List of mandatory documents required by the GDPR

The documentation of processing activities is a new legal requirement under the EU GDPR (General Data Protection Regulation).

Documenting your processing activities can also support good data governance, and help you to demonstrate your compliance with other aspects of the GDPR.

In this post we have listed all of the documentation, policies and procedures you must have if you want to be fully GDPR compliant.


Mandatory documents for GDPR compliance


Personal Data Protection Policy (Article 24)

A data protection policy is a statement that sets out how your organisation protects personal data.

It explains the GDPR’s requirements to your employees, and demonstrates your organisation’s commitment to compliance.

If you are unsure what your data protection policy should include, this template, created by our expert GDPR practitioners, can help you create one in minutes.

For more information, see: How to write a GDPR data protection policy – with template examples


Privacy Notice (Articles 12, 13, and 14)

A privacy notice is a public statement of how your organisation applies (and complies with) the GDPR’s data processing principles.

An essential part of compliance, it serves two purposes: to promotes transparency, and to provide individuals with more control over the way their data is used.

Our customisable template can help you produce a privacy notice in just a few minutes.

For more information, see: How to write a GDPR data privacy notice – with template example


Employee Privacy Notice (Articles 12, 13 and 14)

Under the GDPR, you must be more transparent and open than ever before about the employee-related data you process.

It is also a core GDPR principle for employers to process HR related data in a fair and transparent way.

An employee privacy notice is a key step towards compliance, and explains to an individual how a data controller (in this case, your organisation) processes an employee’s personal data.


Data Retention Policy (Articles 5, 13, 17, and 30)

A data retention (or records retention) policy outlines your organisation’s protocol for retaining information.

It is important that your organisation only retains data for as long as it’s needed.

This is because holding on to data for longer than necessary can take up valuable storage space and incur unnecessary costs.

When writing your data retention policy, you should consider two key factors:

1) How you are going to organise information so it can be accessed at a later date; and

2) How you will dispose of information that is no longer needed.

For more information, see: Top tips for data retention under the GDPR


Data Retention Schedule (Article 30)

A data retention (or records retention) schedule is a policy that defines how long data items must be kept.

It also provides disposal guidelines for how data items should be discarded.

You can create a GDPR-compliant retention and disposal schedule in minutes with our easy-to-use and customisable templates, developed by our expert GDPR practitioners.


Data Subject Consent Form (Articles 6, 7, and 9)

Consent is one lawful basis for processing personal data, and explicit consent can also legitimise the use of special category data.

If your organisation is processing personal data for a specific purpose, you must obtain permission from the data subjects in question with a consent form.

Consent under the GDPR is often misunderstood and mismanaged.

Below, we have outlined best-practice guidance for writing a GDPR consent form.

Best-practice guidance for writing a GDPR consent form

Unsure what your consent procedures should include?

Our easy-to-use and customisable templates can help you create a GDPR-compliant consent procedure in minutes.


Supplier Data Processing Agreement (Articles 28, 32, and 82)

If you use another organisation (i.e. a sub-processor) to assist with your processing of personal data, you need to have a written contract in place with that sub-processor.

This is known as a supplier data processing agreement.


DPIA Register (Article 35)

The DPIA Register is used to document your organisation’s Data Protection Impact Analysis (DPIA).

To learn more about how to conduct a DPIA, see our information page: Data Protection Impact Assessments under the GDPR.


Data Breach Response and Notification Procedure (Articles 4, 33, and 34)

You must create a procedure that applies in the event of a personal data breach under Article 33 – “Notification of a personal data breach to the supervisory authority” – and Article 34 of the GDPR – “Communication of a personal data breach to the data subject”.

Below is an example of what a data breach notification might look like,  available from the market-leading EU GDPR Documentation Toolkit:

GDPR Data Breach Response and Notification Procedure

For help writing your data breach notification procedure, see: How to write a GDPR data breach notification procedure – with template example.


Data Breach Register (Article 33)

You must maintain an internal record of all personal data breaches in a Data Breach Register.

The data breach register should contain details of the facts surrounding the breach, the effects of the breach, and any remedial action taken.


Data Breach Notification Form to the Supervisory Authority (Article 33)

If you have experienced a personal data breach that needs to be reported to the ICO, you will need to fill in the applicable data breach notification form.

For more information on data breach reporting, visit the ICO’s website.


Data Breach Notification Form to Data Subjects (Article 34)

You will need to complete a Data Breach Notification Form to Data Subjects if you have experienced a personal data breach that is likely to result in a “high risk to the rights and freedoms” of an individual.


GDPR documentation only required under certain conditions

Some GDPR documents are only applicable under certain conditions, including:


Data Protection Officer Job Description (Articles 37, 38, and 39)

You’ll need to appoint a DPO if:

(a) You are a public authority or body, except for courts acting in their judicial capacity; or

(b) Your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or

(c) Your core activities process on a large scale special categories of data and personal data relating to criminal convictions and offences.


Inventory of Processing Activities (Article 30)

This document is mandatory if:

(a) Your organisation has more than 250 employees; or

(b) The processing the you carry out is likely to result in a risk to the rights and freedoms of data subjects; or

(c) The processing is not occasional; or

(d) The processing includes special categories of data; or

(e) The processing includes personal data relating to criminal convictions and offences.


Standard Contractual Clauses for the Transfer of Personal Data to Controllers (Article 46)

This document is mandatory if you are transferring personal data to a controller outside the European Economic Area (EEA) and you are relying on model clauses as your lawful grounds for cross-border data transfers.


Standard Contractual Clauses for the Transfer of Personal Data to Processors (Article 46)

This document is mandatory if you are transferring personal data to a processor outside the European Economic Area (EEA) and you are relying on model clauses as your lawful grounds for cross-border data transfers.


GDPR documentation: simplified

Meet requirements quickly and avoid expensive consultancy fees with the market-leading GDPR Toolkit.

Written by lawyers and expert practitioners, it’s the most comprehensive toolkit on the market containing all the GDPR policies and procedures you need to demonstrate compliance while significantly reducing your implementation costs.

More than 3,000 organisations worldwide are already using the GDPR toolkit to simplify and accelerate their project – if you need help achieving GDPR compliance then this toolkit is for you.

This blog has been updated to reflect industry developments. Originally published Sep 14, 2017.