ACCOUNTABILITY & DOCUMENTATION
Often people start with documentation and the mandatory GDPR policies. However, merely having a GDPR policy in a cabinet doesn't make you GDPR compliant. The hard part is putting the puzzle together so that your documentation reflects your actual data processing activities and ties them to the GDPR principles, security measures, responsibilities, and governance in practice, so that your organisation actually works to the standards it has written down.
Our take on documentation is efficiency over quantity. We aim to cover all the mandatory and compliance aspects in easy-to-monitor lists, Standard Operating Procedures (SOPs) and policies, and to train your team on what's in them, so that your documentation matches the way you actually work and the systems you actually run.

GDPR REQUIRED DOCUMENTATION
Note that this is not an exhaustive list; depending on your activities, other documentation may also be mandatory to keep or monitor.
Art. 5(1)(e) GDPR
Data Retention Policy
Set, per type of data, how long it is retained, and whether and how it is deleted (or anonymised) once that period ends. Storage limitation is one of the principles you must be able to demonstrate under Art. 5(2).
Art. 6(1)(b) GDPR
Contracts
When the legal basis for processing is the performance of a contract with the data subject (or steps taken at their request before entering into one), keep the contract on file so you can show the processing is necessary for it.
Art. 7 GDPR
Consents
When the legal basis for processing is consent (Art. 6(1)(a)), you must be able to demonstrate that it was given: record who consented, to what, when and how, and keep a process for withdrawing consent that is as easy as giving it.
Art. 8 GDPR
Parental consents
When the legal basis is consent and your data subjects are children (under 16, or a lower age set by the Member State, but not below 13) using information society services offered directly to them, consent must be given or authorised by the holder of parental responsibility, and you must make reasonable efforts to verify this.
Art. 12(3) GDPR
Data subject policy
Set out the internal process for data subjects to exercise their data protection rights (access, rectification, erasure, restriction, portability, objection), including how requests are received, how identity is verified, and how the one-month response deadline is met.
Art. 13 GDPR
Privacy Policy
Be transparent about your data processing activities in your privacy policy: who the controller is, the purposes and legal bases, recipients, retention periods, international transfers and data subject rights. Art. 14 sets equivalent requirements when the data is not obtained from the data subject directly.
Art. 24 GDPR
General Company Policy
Set out the parameters within which your company complies with the GDPR principles, and how you demonstrate that compliance.
Art. 28 GDPR
Data Processing Contracts
Hold your external data processors accountable via data processing agreements that cover the mandatory terms of Art. 28(3): documented instructions, confidentiality, security measures, sub-processors, assistance with data subject rights and breaches, deletion or return of data at the end of the service, and audit rights.
Art. 30 GDPR
Record of Data Processing Activities
Keep a register of all your data processing activities: purposes, legal basis, categories of data subjects and data, recipients and external processors, storage locations, retention periods, international transfers and the security measures applied. (The controller is responsible for this record; in practice it is usually maintained by your DPO.)
Art. 32 GDPR
Security policies
Design and implement technical and organisational security measures appropriate to the risk. Cover IT and access control, remote working, logging and audit, external vendors, backups and business continuity, and test the effectiveness of those measures regularly.
Art. 33 and 34 GDPR
Data breach policy
Set out the internal process for personal data breaches: who is responsible for which task, when and how to notify the supervisory authority (within 72 hours of becoming aware, Art. 33) and the affected data subjects (when the breach is likely to result in a high risk to them, Art. 34), and how to contain and mitigate the incident. Log every breach, including those you decide not to notify.
Art. 35 GDPR
Data Protection Impact Assessment (DPIA)
Assess the risks to data subjects before starting any new processing that is likely to result in a high risk, for example large-scale processing of special categories of data, systematic monitoring, or the use of new technologies, and record the measures taken to address those risks.
Art. 46 GDPR
Data Transfers
When transferring personal data outside the EEA, follow the requirements of Chapter V GDPR (Art. 44-49): an adequacy decision, appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, or one of the derogations, and document which ground you rely on for each transfer.
Art. 88 GDPR
Employee Policy
Provide transparency to employees about what data is collected about them, whether and how they are monitored, and what their rights are.