One of the more laborious demands of the EU’s GDPR (General Data Protection Regulation) is the requirement to have dozens of documents available that prove you have the necessary policies and procedures in place. Understanding the GDPR doesn’t necessarily mean that you can or have the time to create this documentation.
To make that task easier, you could invest in our EU GDPR Documentation Toolkit. It includes customizable templates of every document you need, including:
Data protection impact assessments
The GDPR states that DPIAs (data protection impact assessments) are necessary for projects “likely to result in a high risk to the rights and freedoms of natural persons”. By completing a DPIA, you can identify and examine the project’s potential effects on individual privacy and compliance with data protection legislation. The Article 29 Working Party believes that the DPIA should always be carried out before processing and become part of a proactive ‘privacy by design’ approach.
A common misconception of the GDPR is that you need to get consent to process personal data. In fact, there are six lawful grounds for processing data, of which consent is the riskiest and least favorable. Still, there will be times when it’s the only option, meaning that you need to produce GDPR-compliant consent forms. This means you need to:
- Request as little data as possible: Data should be collected for a specific purpose, used only for that purpose, and retained for only as long as necessary to achieve that purpose. You’ll typically need individuals’ names and contact information, in addition to any other information necessary for the task at hand. It’s up to you to specify what that information is.
- Make the terms and conditions clear: You can’t hide the terms and conditions for consent, and you can’t make them so vague or complicated that people won’t be able to read or understand them. Consent mechanisms must be easy to use and kept separate from other terms and conditions, and requests must be written clearly and concisely.
- Make it easy to withdraw consent: Consent requests need to make it as easy (or easier) for individuals to withdraw their consent as it was for them to give it. This means individuals need to be told straight away that they can withdraw their consent at any time, and you must explain how to do it.
A description of the data protection officer role
Although not every organization needs to appoint a DPO (data protection officer), the WP29 advises all organizations to appoint one as a matter of good practice.
The DPO has a variety of tasks, and organizations should use this document to establish their remit. This will help the DPO, management, and other staff understand how the organization is meeting the GDPR’s requirements. We offer a DPO as a service.
A data protection policy
It’s essential that staff know how to process data lawfully and who to approach if they have any questions. A data protection policy should cover both elements.
Having a DPO will be beneficial for both elements, as the DPO is responsible for making sure that staff comply with the policy.
A data breach notification procedure
The GDPR defines a data breach as the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data”. Organizations need to report a breach when it is likely to result in a risk to the rights and freedoms of individuals. This covers significant economic or social disadvantages, such as discrimination, reputational damage, or financial losses.
Any breach that meets these requirements must be reported within 72 hours of becoming aware of it. To achieve this, all employees, contractors, temporary staff, and third parties need to be aware of, and follow, a data breach notification procedure.
Our toolkit includes a template that outlines the obligatory steps you must follow, and shows you where you need to fill out specific information – such as the supervisory authority you need to report to.
Subject access request forms and procedures
Under the GDPR, all organizations need to give individuals the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information (mostly the information provided in privacy notices)
The procedure for making and responding to subject access requests remains similar to most current data protection laws, but the GDPR introduces some changes.
Read our blog “How to write a GDPR-compliant data subject access request procedure” for more information on this documentation.
A privacy notice is a public, easy-to-understand statement of how your organization adheres to the data processing principles. Read our blog “How to write a GDPR privacy notice – with example documentation template” for more information, or get a customizable privacy notice template here.
Your privacy procedure should explain in detail how your organization protects data subjects’ rights, describing who is responsible for each step and what the outcomes should be. Get a customizable privacy procedure template here.
Take a look at our EU GDPR Documentation Toolkit
The documents listed here are just the beginning of our EU GDPR Documentation Toolkit. It also covers training policies, data portability procedures, an audit checklist for compliance, and much more. Used by thousands of organizations worldwide, the toolkit provides all the templates, worksheets, and policies required to comply with the Regulation.