GDPR Week 5 – Documentation

Click The Arrow For The Table Of Contents
GDPR. Data Protection Regulation IT technologist Data Security system Shield Protection

t’s actually here!  The final week of our GDPR updates!  We hope these updates have proven to be useful and taken the sting out of the upcoming GDPR changes.  We have had some lovely feedback, so we hope it has been of use to you, knowing we have helped simplify technology and its impact on our customers is what motivates us.

In this last update, we will be discussing the documentation required to comply with the new requirements.  Remember not to panic even if you are not completely ready by the 25thof May.  Having a corrective plan in place will still help your cause so don’t give up on trying to get GDPR under control.

Compliance is not just about what you do with your current technology. It is also about having the correct policies and procedures in place to document it. Below is a list of the required documentation for you to quickly check off as you go.


GDPR compliant privacy policy 

To demonstrate to third parties how you handle the personal information you need to create or update your privacy policy.  Which should detail the measures you have in place to ensure data security.

Data processing inventory

This details where, how and why you process personal data which needs to be updated regularly to reflect new business processes/systems.

Legitimate Interests Assessment form 

The gold standard for holding data is through consent, but in some cases, you will be unable to get consent. If this is the case, you must evaluate the information you hold to see if it falls into the legal interest category.  If there is a legitimate interest in retaining the data such as contact details for sending a customer their invoice, then this won’t require consent.

Records retention policy 

Under the new regulations, you can no longer hold data indefinitely. So, you will need to create a strategy to document each data type you own and when you will remove that data.

Employee privacy statement

Under the new regulations, you now have to update your employment contracts, or have a separate policy, to show how you will process and store their data. It is best to get this countersigned by the employee as this will act as consent for you to hold their data and prove documented evidence should be ever be required.

Employee subject access request form 

Employees now have the right to request copies of the information you hold on them. It is good practice to make these forms available to your employees, so requests can be dealt with using a standard format.

Response to employee subject access request 

If you are going to have a standard way for employees to request the data you hold on them, then it’s probably a good idea to have a standard response form, this way you can show a consistent approach when an inspection occurs.

Processor agreement 

If you share data with third parties such as subcontractors or other organisations, it is a good idea to have a process agreement which details how you will both secure and process the data.

Third Party subject access request form

Anyone you hold data on now has the right to request copies of their information you keep.  It is good practice to make these forms available via your website, so all requests are received and dealt with using a standard format.

Response to Third Party subject access request 

If you are going to have a standard way for third parties to request the data you hold on them then again, it’s probably a good idea to have a standard response form to maintain a consistent approach.

Subject access record for third parties and employees.

It is best practice to record any access requests so that you have an audit trail.  Having this record ready in anticipation will not only show your expected process but also remind you to log these requests correctly.

Data breach record

A data breach record allows you to keep track of any breaches that may have occurred in the course of your regular business, and it is best practice to record all events even if the data was on an encrypted device.
We have a third party provided GDPR form pack which we have used for our internal GDPR documentation.  We have secured an agreement to be able to supply this pack to our customers under license. It Currently costs £299+VAT.  We can also help with completing the forms, and as always, we will only charge for the time we spend helping.