Article by Dejan Kosutic
The General Data Protection Regulation (GDPR) has already raised many controversies, and one of the biggest is certainly which documents are required. For example, you often see companies that think having a privacy policy and a consent form on their website is enough; however, these are only a small part of the documents required to be fully compliant with this new privacy regulation.
Therefore, we created a list of GDPR documentation requirements to help you find all mandatory documents in one place. Please note that the names of the documents are not prescribed by the GDPR, so you may use other titles; you may also merge some of these documents.
Mandatory documents and records required by EU GDPR
Here are the documents that you must have if you want to be fully GDPR compliant:
- Personal Data Protection Policy (Article 24) – this is a top-level document for managing privacy in your company, which defines what you want to achieve and how. See also: Contents of the Data Protection Policy according to GDPR.
- Privacy Notice (Articles 12, 13, and 14) – this document (which can also be published on your website) explains in simple words how you will process the personal data of your customers, website visitors, and others.
- Employee Privacy Notice (Articles 12, 13, and 14) – explains how your company is going to process the personal data of your employees (which could include health records, criminal records, etc.).
- Data Retention Policy (Articles 5, 13, 17, and 30) – describes the process of deciding how long a particular type of personal data will be kept, and how it will be securely destroyed.
- Data Retention Schedule (Article 30) – lists all of your personal data and describes how long each type of data will be kept.
- Data Subject Consent Form (Articles 6, 7, and 9) – this is the most common way to obtain consent from a data subject to process his/her personal data. Learn more here: Is consent needed? Six legal bases to process data according to GDPR.
- Parental Consent Form (Article 8) – if the data subject is below the age of 16 years, then a parent needs to provide the consent for processing personal data.
- DPIA Register (Article 35) – this is where you’ll record all the results from your Data Protection Impact Assessment. See this webinar: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR.
- Supplier Data Processing Agreement (Articles 28, 32, and 82) – you need this document to regulate data protection with a processor or any other supplier.
- Data Breach Response and Notification Procedure (Articles 4, 33, and 34) – describes what to do before, during, and after a data breach. See also: 5 steps to handle a data breach according to GDPR.
- Data Breach Register (Article 33) – this is where you’ll record all of your data breaches. (Hopefully, it will be very short.)
- Data Breach Notification Form to the Supervisory Authority (Article 33) – in case you do have a data breach, you’ll need to notify the Supervisory Authority in a formal way.
- Data Breach Notification Form to Data Subjects (Article 34) – again, in case of a data breach, you’ll have the unpleasant duty to notify data subjects in a formal way.