consumer data protection

This article has been written by Shreya Mazumdar, pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.

Introduction

GDPR, the General Data Protection Regulation, is a set of European rules and standards relating to privacy and data governance. GDPR applies to companies established in Europe and/or companies doing business in Europe or with European customers. GDPR requires the active consent of customers and gives them a new portability right to control the transfer of their information. Non-compliance attracts significant penalties.

Whether an organisation is drafting from scratch, revising its existing data protection policies or making use of a template from a professional provider, documenting GDPR measures and controls is a lengthy and time-consuming task. Although GDPR has been in force since May 2018, numerous firms still comply with the regulation only partially. GDPR compliance may seem a huge task and a significant cost, but complying with the rules can recover the resources and money spent on achieving complete data protection compliance.


The list of GDPR documentation below is intended to help one find out which documents must be in place. Please note that the headings used in the list are not prescribed by GDPR, so other titles can be used instead, and several of these documents can be merged.

Mandatory documents for EU GDPR compliance

Following is the list of documents that one must have in place to be compliant with the GDPR:

Personal Data Protection Policy (Article 24)

This policy is the top-level document for managing privacy in the organisation: it defines what the organisation wants to achieve and how. It is a statement that sets out how the organisation protects personal data. The policy explains the GDPR requirements to users and employees and projects the organisation’s commitment to compliance. It does not have to provide specific details as to how the organisation will meet the GDPR’s data protection principles, as these are covered in the organisation’s procedures. The policy only provides an outline of the GDPR as it relates to the organisation; the procedures state how the organisation ensures that each principle is carried out. Under GDPR, a data protection policy must include the following clauses:

  1. Purpose: The purpose of the policy should be clearly stated at the beginning, explaining how the policy relates to the GDPR, the necessity for compliance and the importance of the policy.
  2. Definitions: GDPR is full of terminology, so several terms need to be explained. Terms like ‘data controller’ and ‘data processor’ might need some clarification.
  3. Scope: The GDPR applies to EU residents’ personal information and to any organisation that processes this data. The policy must define the types of information collected to which the GDPR applies. This matters because the Regulation distinguishes ‘special categories’ of personal data, which are subject to higher protection.
  4. Principles: The seven principles of data processing, which are as follows, have to be mentioned:
    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimization
    • Accuracy
    • Storage Limitation
    • Integrity and Confidentiality 
    • Accountability
  5. Data Subject Rights: The policy must mention the eight data subject rights granted under GDPR and how the organisation complies with them. The eight data subject rights are as follows:
  • The right to be informed: The organisation must tell its users what data is being collected, how it is being used, how it will be kept and whether it will be shared with any third party.
  • The right of access: An individual user can submit a subject access request, which obliges the organisation to provide a copy of the personal data it holds about the individual. The organisation has one month to produce this information.
  • The right to rectification: If individual users discover that the information held by the organisation is inaccurate or incomplete, they can ask the organisation to update it.
  • The right to erasure: An individual user can request the organisation to erase their data in certain circumstances, for instance if the data is no longer necessary or was unlawfully processed. This right is also known as the ‘right to be forgotten’.
  • The right to restrict processing: Individuals can request the organisation to limit the use of their personal data. It is an alternative to the right to be forgotten that might be used when an individual contests the accuracy of their data.
  • The right to data portability: This allows individual users to obtain and reuse their personal data for their own purposes across different services. This right applies only to the personal data that the individual has provided to data controllers.
  • The right to object: Individual users have the right to object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the exercise of official authority.
  • Rights related to automated decision-making including profiling: This covers decisions made automatically with no human involvement, which use personal data to make calculated assumptions about individuals. GDPR sets strict rules for this kind of processing, and individuals are permitted to challenge it and request a review of the processing if they believe the rules are not being followed.
  6. Data Protection Officer (DPO): The policy must mention the name and contact details of the DPO. If the organisation is exempt from the requirement to appoint a DPO and has chosen not to appoint one, it should instead list the senior member of staff responsible for data protection.

Privacy Notice (Article 12, 13 and 14)

This notice is a public statement of the way the organisation applies and complies with the GDPR’s data processing principles. A privacy notice has two objectives:

  1. To promote transparency, prevent any confusion about the way personal data is used and establish trust between the user and the organisation.
  2. To give individuals more control over the way their data is used. If an individual is not satisfied, he/she can raise a query via a DSAR (data subject access request) and also direct the organisation to suspend the processing activity.

The privacy notice is provided to clients, customers and other interested parties to explain how the organisation processes personal data. A privacy notice can also help the organisation in several ways. It provides documented proof of the data processing activities carried out by the organisation, which helps in justifying the processing if someone files a complaint with the supervisory authority. GDPR policies may also attract investors, as they show that the organisation has appropriate information and security measures in place.

Under Article 30 of the GDPR, the compliant documents should include the following details:

  • Contact details: One of the basic things a privacy notice contains is the name, e-mail address, postal address and telephone number of the organisation. If the organisation has appointed a DPO (data protection officer) or an EU representative, their contact details should be included.
  • Type of Personal Data that is Processed: The definition of personal data is very broad, and the organisation should make sure that everything is included with specific details. If the data subject has not provided the personal information directly, the organisation has to mention the source from which the information was obtained.
  • Processing Personal Data Lawfully: Under GDPR, personal data can be processed only if there is a legal basis for doing so. The privacy policy should describe which basis the organisation relies on for processing. For instance, if the organisation relies on the user’s consent, it must be specifically stated that consent can be withdrawn at any point in time. The rules are somewhat different if the data falls under sensitive personal data, that is, data in the “special categories”, which must be treated with special security. Special category data includes:
    • Political Opinion
    • Trade union memberships
    • Racial or ethnic origin
    • Religious and philosophical beliefs
    • Biometric data
    • Genetic data

Such sensitive personal data requires explicit consent from the individual before it is processed.

