Documenting your compliance with the EU GDPR (General Data Protection Regulation) can be one of the most challenging parts of meeting its requirements. We’ve put together a short ‘how to’ guide for creating your own documentation and have provided a shortcut in the form of customizable templates.
In order to demonstrate your GDPR compliance, you will need to produce and maintain a wide range of documentation. This will not only help you meet the requirements for specific records (for example, proving that you have obtained consent from data subjects) but will also ensure you have evidence to support your claims should the supervisory authority have any cause to investigate. The documentation you will need includes:
- Statements of the information you collect and process, and the purpose for processing (Article 13)
- Records of consent from data subjects or relevant holders of parental responsibility (Articles 7 and 8)
- Records of processing activities under your responsibility (Article 30)
- Documented processes for protecting personal data, such as an information security policy, cryptography policy and procedures, etc.
As with creating and maintaining documentation for any management system, there are basic rules you should follow:
- It needs to be complete – don’t leave something unfinished and expect it to be good enough
- It needs to be comprehensive – be sure to leave nothing out
- It should be in line with the GDPR – have a copy of the GDPR requirements beside you as you build your documentation
- It must be tailored to suit your organization – this part is crucial but is often something that organizations forget. Make sure your documentation is applicable to your organization. Too many times we’ve seen companies produce bare-minimum, nondescript documentation that could apply to any organization. Make it your own.
- It should be made available to your staff, but with varying degrees of access
- Avoid duplication – where possible, documentation should be structured so that you don’t have to update things in multiple places.
- There should be a standard approach to your documents so that they all have the same look and feel – version control, change history, format, etc.
- Documentation has a lifecycle: initial draft – published – retired
- Documents should be controlled
- Use job titles instead of names
Get help producing GDPR-compliant documentation
To help you produce GDPR-compliant documentation quickly and easily, we have published the EU GDPR Documentation Toolkit. This comprehensive, market-leading toolkit is used by thousands of organizations worldwide and contains all the critical documents you will need to comply with the GDPR, including:
- A procedure for conducting a privacy audit
- Templates for creating clear and accurate privacy notices
- Data breach notification processes and procedures
- Subject access request templates and procedures
- An international data transfer procedure
- Consent form templates
- Data protection impact assessment templates and procedures
- Important information security policies and procedures to keep your information secure
Some of these template documents are also available separately.
These templates are suitable for organizations of all sizes and types in any location. They will enable you to produce GDPR-compliant documents relevant to your business in minutes.