Privacy documentation

This is any document containing data privacy information. It can range from privacy statements and cookie use policies, to internal policies and procedures that your employees will have to comply with to meet their data protection obligations.

There are various documents, however we have listed the main documents below:

1. Data Protection Policy
2. Privacy Notice
3. Employee Privacy Notice
4. Data Retention Policy
5. Data Retention Schedule
6. Data Subject Consent Form
7. DPIA Register
8. Supplier Data Processing Agreement
9. Data Breach Response and Notification Procedure/Policy

There are certain steps and documentation needed to demonstrate compliance. These include, but are not limited to:

• Testing and auditing data protection measures
• Implementing technical measures to ensure compliance
• Documenting and recording compliance measures
• Determining and documenting a lawful basis for each instance of personal data processing

1. Lawfulness, fairness and transparency in processing of personal data
2. Collecting personal data for specified, explicit and legitimate purposes
3. Accuracy in holding personal data and keeping it up to date
4. Processing in a manner that ensures appropriate security of the personal data

Article 30 of the UK GDPR imposes documentation requirements on controllers and processors, which includes the purposes of processing personal data; the categories of individuals whose personal data is being processed; the name of any third countries or international organisations that you transfer personal data to; and a general description of your organisation’s technical and organisational security measures to protect the personal data.