Mandatory documents and records required by EU GDPR
Here are the documents that you must have if you want to be fully GDPR compliant:
- Personal Data Protection Policy (Article 24) – this is a top-level document for managing privacy in your company, which defines what you want to achieve and how. See also: Contents of the Data Protection Policy according to GDPR.
- Privacy Notice (Articles 12, 13, and 14) – this document (which can also be published on your website) explains in simple words how you will process personal data of your customers, website visitors, and others.
- Employee Privacy Notice (Articles 12, 13 and 14) – explains how your company is going to process personal data of your employees (which could include health records, criminal records, etc.).
- Data Retention Policy (Articles 5, 13, 17, and 30) – describes the process of deciding how long a particular type of personal data will be kept, and how it will be securely destroyed.
- Data Retention Schedule (Article 30) – lists all of your personal data and describes how long each type of data will be kept.
- Data Subject Consent Form (Articles 6, 7, and 9) – this is the most common way to obtain consent from a data subject to process his/her personal data. Learn more here: Is consent needed? Six legal bases to process data according to GDPR.
- Parental Consent Form (Article 8) – if the data subject is below the age of 16 years, then a parent needs to provide the consent for processing personal data.
- DPIA Register (Article 35) – this is where you’ll record all the results from your Data Protection Impact Assessment. See this webinar: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR.
- Supplier Data Processing Agreement (Articles 28, 32, and 82) – you need this document to regulate data protection with a processor or any other supplier.
- Data Breach Response and Notification Procedure (Articles 4, 33, and 34) – it describes what to do before, during, and after a data breach. See also: 5 steps to handle a data breach according to GDPR.
- Data Breach Register (Article 33) – this is where you’ll record all of your data breaches. (Hopefully, it will be very short.)
- Data Breach Notification Form to the Supervisory Authority (Article 33) – in case you do have a data breach, you’ll need to notify the Supervisory Authority in a formal way.
- Data Breach Notification Form to Data Subjects (Article 34) – again, in case of a data breach, you’ll have the unpleasant duty to notify data subjects in a formal way.
Documents that are needed under certain conditions
You’ll need the following documents if the following conditions apply:
- Data Protection Officer Job Description (Articles 37, 38, and 39) – you’ll need to have a Data Protection Officer (DPO) if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities process on a large scale special categories of data and personal data relating to criminal convictions and offences. Learn what the DPO must do in this free online training: GDPR Data Protection Officer Course.
- Inventory of Processing Activities (Article 30) – this document is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data; or (e) the processing includes personal data relating to criminal convictions and offences.
- Standard Contractual Clauses for the Transfer of Personal Data to Controllers (Article 46) – mandatory if you are transferring personal data to a controller outside the European Economic Area (EEA) and you are relying on model clauses as your lawful grounds for cross-border data transfers.
- Standard Contractual Clauses for the Transfer of Personal Data to Processors (Article 46) – mandatory if you are transferring personal data to a processor outside the EEA and you are relying on model clauses as your lawful grounds for cross-border data transfers.
Here are the documents that are not required by the GDPR. However, you might find these kinds of documents quite useful if you want to maintain your compliance without worries:
- EU GDPR Readiness Assessment – useful if you want to find out the gap between what you have and what the GDPR requires. See also: EU GDPR Readiness Assessment Tool.
- Project Plan for Complying with the EU GDPR – useful if you are a mid-sized to a large company and want to know exactly who is responsible for the compliance and what the deadlines are. Download here a free GDPR Project Plan.
- Employee Personal Data Protection Policy (Article 24) – similar to the top-level Personal Data Protection Policy, but this one focuses specifically on your employees.
- Register of Privacy Notices (Articles 12, 13, and 14) – could be quite useful if you have published privacy notices in many places and want to have control over all of them.
- Guidelines for Data Inventory and Processing Activities Mapping (Article 30) – since you’ll probably need an Inventory of Processing Activities, these guidelines will help you fill out that document.
- Data Subject Consent Withdrawal Form (Article 7) – useful document when a data subject wants to withdraw his/her consent.
- Parental Consent Withdrawal Form (Article 8) – useful document if you’re dealing with a data subject younger than 16 years.
- Data Subject Access Request Procedure (Articles 7, 15, 16, 17, 18, 20, 21, and 22) – helps you define who does what when you receive such request (which you likely will).
- Data Subject Access Request Form (Article 15) – makes it easier for data subject and for you to handle such requests because you’ll have a clearer picture of what the data subject wants.
- Data Subject Disclosure Form (Article 15) – you’ll know exactly which information to send once you receive the data subject access request.
- Data Protection Impact Assessment Methodology (Article 35) – since this is probably the most complex task in your GDPR compliance project, you’ll find guidelines on how to perform DPIA quite useful.
- Cross Border Personal Data Transfer Procedure (Articles 1, 44, 45, 46, 47, and 49) – you’ll find this useful as a guideline if you transfer personal data outside of the European Economic Area.
- Processor GDPR Compliance Questionnaire (Articles 28 and 32) – you’ll find this very helpful when performing due diligence on a processor.
- Documents regulating security of personal data (Article 32) – e.g., IT Security Policy, Access Control Policy, Security Procedures for IT Department, Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, Clear Desk and Clear Screen Policy, Information Classification Policy, Anonymization and Pseudonymization Policy, Policy on the Use of Encryption, Disaster Recovery Plan, Internal Audit Procedure, ISO 27001 Internal Audit Checklist – these are the documents you’ll find very helpful for protecting the data; the easiest way is to use an information security standard like ISO 27001 as a guide.
Here you can download a free preview of the EU GDPR Documentation Toolkit, where you can see the structure and part of the text for each of the above-mentioned documents.