The General Data Protection Regulation has already raised many controversies, and one of the biggest ones is certainly which procedures and documents are required.
Below you will find a list of the GDPR procedures and documents required if you want to be fully GDPR compliant:
Personal Data Protection Policy: this is a top-level document for managing privacy in your company, which defines what you want to achieve and how.
Privacy Statement: this document (which can also be published on your website) explains in simple words how you will process personal data of your customers, website visitors, and others.
Employee Privacy Notice: explains how your organization is going to process personal data of your employees (which could include financial, health or criminal records, etc.).
Data Retention Policy: describes the process of deciding how long a particular type of personal data will be kept, and how it will be securely destroyed.
Data Retention Schedule: lists all of your personal data and describes how long each type of data will be kept.
Data Subject Consent Form: this is the most common way to obtain consent from a data subject to process his/her personal data. When the data subject is a child, parental consent has to be obtained.
DPIA Register: this is where you’ll record all the results from your Data Protection Impact Assessment.
Data Processing Agreement: you need this document to regulate data protection with a processor or any other supplier.
Data Breach Response and Notification Procedure: describes what to do before, during, and after a data breach.
Data Breach Register: this is where you’ll record all of your data breaches.
Data Breach Notification Form to the Supervisory Authority: in case you do have a data breach, you’ll need to notify the Supervisory Authority in a formal way.
Data Breach Notification Form to Data Subjects: again, in case of a data breach, you’ll have the unpleasant duty to notify data subjects in a formal way.