The documentation of processing activities is a new legal requirement under the EU GDPR (General Data Protection Regulation).
Documenting your processing activities can also support good data governance, and help you to demonstrate your compliance with other aspects of the GDPR.
In this post, we have listed all the documentation, policies and procedures you must have if you want to be fully GDPR compliant.
Personal Data Protection Policy (Article 24)
A data protection policy is a statement that sets out how your organisation protects personal data.
It explains the GDPR’s requirements to your staff, and demonstrates your organisation’s commitment to compliance.
If you are unsure what your data protection policy should include, this template can help you create one in minutes.
See also: How to write a GDPR data protection policy – with template examples
Privacy Notice (Articles 12, 13, and 14)
A privacy notice is a public statement of how your organisation applies (and complies with) the GDPR’s data processing principles.
An important part of compliance, it serves two purposes: to promote transparency and to give individuals more control over the way their data is used.
Our customisable template can help you produce a privacy notice in just a few minutes.
See also: How to write a GDPR data privacy notice – with template example
Employee Privacy Notice (Articles 12, 13 and 14)
Under the GDPR, you must be more transparent and open than ever before about the employee-related data you process.
It is also a core GDPR principle that employers process HR-related data fairly and transparently. An employee privacy notice is an essential step towards compliance. It explains to an individual how a data controller (in this case, your organisation) processes an employee’s personal data.
Data Retention Policy (Articles 5, 13, 17, and 30)
A data retention (or records retention) policy outlines your organisation’s protocol for retaining information.
It is essential that your organisation only retains data for as long as it is needed.
This is because holding on to data for longer than necessary can take up valuable storage space and incur unnecessary costs.
When writing your data retention policy, you should consider two key factors:
1) How you will organise information so it can be accessed at a later date; and
2) How you will dispose of data that is no longer needed.
See also: Top tips for data retention under the GDPR
Data Retention Schedule (Article 30)
A data retention (or records retention) schedule is a policy that defines how long data items must be kept.
It also provides disposal guidelines for how data items should be discarded.
You can create a GDPR-compliant retention and disposal schedule in minutes with our easy-to-use and customisable templates, developed by our expert GDPR practitioners.
Data Subject Consent Form (Articles 6, 7, and 9)
Consent is one lawful basis for processing personal data, and explicit consent can also legitimise the use of special category data.
If your organisation is processing personal data for a specific purpose, you must obtain permission from the data subjects in question with a consent form.
Consent under the GDPR is often misunderstood and mismanaged.
Below, we have outlined best-practice guidance for writing a GDPR consent form.
Unsure what your consent procedures should include?
Our easy-to-use and customisable templates can help you create a GDPR-compliant consent procedure in minutes.
Supplier Data Processing Agreement (Articles 28, 32, and 82)
If you use another organisation (i.e. a sub-processor) to assist with your processing of personal data, you need to have a written contract in place with that sub-processor.
This is known as a supplier data processing agreement.
DPIA Register (Article 35)
The DPIA Register is used to document your organisation’s Data Protection Impact Assessments (DPIAs).
To learn more about how to conduct a DPIA, see our information page: Data Protection Impact Assessments under the GDPR.
Data Breach Response and Notification Procedure (Articles 4, 33, and 34)
You must create a procedure that applies in the event of a personal data breach under Article 33 – “Notification of a personal data breach to the supervisory authority” – and Article 34 of the GDPR – “Communication of a personal data breach to the data subject”.
Below is an example of what a data breach notification could look like, available from the market-leading EU GDPR Documentation Toolkit:
For help writing your data breach notification procedure, see: How to write a GDPR data breach notification procedure – with template example.
Data Breach Register (Article 33)
You must keep an internal record of all personal data breaches in a Data Breach Register.
The data breach register should contain details of the facts surrounding the breach, the effects of the breach, and any remedial action taken.
Data Breach Notification Form to the Supervisory Authority (Article 33)
If you have experienced a personal data breach that needs to be reported to the ICO, you will need to fill in the appropriate data breach notification form.
For more information on data breach reporting, visit the ICO’s website.
Data Breach Notification Form to Data Subjects (Article 34)
You will need to complete a Data Breach Notification Form to Data Subjects if you have experienced a personal data breach that is likely to result in a “high risk to the rights and freedoms” of an individual.
Some GDPR documents are only applicable under certain conditions, including:
Data Protection Officer Job Description (Articles 37, 38, and 39)
You must appoint a DPO if:
- You are a public authority or body, except for courts acting in their judicial capacity;
- Your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- Your core activities consist of large-scale processing of special categories of data and personal data relating to criminal convictions and offences.
Inventory of Processing Activities (Article 30)
This document is mandatory if:
- Your organisation has more than 250 employees; or
- The processing you carry out is likely to result in a risk to the rights and freedoms of data subjects; or
- The processing is not occasional; or
- The processing includes special categories of data; or
- The processing includes personal data relating to criminal convictions and offences.
Standard Contractual Clauses for the Transfer of Personal Data to Controllers (Article 46)
This document is mandatory if you are transferring personal data to a non-EU member state and you are relying on model clauses as your lawful grounds for cross-border data transfers.
Standard Contractual Clauses for the Transfer of Personal Data to Processors (Article 46)
This document is mandatory if you are transferring personal data to a processor outside the European Economic Area (EEA) and you are relying on model clauses as your lawful grounds for cross-border data transfers.
GDPR documentation: simplified
Meet requirements quickly and avoid expensive consultancy fees with the market-leading GDPR Toolkit.
Written by lawyers and expert practitioners, it is the most comprehensive toolkit on the market, containing all the GDPR policies and procedures you need to demonstrate compliance while significantly reducing your implementation costs.
More than 3,000 organisations worldwide are already using the GDPR toolkit to simplify and accelerate their project. If you need help achieving GDPR compliance, this toolkit is for you.
A version of this blog was originally published on 14 September 2017.