GDPR FAQs - Accountability

Do I need a lot of documents to comply with the GDPR?

The GDPR’s accountability principle (Article 5(2)) requires you not only to comply with the Regulation but to be able to demonstrate that you do. In practice, this means keeping a substantial set of documents that prove you have the necessary policies and procedures in place.

This can be very intensive, especially if you do not know exactly what these documents should cover. However, you can save a lot of time and effort by using customisable templates.

Designed and developed by expert GDPR practitioners, and used by thousands of organisations worldwide, IT Governance’s EU GDPR Documentation Toolkit provides a complete set of customisable documentation templates to help you comply with the GDPR’s accountability principle (Article 5.2).

Our toolkit includes:

  • Data protection policy
  • Training policy
  • Information security policy
  • Data protection impact assessment procedure
  • Retention of records procedure
  • Data subject access request form and procedure
  • Privacy procedure
  • Privacy notice
  • International data transfer procedure
  • Data portability procedure
  • Audit checklist

Find out more about the GDPR Toolkit

How do you write a GDPR privacy notice?

If you are a data controller under the GDPR, you must give data subjects the information set out in Articles 13 and 14: what personal data you collect, why and on what lawful basis you process it, who receives it, how long you keep it, and what rights they have. This is usually done via a privacy notice.

When you collect personal data directly from data subjects, you should provide a privacy notice at the time of collection.

When you get personal data from another source, you should provide a privacy notice within a reasonable period and at the latest within one month. If you use the data to communicate with the data subject, the notice must be given at the latest when you first contact them; if you intend to disclose the data to another recipient, such as a data processor, it must be given at the latest when the data is first disclosed.

Privacy notices can be issued in stages (a “layered” notice), with the key information given at the point of collection and the full detail available on request or via a link.

Find out more about privacy notices

How do you write a GDPR data subject access request procedure?

Article 15 states that data controllers must confirm to data subjects whether their personal data is being processed, and, where it is, provide them with a copy of that personal data (providing it does not adversely affect the rights and freedoms of others).

They must also state:

  • The purposes of the processing;
  • The categories of personal data involved;
  • The recipients (or categories of recipients) to whom the personal data has been or will be disclosed;
  • The envisaged period for which the personal data will be stored (or, if this is not possible, the criteria used to determine that period);
  • The existence of the right to request that the controller rectify or erase the personal data or restrict processing, or to object to processing;
  • The right to lodge a complaint with a supervisory authority;
  • Where the personal data has not been collected direct from the data subject, any available information about its source; and
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject of such processing.

Data controllers must respond to data subject access requests within one month of receiving them. This period can be extended by up to two further months where requests are complex or numerous, but the data subject must be told of the extension, and the reasons for it, within the first month.

Find out more about how to respond to data subject access requests

How do you write a GDPR-compliant data protection policy?

Article 24 states that data controllers must implement “appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation”.

Where proportionate to the processing activity, these measures “shall include the implementation of appropriate data protection policies by the controller”. In practice, there will be very few processing activities that will not require a policy.

Find out more about how to write a data protection policy

How do you write a GDPR personal data breach notification procedure?

Articles 33 and 34 set out the conditions for notifying the supervisory authority of data breaches and communicating breaches to data subjects.

They state that:

  • Data processors must notify data controllers of any personal data breach “without undue delay” after becoming aware of it;
  • Data controllers must report breaches to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to data subjects’ rights and freedoms; and
  • Data subjects themselves must be notified “without undue delay” if the breach is likely to result in a high risk to their rights and freedoms.

A data breach notification procedure should set out the roles and responsibilities that will enable you to fulfil these obligations.

Find out more about writing a data breach notification procedure

How do you comply with Article 30 of the GDPR?

The principle of accountability is an essential part of the GDPR. Organisations must not only comply with the Regulation but also be able to demonstrate that they comply. This requires thorough record-keeping. Article 30 sets out the data processing records that you must maintain.

These include:

  • Your organisation’s name and contact details (and, where applicable, those of any joint controller, representative and data protection officer);
  • The purposes of the processing;
  • Descriptions of the categories of data subjects and categories of personal data;
  • The categories of recipients of personal data;
  • Details of transfers to third countries and international organisations, if applicable;
  • Envisaged data retention schedules for different categories of data, where possible; and
  • A description of the technical and organisational security measures you have implemented.

A data map will help you identify the information your organisation processes, and exactly how it is processed.

Find out more about data mapping and the GDPR
