We’re not going to lie: documenting your compliance with the GDPR may be one of the most manually intensive parts of meeting the requirements of the GDPR. Since there’s little information about it freely available online, we thought we’d pull together a short ‘how to’ guide for creating your own documentation.
Firstly, a quick overview to GDPR documentation
In order to show that you comply with the EU General Data Protection Regulation (GDPR), you will likely need to produce and maintain a wide range of documentation. This will not only help you meet the explicit and implicit requirements for specific records (especially proving you have obtained consent from data subjects), but will also ensure you have evidence to support your claims should the supervisory authority have any cause to investigate.
Which documentation is especially important?
- Statements of the information you collect and process, and the purpose for processing (Article 13 of the GDPR).
- Records of consent from data subjects or relevant holder of parental responsibility (Articles 7 and 8 of the GDPR).
- Records of processing activities under your responsibility (Article 30 of the GDPR).
- Documented processes for protecting personal data, such as an information security policy, cryptography policy and procedures, etc.
As with creating/maintaining documentation for any management system, there are these basic rules you should follow:
- It needs to be complete – don’t half-start something and expect it to be good enough.
- It needs to be comprehensive – be sure to leave nothing out.
- It should be in line with the GDPR – have a copy of the GDPR requirements beside you as you build your documentation.
- It must be tailored to suit your organisation – this part is really important, and quite often something that organisations forget. Make sure your documentation is applicable to your organisation. Too many times we’ve seen companies produce bare minimum, nondescript documentation that could apply to any organisation. Make it your own.
- The documentation should be made available to your staff, but with varying levels of access.
- Avoid duplication across documentation – where possible, documentation should be structured so that you don’t have to update things in multiple places.
- There should be a standard approach to your documents, so that they all have the same look and feel – version control, change history, format, etc.
- The documentation has a lifecycle: initial draft – published – retired.
- Documents should be controlled.
- Use job titles instead of names.
Get help producing GDPR-compliant documentation
To help you produce GDPR-compliant documentation quickly and easily, we have published the EU General Data Protection Regulation (GDPR) Documentation Toolkit.
This comprehensive, market-leading toolkit is used by hundreds of organisations worldwide and contains all the critical documents you will need in order to comply with the GDPR, including:
- A procedure for conducting a privacy audit.
- Templates for creating clear and accurate privacy notices.
- Data breach notification process and procedures.
- Subject access request templates and procedures.
- An international data transfer procedure.
- Consent form templates.
- Data protection impact assessment templates and procedures.
- Important information security policies and procedures to keep your information secure.