Article by Dejan Kosutic
The General Data Protection Regulation (GDPR) has already raised many controversies, and one of the biggest ones is certainly which documents are required. For example, often you see companies who think having a privacy policy and a consent form on their website is enough; however, this is only a small part of the documents that are required to be fully compliant with this new privacy regulation.
Therefore, we created a list of GDPR documentation requirements to help you find all mandatory documents at one place . Please note that the names of the documents are not prescribed by the GDPR, so you may use some other titles; you also have a possibility to merge some of these documents.
Mandatory documents and records required by EU GDPR
Here are the documents that you must have if you want to be fully GDPR compliant:
- Personal Data Protection Policy (Article 24) – this is a top-level document for managing privacy in your company, which defines what you want to achieve and how. See also: Contents of the Data Protection Policy according to GDPR.
- Privacy Notice (Articles 12, 13, and 14) – this document (which can also be published on your website) explains in simple words how you will process personal data of your customers, website visitors, and others.
- Employee Privacy Notice (Articles 12, 13 and 14) – explains how your company is going to process personal data of your employees (which could include health records, criminal records, etc.).
- Data Retention Policy (Articles 5, 13, 17, and 30) – describes the process of deciding how long a particular type of personal data will be kept, and how it will be securely destroyed.
- Data Retention Schedule (Article 30) – lists all of your personal data and describes how long each type of data will be kept.
- Data Subject Consent Form (Articles 6, 7, and 9) – this is the most common way to obtain consent from a data subject to process his/her personal data. Learn more here: Is consent needed? Six legal bases to process data according to GDPR.
- Parental Consent Form (Article 8) – if the data subject is below the age of 16 years, then a parent needs to provide the consent for processing personal data.
- DPIA Register (Article 35) – this is where you’ll record all the results from your Data Protection Impact Assessment. See this webinar: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR.
- Supplier Data Processing Agreement (Articles 28, 32, and 82) – you need this document to regulate data protection with a processor or any other supplier.
- Data Breach Response and Notification Procedure (Articles 4, 33, and 34) – it describes what to do before, during, and after a data breach. See also: 5 steps to handle a data breach according to GDPR.
- Data Breach Register (Article 33) – this is where you’ll record all of your data breaches. (Hopefully, it will be very short.)
- Data Breach Notification Form to the Supervisory Authority (Article 33) – in case you do have a data breach, you’ll need to notify the Supervisory Authority in a formal way.
- Data Breach Notification Form to Data Subjects (Article 34) – again, in case of a data breach, you’ll have the unpleasant duty to notify data subjects in a formal way.
. It should be a clear and concise document that is accessible by individuals.
the requirements on giving privacy information to data subjects. These are more detailed and specific than in the 
Act 1998 (DPA).
, and has been used by thousands of organisations worldwide. It includes:
; and
) (EU 2016/679 regulation) coming up on 25 May 2018, many organizations are addressing their data gathering, protection and retention needs concerning the privacy of their data for EU citizens and residents. This regulation has many parts, as ISACA has described in many of its 
view is that privacy is an essential part of functionality, the security of the system and its processing activities.
across the entire processing effort for the affected data. This end-to-end need for protection includes collection efforts, retention requirements and even the new “right to be forgotten” requirement, wherein the customer has the right to request removal of their data from an organization’s storage.
demands the 
implemented are proactive rather than reactive. As its principal goal, the system needs to prevent issues, releases and successful attacks. The system is to keep privacy events from occurring in the first place.
, the most important point for organizations to understand about GDPR is transparency. The EU wants full disclosure of an organization’s efforts, documentation, reviews, assessments and results available for independent third-party review at any point. The goal is to ensure privacy managed by these companies is not dependent upon technology or business practices. It needs to be provable to outside parties and, therefore, acceptable. The EU has purposely placed some strong fine structures and responses into this regulation to ensure compliance.
, it has been found that it is good practice to look at these 6 areas for all the collected and retained data, not just EU-based data. This zero-tolerance approach to data breaches is purposely designed to be stringent and strong. Good luck to all in meeting and maintaining the data privacy and security requirements of 
.
