GDPR contains a principle of accountability: it is not enough to comply with the regulation, you must also be able to demonstrate that you do. Documentation is one of the main ways of doing that. So what documents do you need to have in place? Here is a quick guide to the most important documents you need in order to comply with GDPR.
Record of processing activities
As the name suggests, a record of processing activities is a record that describes an organization's processing of personal data. Both controllers and processors are required to keep such records. A well-maintained record lets the organization answer questions like what personal data is processed, where, why, how and for how long. The regulation itself specifies what the record must contain. For a controller this includes the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients, any transfers to countries outside the EU/EEA, the envisaged retention periods and, where possible, a general description of the security measures. Many organizations also note the legal basis for each processing activity, which is not strictly required in the record but makes it far more useful. Note that the record-keeping duty has a limited exemption for organizations with fewer than 250 employees, but the exemption does not apply if the processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data, so in practice most organizations should keep the record.
The record of processing activities is an important document, because the organization must be able to provide it to the supervisory authority on request. It also provides a good basis for a gap analysis, since it shows at a glance which processing lacks a purpose, a legal basis or a retention period. X has developed a ready-to-use template.
Information security policy (data protection policy)
GDPR represents a new way of looking at information security and the privacy of the individual. Organizations will have to demonstrate that they have set overall security goals and assigned responsibilities for, among other things, personal data. This should be reflected in an information security policy, which many organizations already have in place. However, the policy will need to be updated to cover the areas emphasized in GDPR, e.g., privacy and the rights of data subjects, risk management, incident management (including the duty to report personal data breaches) and classification of information.
Rules and guidelines regarding information security
An information security policy does not say much about practicalities, i.e., how the organization will actually work to fulfill it, which is why rules and guidelines are needed. Rules and guidelines develop the content of the information security policy and specify how the organization will work to follow it. We recommend that you describe separately, in different sections of the document, what concerns users, management, systems and networks, and the rights of data subjects to their personal data.
Privacy Policy
A privacy policy specifies what personal data the organization collects and what it does with it. It is the organization's opportunity to be transparent about its personal data processing, and it is also how the organization meets its duty to inform data subjects.
A number of things should be included in a privacy policy, and a good starting point is to answer the questions what, why, how, how long and where. You must state what personal data you are processing. You must state why you process it, i.e., the purpose, and on which legal basis. GDPR restricts transfers of personal data to countries outside the EU/EEA (a transfer is only permitted under an adequacy decision or other appropriate safeguards), so it is also important to specify where personal data is processed and stored, and on what basis any transfer takes place. In addition, you should describe the security measures in place to protect personal data, how long you keep it, and the rights of individuals, including how to exercise them.
Don't be vague! It is important to be specific and transparent in a privacy policy. A privacy policy is a promise to the data subject: if an organization processes personal data in ways that are not described in its policy, a supervisory authority or a data subject can hold the organization to what it said. When writing a privacy policy, do look at how other organizations have written theirs. Here is Google's Privacy Policy.
Processing agreement
A processor is someone who processes personal data on behalf of a controller, i.e. someone outside the controller's own organization. A processor can be a person (e.g. an individual entrepreneur), an authority or an organization (e.g. a cloud service provider). To ensure that the processing complies with GDPR, the controller and the processor must enter into a processing agreement. The agreement is normally drawn up by the controller and describes the personal data processing. At a minimum it must set out the subject matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. It must also bind the processor to act only on the controller's documented instructions, to keep the data confidential and secure, to use sub-processors only with the controller's authorization, to assist the controller with data subject requests and security incidents, and to delete or return the data when the service ends.
You may already have some of these documents in place, but as GDPR involves a number of changes compared with the previous Data Protection Directive, you should review and update existing documents. Some of the GDPR requirements can be difficult to understand, but in essence the regulation is about organizations becoming better at managing personal data. A security mindset should therefore exist throughout the entire organization, in routines, rules, policies, products and services.