Why is proper personal data protection documentation so important for a company?
Drafting of complete, intelligible and functional documentation is an important part of ensuring fair processing of personal data within the organisation.
Policies and procedures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. At the same time, the GDPR requires that controllers are able to demonstrate their compliance, in line with the accountability principle imposed on them by Art. 5 of the GDPR.
What does our documentation look like?
We offer drafting of the complete documentation concerning personal data processing within the organisation, including among others:
- Personal data protection policy – a document of a general nature, establishing the broad rules of personal data protection on the basis of the GDPR provisions.
- Instruction on IT system management – defining the rules for managing the IT systems used to process personal data, taking into account the protection of personal data against threats, in particular disclosure to unauthorised persons, unlawful alteration, loss, damage or destruction.
- Records of processing activities and records of categories of processing activities – aimed at identification and description of the processing activities of the company acting as a controller or as a processor.
- Personal data retention procedure – its purpose is to limit personal data retention periods to the necessary minimum, to establish the date of erasure (or the criteria for determining that date), and to provide for periodic review of retention periods.
- Data subject rights fulfilment procedure – defines and documents the mechanisms within the organisation for fulfilling the data subject rights provided for by the GDPR.
- Personal data breach notification procedure – governs breach notification to the supervisory authority as well as communication to the data subjects within the required time limits.
- Procedure for assessing the risk to the rights and freedoms of data subjects – guidelines on conducting the assessment, together with its criteria. Its purpose is to identify the processes that pose a particular risk, including those requiring a data protection impact assessment (DPIA).
- Data protection impact assessment (DPIA) – procedure aimed at identification of the impact of the envisaged or modified processing operations on the data protection system, especially when those operations involve the use of new technologies which are likely to result in a high risk to the rights and freedoms of natural persons.
- Privacy by design and privacy by default procedure.
- Processor (contractor) selection procedure – a document setting out practical rules for assessing whether contractors provide sufficient guarantees of implementing adequate technical and organisational measures, so that the processing meets the GDPR requirements and protects the rights of the data subjects.
- Model personal data processing entrustment contracts (data processing agreements), together with guidelines on their application – model clauses and instructions on applying them when the company acts as a controller or as a processor.
- Guidelines on the processing of employee data, accompanied by model documents – detailed guidelines on the processing of employee data and on the main obligations of the controller in the HR field.
- Monitoring of employees – model provisions to be attached to the staff regulations relating to monitoring, privacy notices to be placed on the company premises, and messages to the employees.
The number, size and level of detail of the documents are adapted to the activity of the organisation, in particular to the nature of the processing operations it carries out.