GDPR Documents For Compliance

Documenting your information processing activities is an important characteristic for good data governance, and therefore this will help you to demonstrate your efforts in order to become compliant with the GDPR. The documentation of processing activities is a new legal requirement under the EU GDPR (General Data Protection Regulation).

What documents do I need to be GDPR compliant?

We provide a full list of all of the documentation, policies, and procedures you must have if you want to become GDPR compliant in this file. You may consider this a GDPR compliance checklist, that shows what documents are mandatory. This helps you to do your own gap analysis and find out what documents, policies, and procedures that you still need to implement in your company to become GDPR compliant. Consider the following:

• GDPR Roles, awareness and training
• Personal data mapping
• Privacy policies and notices
• Rights of the data subject
• Controllers and processor
• Data protection impact assessment
• International transfers
• Personal data breach management

Download this free overview of mandatory documents required by the GDPR directive if your organization collects personal data directly from European citizens. For more GDPR Compliance Templates, check out this GDPR Document Kit

What is GDPR?

The EU General Data Protection Regulation came into place in 2018. The regulation, which replaces the 1995 Data Protection Directive, makes changes to the way data is handled and processed in the EU. It is a legal framework that sets the exact guidelines for the collection and processing of personal information from any individuals who live in the EU.

Why GDPR is important for companies outside the EU?

First of all, GDPR isn’t exclusively enforceable on EU-based companies. The regulation affects organizations both inside and outside of the European Union (EU). Any organization dealing with EU businesses, residents, or citizens’ data will have to comply with the GDPR! The regulations make it very clear that all organizations handling such data will be required to comply, regardless of location or jurisdiction.

Since the Regulation applies regardless of where the organization is based, you will also need to ensure your website is GDPR proof if that website attracts European visitors, even if you don't specifically market goods and/or services to EU citizens.

Articles 12, 13, and 14 of the GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible. If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so.

Note that the terms “privacy notice” and “privacy policy” do not actually appear in the text of the GDPR and are essentially interchangeable. The guidelines explained in this article apply to any public documents in which your organization describes its data processing activities to customers and the public.

If an organization is collecting information from an individual directly, it must include the following information in its privacy notice, such as the identity and contact details of the organization, its representative, and its Data Protection Officer (DPO). According to the GDPR, organizations must provide people with a privacy notice that is:

• In a concise, transparent, intelligible, and easily accessible form
• Written in clear and plain language, particularly for any information addressed specifically to a child
• Delivered in a timely manner
• Provided free of charge

The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in requirements depending on whether an organization collects its data directly from an individual or receives it as a third party. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data.

Per Article 14(3), if you obtain personal data from a third party, you must communicate the above information to the data subject either: no later than one month after you have obtained the data, at the time you first communicate with the data subject, or before sharing the data with another organization.

We have done all the hard work already for you. Make this an advantage for you to leverage. And how much time are you spending to find those documents yourself? If you value your time, then go directly to this download and stop wasting your precious time.