Demonstrating compliance with the EU General Data Protection Regulation (GDPR) is one of its most labour-intensive requirements. You need to complete dozens of documents to prove that you have the necessary policies and procedures in place, and understanding the GDPR does not necessarily mean that you can produce this documentation.
To make that task easier, organisations should invest in our EU GDPR Documentation Toolkit. It includes customisable templates of every document you need, including:
Data protection impact assessments
The GDPR states that data protection impact assessments (DPIAs) are necessary for projects that are “likely to result in a high risk to the rights and freedoms of natural persons”.
By completing DPIAs, you can identify and examine a project’s potential effects on individual privacy and on compliance with data protection legislation. The Article 29 Working Party (WP29) believes that DPIAs should always be carried out before processing begins, as part of a proactive “privacy by design” approach.
Consent forms
A common misconception about the GDPR is that you always need consent to process personal data. In fact, there are six lawful grounds for processing data, and consent is the riskiest and least favourable of them.
Still, there will be times when it’s the only option, so you need to produce GDPR-compliant consent forms. This means you need to:
- Request as little data as possible: Data should be collected for a specific purpose, used only for that purpose and retained for only as long as it meets that purpose. You’ll typically need individuals’ names and contact information at the very least, but you must decide what other information, if any, is necessary for the task at hand.
- Make the terms and conditions clear: You can’t hide the terms and conditions for consent, and you can’t make them so vague or complicated that people won’t read or understand them. Consent mechanisms must be easy to use and kept separate from other terms and conditions, and requests must be written clearly and concisely.
- Make it easy to withdraw consent: Consent requests need to make it as easy (or easier) for individuals to withdraw their consent as it is for them to give it. This means individuals need to be told straight away that they can withdraw their consent at any time, and you must explain how to do it.
A description of the data protection officer role
Although only some organisations are required to appoint a data protection officer (DPO), WP29 advises all organisations to appoint one as a matter of good practice.
The DPO has a variety of tasks, and organisations should use this document to establish the DPO’s remit. This will help the DPO, management and other staff understand how the organisation is meeting the GDPR’s requirements.
A data protection policy
It’s essential that staff know how to process data lawfully and whom to approach if they have any questions. A data protection policy should cover both of these elements.
Having a DPO helps with both, as the DPO is responsible for making sure that staff comply with the policy.
A data breach notification procedure
The GDPR defines a data breach as the accidental or unauthorised destruction, loss, alteration, disclosure of, or access to, personal data. Organisations need to report a breach when it is likely to result in a risk to the rights and freedoms of individuals. This covers significant economic or social disadvantages, such as discrimination, reputational damage or financial loss.
Any breach that meets these requirements must be reported within 72 hours of discovery. To achieve this, all employees, contractors, temporary staff and third parties need to be aware of, and follow, a data breach notification procedure.
Our toolkit includes a template that outlines the obligatory steps you need to follow, and shows you where you need to fill in specific information – such as the supervisory authority you need to report to.
Subject access request forms and procedures
Under the GDPR, all organisations need to give individuals the right to obtain:
- Confirmation that their data is being processed;
- Access to their personal data; and
- Other supplementary information (mostly the information provided in privacy notices).
The procedure for making and responding to subject access requests remains similar to most current data protection laws, but the GDPR introduces some changes.
Take a look at our EU GDPR Documentation Toolkit
The documents listed here are just the beginning of our EU GDPR Documentation Toolkit. It also covers training policies, privacy procedures, data portability procedures, an audit checklist for compliance and much more.