Mandatory GDPR Documents
The GDPR requires each company processing personal data to implement a number of mandatory documents in order to:
-
Maintain control over the data being processed
-
Monitor the recipients of the data and assess their level of compliance
-
Analyze any risks associated with the processing of sensitive data and implement appropriate measures to mitigate them
-
Be able to demonstrate its level of compliance to:
-
Clients
-
Prospects
-
The supervisory authority (CNIL)
-
The following mandatory documents must be implemented:
-
Record of processing activities (ROPA)
-
List and audit of data processors
-
Data Protection Impact Assessment (DPIA) where applicable
-
Information documents (Privacy Policy, Cookie Policy)
-
Binding internal documents (procedures, policies, and rules)
-
Data Processing Agreements (DPA) and Standard Contractual Clauses (SCC)
-
Data breach register
-
Register of data subject rights requests
-
IT systems charter
This list is not exhaustive and may vary depending on your activities and the types of processing you carry out.
Regular updates are necessary to maintain the compliance level of your projects, subcontractors, and internal processes.
"Data protection is, above all, about respecting human dignity."
— Helen Dixon, Data Protection Commissioner for Ireland