  • Processing Personal Data: It must be explained very clearly whether personal data will be transferred to a third party. It is also suggested that the organisation mention how shared data will be protected, particularly where the third party processing the data is based outside the EU. The clause can be depicted as follows:-

  • Term for keeping the Data: The GDPR states that the organisation can retain personal data only for as long as the legal basis for processing applies. For instance, if the data is processed to fulfil a contract, the organisation shall keep the data only as long as it takes to complete the contract. It can be difficult to ascertain this for consent and legitimate interest, as there is no clear point at which they are no longer valid; in such cases, a data retention period of two years is suggested.
  • Data Subject Rights: The eight data subject rights granted by the GDPR should be listed and explained in the privacy notice.

A privacy notice and a privacy policy are two different things. Under the GDPR, a privacy notice is a publicly accessible document produced for data subjects, whereas a GDPR privacy policy is an internal document that details the organisation’s obligations and practices for meeting the compliance requirements.

Employee Privacy Notice (Article 12, 13 and 14)

As per the GDPR, the organisation should be transparent and open about the employee data that it processes. It is also mandatory for employers to process HR-related data fairly and transparently.

An employee privacy notice is a mandatory step towards compliance and explains to each individual how the organisation processes the employee’s data.

Data Retention Policy (Article 5, 13, 17 and 30)

A data retention policy outlines the organisation’s protocol for retaining information. The organisation must retain data only for as long as it is needed. While drafting a data retention policy, two factors must be considered:

  1. The process for organising information so that it can be accessed at a later date; and
  2. The process for disposing of information that is no longer essential.

The data retention policy of the organisation must be a part of the overall information security documentation process. A basic data retention policy will address the following: 

  1. Type of Information: Different types of information are handled differently, so the organisation should keep a record of what data is being processed.
  2. Term: Perhaps surprisingly, the GDPR does not specify a time limit for which data may be held; the retention term for particular data is therefore the organisation’s decision, based on the reason for processing the data.
  3. Data Deletion: Regularly deleting unnecessary data reduces the amount of data that must be searched to comply with subject access requests.

Data Retention Schedule (Article 30)

This schedule specifies the retention term for each data item that must be kept and provides guidelines for discarding data items.

Data Subject Consent Form (Article 6,7 and 9)

Consent is one of the lawful bases for processing personal data, and explicit consent is required to legitimise the use of special category data. Where the organisation processes personal data for a specific purpose, permission from the data subject has to be obtained with a consent form. The GDPR form must contain the following:

Supplier Data Processing Agreement (Article 28, 32 and 82)

If a third party (sub-processor) is used to process personal data, the organisation must have a written contract in place with that sub-processor.

DPIA Register (Article 35)

The DPIA Register documents the organisation’s Data Protection Impact Analyses (DPIAs). A DPIA is a type of risk management that helps the organisation identify and minimise the risks related to its personal data processing activities. Under the EU GDPR and the Data Protection Act (DPA) 2018, a DPIA is required to be carried out by the organisation before processing data. This ensures that the organisation can mitigate data protection risks.

Data Breach Response and Notification Procedure (Article 4, 33 and 34)

The organisation should create a procedure that applies in the event of a data breach under Article 33 of the GDPR, “Notification of a personal data breach to the supervisory authority”, and Article 34, “Communication of a personal data breach to the data subject”.

Data Breach Notification Form to the Supervisory Authority (Article 33) and Data Breach Notification Form (Article 34)

If the organisation has suffered a personal data breach that needs to be reported to the ICO, the applicable data breach form has to be completed. The ICO’s website (https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/) provides more information about assessing and reporting a breach.

If a personal data breach is likely to result in a high risk to the rights and freedoms of users, the organisation also needs to complete a Data Breach Notification Form to Data Subjects.

Standard Contractual Clauses for the Transfer of Personal Data to Controllers (Article 46) and Standard Contractual Clauses for the Transfer of Personal Data to Processor (Article 46)

Standard Contractual Clauses for the Transfer of Personal Data to Controllers are essential if personal data is transferred to a controller outside the European Economic Area (EEA) and the organisation relies on model clauses as the lawful ground for the cross-border transfer.

Standard Contractual Clauses for the Transfer of Personal Data to Processors are essential if personal data is transferred to a processor outside the European Economic Area (EEA) and the organisation relies on model clauses as the lawful ground for the cross-border transfer.

Conclusion

Having GDPR-compliant policies and statements within an organisation brings a significant advantage: it reconfirms the organisation’s commitment to upholding the GDPR principles. These policies do not have to be long or complicated documents. They can simply state that the organisation recognises that the GDPR applies to its business and that it intends to meet its obligations and uphold users’ rights.

At the very least, a GDPR compliance statement includes the following four primary parts:

  • A written acknowledgement of GDPR compliance
  • A commitment towards data subject rights
  • Organisation’s GDPR preparation plan
  • Organisation’s contact information

Once this is done, the statement can be linked to the Privacy Policy and added to the organisation’s website footer to demonstrate the organisation’s GDPR compliance.
