GDPR Documentation Templates
Since 2018 there is a new regulation governing the collection and processing of personal data of EU citizens, called the General Data Protection Regulation (GDPR). The EU GDPR is currently enforced, and the first fines have already been issued to well-known companies, such as Google, British Airways, Marriott International (110 Mln EUR), H&M (35 Mln EUR), TIM (27.8 Mln EUR), Austrian Post (18 Mln EUR), and more GDPR fines have followed. This regulation replaces the 1995 Data Protection Directive and changes the way data is handled and processed in the EU. It is a legal framework that sets out exact guidelines for the collection and processing of personal information from any individual who lives in the EU. Since documenting processing activities is now a legal requirement, it is important, in order to become GDPR compliant, to do a (quick) gap analysis and to make sure you can demonstrate your sincere efforts toward compliance with the GDPR. Documenting your information processing activities is a key characteristic of good information/data governance, and it will therefore help you demonstrate those efforts. We provide a list of the mandatory documentation, policies, and procedures you must have if you want to become GDPR compliant.
Check out this overview of the mandatory documents required by the GDPR; it also lists the documents included in the file that help you become compliant with the GDPR. Download this GDPR Documents Kit if your organization collects personal data directly from EU citizens.
How to protect and register personal data according to GDPR requirements?
According to the EU GDPR, you are required to identify and minimize the data protection risks of your organization. The documentation of processing activities is a legal requirement under the EU GDPR, with which your organization most likely also needs to comply. It is therefore highly important that you document your data processing activities; doing so also supports good data governance and helps you demonstrate your compliance with other aspects of the GDPR. This Data Protection Impact Assessment (DPIA) Log registers those steps and lists all of the documentation, policies, and procedures you have. By keeping track of the steps taken, it helps you become GDPR compliant. This DPIA template is an example of how you can record your DPIA process and outcome. It contains two tabs and follows a logical evaluation process. You should modify this Excel file with your own criteria for an acceptable DPIA, as set out in the EU guidelines on DPIAs.
A DPIA is a process to help you identify and minimize the data protection risks of a project. You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA. You should start to fill out the DPIA template at the start of any major project involving the use of personal data, or if you are making a significant change to an existing process. Final outcomes should be integrated back into your project plan.
It is also good practice to do a DPIA for any other major project which requires the processing of personal data. At a minimum, your DPIA must:
- describe the nature, scope, context, and purposes of the processing;
- assess necessity, proportionality, and compliance measures;
- identify and assess risks to individuals;
- identify any additional measures to mitigate those risks;
- to assess the level of risk, consider both the likelihood and the severity of any impact on individuals. A high risk could result from either a high probability of some harm or a lower probability of serious harm;
- consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you;
- if you identify a high risk that you cannot mitigate, ask for further assistance before starting the processing.
A privacy notice is a public document from an organization that explains how that organization processes personal data and how it applies data protection principles. On a website, the privacy policy is a statement that describes in detail how the operators of the website will collect, store, protect, and use the personal data provided by its users. The definition of personal data includes names, addresses (physical, IP and/or e-mail), telephone numbers, date of birth, and financial information, such as debit or credit card details. In addition to outlining how the organization will use the information, the website privacy policy also states how it will meet its legal obligations, and how those sharing their data can seek recourse should the company fail to meet those responsibilities.
Why is GDPR important for companies outside the European Union?
First of all, GDPR isn’t exclusively enforceable on EU-based companies. The regulation affects organizations both inside and outside of the European Union (EU). Any organization dealing with EU businesses, residents, or citizens’ data will have to comply with the GDPR! The regulations make it very clear that all organizations handling such data will be required to comply, regardless of location or jurisdiction.
Since the Regulation applies regardless of where the organization is based, you will also need to ensure your website is GDPR proof if that website attracts European visitors, even if you don't specifically market goods and/or services to EU citizens.
Articles 12, 13, and 14 of the GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible. If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so.
Note that the terms “privacy notice” and “privacy policy” do not actually appear in the text of the GDPR and are essentially interchangeable. The guidelines explained in this article apply to any public documents in which your organization describes its data processing activities to customers and the public.
If an organization collects information from an individual directly, its privacy notice must include, among other things, the identity and contact details of the organization, its representative, and its Data Protection Officer (DPO). According to the GDPR, organizations must provide people with a privacy notice that is:
- In a concise, transparent, intelligible, and easily accessible form
- Written in clear and plain language, particularly for any information addressed specifically to a child
- Delivered in a timely manner
- Provided free of charge
The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in requirements depending on whether an organization collects its data directly from an individual or receives it as a third party. Among the required items is whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data.
Per Article 14(3), if you obtain personal data from a third party, you must communicate the above information to the data subject either no later than one month after you have obtained the data, at the time you first communicate with the data subject, or before sharing the data with another organization.
GDPR Privacy Notice best practices
For your convenience, here are a few example phrases that work well when you want to comply with the GDPR:
- “We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in” (it is clear what types of data will be processed, that the data subject will be subject to targeted advertisements for products, and that their data will be used to enable this)
- “We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive” (it is clear what type of data will be processed and the type of analysis which the controller is going to undertake)
- “We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read” (it is clear what the personalization entails and how the interests attributed to the data subject have been identified)
Reviews
Hilde Rodriguez(5/10/2023) - NZL
Useful!
Jamal Goodman(5/10/2023) - GBR
Very good!!
Laraine Raymond(6/16/2022) - NZL
Thank you for this!!
Fredrick Malone(6/16/2022) - AUS
The content is really insightful
Inocencia Dillon(6/16/2022) - DEU
Thank you!!
Karel D(3/26/2021)
Quite satisfied
Sandra G(3/26/2021)
Our DPO got a similar set of GDPR docs from another source, but much more expensive.
Ferdinand D(3/26/2021)
The GDPR docs are good and useful for me
Traci Perez(3/26/2021) - NZL
Thx for this template
Michael Z(10/12/2020)
Thanks for the KIT. Helped me a lot to draft my own documents at our company. I was surprised to get so many useful documents. Not all I needed, but the ones that I was looking for were included.
Jeroen Van Wezel(10/12/2020)
Thanks for the files, we have to comply with GDPR and this helps us in the right direction. Glad we found this affordable kit of GDPR templates.
Winnifred Tucker(10/12/2020) - NZL
You have really helped me so much.
George McKinsey(10/12/2020)
Thanks for this good overview of GDPR documents. Most are very useful for our company, we have been struggling with GDPR regulation for some time.
Pat Heath(10/12/2020) - USA
I share a tip with you, go on and make more nice templates!
Loren Rosario(10/12/2020) - AUS
Great file, handy website
Tatum Allison(10/12/2020) - GBR
This website is the first in list when looking for documents now.