In order to comply with the EU General Data Protection Regulation (GDPR), you must produce and maintain a wide range of documentation. This will not only help you meet the explicit and implicit requirements for specific records (especially proving you have obtained consent from data subjects), but will also ensure you have evidence to support your claims should the supervisory authority have any cause to investigate.
Although there are different requirements for data controllers and data processors, the responsibility for the documentation’s accuracy will generally be the controller’s. This is because they’re likely to suffer the consequences of a data breach regardless of who is to blame for it.
The following documentation is especially important:
- Statements of the information you collect and process, and the purpose for processing (Article 13 of the GDPR).
- Records of consent from data subjects or from the relevant holder of parental responsibility (Articles 7 and 8 of the GDPR).
- Records of processing activities under your responsibility (Article 30 of the GDPR).
- Documented processes for protecting personal data – for example an information security policy, a cryptography policy and its supporting procedures.
Help producing GDPR-compliant documentation
To help you produce GDPR-compliant documentation quickly and easily, we have published the EU General Data Protection Regulation (GDPR) Documentation Toolkit.
This comprehensive, market-leading toolkit is used by thousands of organisations worldwide and contains all the critical documents you will need in order to comply with the GDPR, including:
- A procedure for conducting a privacy audit
- Templates for creating clear and accurate privacy notices
- Data breach notification process and procedures
- Subject access request templates and procedures
- An international data transfer procedure
- Consent form templates
- Data protection impact assessment templates and procedures
- Important information security policies and procedures to keep your information secure
Extracts from this blog post were taken from Alan Calder’s EU GDPR – A Pocket Guide.