What does an organisation need to document?

Question:
What does an organisation need to document?
Answer:

There are certain documents that every organisation processing personal data will need. These documents support good practice in data protection, enable organisations to meet their legal requirements, and allow them to demonstrate how they are complying with the law. A checklist is provided at the bottom of this resource.

Privacy notice: A privacy notice is a legal requirement. It is a public-facing document which sets out how an organisation collects, uses, shares and protects personal data, for what purposes, on what lawful basis and for how long it is kept. It gives individuals the information they need to be confident that their data is handled securely, and to access and exercise control over their personal data, including their rights to object, to erasure and to complain.

Data protection policy: This is an internal-facing document which sets out the processes the organisation uses to keep personal data safe and to comply with the law. It should document the lawful basis relied on for each type of processing, so that staff apply it consistently and it matches what the privacy notice tells individuals.

Consent: Where consent is the lawful basis, an organisation needs to document how it obtains consent from individuals and keep a record of that consent. The record should show who consented, when and how they did so, and what they were told at the time, so that the consent can be evidenced later and withdrawn as easily as it was given.

Roles and responsibilities: An organisation needs to document who processes personal data on its behalf and their levels of responsibility, including whether it has appointed a Data Protection Officer (DPO) and, if so, who that is and how they can be contacted.

Processing activities: Organisations with 250 or more employees, and smaller organisations whose processing is not occasional, is likely to result in a risk to individuals, or includes special category or criminal conviction data, must keep a record of processing activities. The record should cover the categories of data and of individuals, the purposes of processing, the lawful basis for each purpose, data sharing arrangements (including any transfers outside the jurisdiction), data retention periods, and the security measures in place.