A key to complying with GDPR is to understand that it is a data protection regulation that aims to prevent organisations from processing personal data without a legal basis. With the correct documentation in place, you can determine whether the personal data processing you undertake is appropriate in its context.
Most organisations will broadly fall into one of two categories: controller of personal data or processor of personal data.
At Dapple, we use these simple definitions:
- A controller is an organisation that has decided to collect personal data, decided what data should be collected, and decided what purpose or outcome the processing is expected to achieve.
- A processor is an organisation that is given personal data by a controller, follows that controller's instructions regarding the processing of the data, and has no purpose of its own for the end result of the processing.
Both controllers and processors have obligations under GDPR, but the obligations differ.
Obligations as a controller
As a controller, you may need the following documents.
A Record of Processing Activities
A vital aspect of GDPR compliance is creating a Record of Processing Activities for your company. You might also hear it called a RoPA, Data Flows, Data Mapping, Data Processing Activities, or a Procedure Index.
Whatever you choose to call it, Article 30 requires you to maintain a record of your processing activities, whether you are a data controller or a data processor (i.e., someone carrying out processing on behalf of a controller). The point of these records is to understand your GDPR risks and to be able to demonstrate that you are in full compliance. Article 30(5) exempts organisations with fewer than 250 employees, but only where the processing is occasional, is unlikely to result in a risk to individuals, and involves no special categories of data or criminal conviction data; in practice, most organisations fall outside that exemption.
Here's a step-by-step guide to creating a Record of Processing Activities.
Data Protection Impact Assessment
Data protection impact assessments (DPIAs) are mandatory under GDPR (Article 35) for processing that is likely to result in a high risk to individuals. You will typically identify your high-risk processing as part of your RoPA.
A DPIA looks at how your organisation processes personal data and how that processing may put the rights and freedoms of individuals at risk. It is a tool for building and demonstrating compliance, and it involves evaluating the "origin, nature, particularity and severity" of that risk (Recital 84).
Learn more about how to conduct a Data Protection Impact Assessment
Legitimate Interest Impact Assessment
A legitimate interest impact assessment (LIA) is a risk assessment that a business uses to determine whether its purpose for processing personal data can rely on the legitimate interests of the business as its legal basis. Much like the DPIA, you would identify the need for an LIA when creating your RoPA.
GDPR does not list specific factors that a business must consider when determining whether its purpose for storing or processing personal data is a legitimate interest. That said, when you identify your purposes, you must define them clearly and specifically. Vague descriptions of purpose will not do, and your interests must be balanced against the rights and interests of the data subjects.
The LIA is a three-part test based on the wording of GDPR Article 6(1)(f): a purpose test (is there a legitimate interest?), a necessity test (is the processing necessary to achieve it?), and a balancing test (do the interests or fundamental rights and freedoms of the data subjects override that interest?).
Learn more about how to conduct a Legitimate Interest Impact Assessment
Transfer Impact Assessment
A Transfer Impact Assessment (TIA) is a risk assessment of the factors relating to the transfer of personal data to third countries (countries outside the EEA). Neither GDPR nor the Schrems II ruling identifies the specific factors a business must consider in such an assessment; the EDPB's Recommendations 01/2020 set out a six-step approach that is widely used in practice.
Learn whether you need to do a Personal Data Transfer Impact Assessment
Obligations as a processor
While processors do not have the same obligations as controllers under GDPR, they do have obligations of their own. Similar to a controller's RoPA, a processor is expected to keep a record of processing activities (Article 30(2)). A processor's RoPA is narrower in scope and makes clear that you are carrying out these processing activities on the documented instructions of a controller. Processors also need a written contract with each controller setting out those instructions, as required by Article 28.
How Dapple can help you comply with GDPR
Dapple guides you through the different documentation requirements. We demystify phrases such as "third countries" and create a consistent approach to identifying and measuring your GDPR compliance, so you can focus on making better privacy decisions.
Dapple is free to use, requires no upfront commitment and will quantify your privacy risks within minutes. Sign up and begin complying with GDPR today!