The General Data Protection Regulation has already raised many controversies, and one of the biggest is certainly which procedures and documents it requires.
Below is a list of the GDPR procedures and documents you will need if you want to be fully compliant. Some are named explicitly in the Regulation (privacy notices, processor agreements, breach records); the rest are the accepted way of demonstrating the accountability the Regulation demands:
- Personal Data Protection Policy: the top-level document for managing privacy in your company, which defines what you want to achieve and how.
- Privacy Statement: explains in plain words how you process the personal data of your customers, website visitors and other data subjects; it can also be published on your website.
- Employee Privacy Notice: explains how your organization processes the personal data of its employees (which could include financial, health or criminal records).
- Data Retention Policy: describes the process for deciding how long a particular type of personal data will be kept, and how it will be securely destroyed once that period ends.
- Data Retention Schedule: lists every type of personal data you hold and states how long each will be kept.
- Data Subject Consent Form: the most common way to obtain consent from a data subject to process his or her personal data. Where the data subject is a child, the consent of a parent or guardian has to be obtained.
- DPIA Register: where you record the results of your Data Protection Impact Assessments.
- Data Processing Agreement: needed to regulate data protection with a processor or any other supplier that handles personal data on your behalf.
- Data Breach Response and Notification Procedure: describes what to do before, during and after a data breach.
- Data Breach Register: where you record all of your data breaches, including those you decide do not need to be reported, together with the reasoning behind that decision.
- Data Breach Notification Form to the Supervisory Authority: if you do have a data breach, you need to notify the Supervisory Authority in a formal way, without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the data subjects.
- Data Breach Notification Form to Data Subjects: again, in case of a data breach, you have the unpleasant duty to notify the affected data subjects in a formal way when the breach is likely to result in a high risk to their rights and freedoms.