
  • Use job titles instead of names

Get help producing GDPR-compliant documentation

GDPR Compliance toolkitTo help you produce GDPR-compliant documentation quickly and easily, we have published the EU GDPR Documentation Toolkit. This comprehensive, market-leading toolkit is used by thousands of organizations worldwide and contains all the critical documents you will need to comply with the GDPR, including:

  • A procedure for conducting a privacy audit
  • Templates for creating clear and accurate privacy notices
  • Data breach notification processes and procedures
  • Subject access request templates and procedures
  • An international data transfer procedure
  • Consent form templates
  • Data protection impact assessment templates and procedures
  • Important information security policies and procedures to keep your information secure

Download free sample documents from the full toolkit here >>

Some of these template documents are also available separately

These templates are suitable for organizations of all sizes and types in any location. They will enable you to make a GDPR-compliant document relevant to your business, in minutes.

EU GDPR Data Protection Policy Template

EU GDPR Privacy Notice Template

EU GDPR Privacy Procedure


GDPR toolkit demo banner