Does Optinmonster Have A Gdpr Template?

The documentation of processing activities is a new legal requirement under the Eu GDPR (General Data Protection Regulation).

Documenting your processing activities can as well support good information governance, and help you to demonstrate your compliance with other aspects of the GDPR.

In this post, nosotros have listed all of the documentation, policies and procedures you must take if you want to be fully GDPR compliant.

Personal Data Protection Policy (Commodity 24)

A data protection policy is a statement that sets out how your system protects personal information.

Information technology explains the GDPR'south requirements to your employees, and demonstrates your arrangement's delivery to compliance.

If yous are unsure what your information protection policy should include, this template tin assistance you lot create one in minutes.

See also: How to write a GDPR data protection policy – with template examples

Privacy Notice (Manufactures 12, 13, and fourteen)

A privacy find is a public argument of how your organization applies (and complies with) the GDPR's data processing principles.

An essential office of compliance, it serves 2 purposes: to promote transparency and to provide individuals with more control over the way their data is used.

Our customisable template can help yous produce a privacy notice in just a few minutes.

See also: How to write a GDPR data privacy notice – with template example

Employee Privacy Detect (Articles 12, 13 and xiv)

Under the GDPR, yous must exist more than transparent and open up than always before about the employee-related data you process.

It is likewise a cadre GDPR principle for employers to process 60 minutes-related data fairly and transparently. An employee privacy detect is a crucial footstep towards compliance. It explains to an private how a data controller (in this case, your organization) processes an employee's personal information.

Information Retentiveness Policy (Articles 5, 13, 17, and thirty)

A information retentivity (or records retentiveness) policy outlines your organisation'south protocol for retaining information.

It is essential that your organisation merely retains data for as long as information technology's needed.

This is because holding on to data for longer than necessary tin can take up valuable storage space and incur unnecessary costs.

When writing your data memory policy, you should consider 2 fundamental factors:

1) How you are going to organise data then it tin can be accessed at a later date; and

2) How you will dispose of data that is no longer needed.

See too: Acme tips for data retentiveness nether the GDPR

Data Retention Schedule (Article 30)

A data retentiveness (or records retention) schedule is a policy that defines how long information items must be kept.

It as well provides disposal guidelines for how data items should be discarded.

Y'all tin can create a GDPR-compliant retention and disposal schedule in minutes with our like shooting fish in a barrel-to-use and customisable templates, developed by our practiced GDPR practitioners.

Information Subject Consent Form (Articles vi, 7, and 9)

Consent is one lawful ground for processing personal information, and explicit consent can also legitimise the use of special category data.

If your organisation is processing personal information for a specific purpose, you must obtain permission from the data subjects in question with a consent form.

Consent under the GDPR is ofttimes misunderstood and mismanaged.

Below, nosotros have outlined all-time-practice guidance for writing a GDPR consent course.

Unsure what your consent procedures should include?

Our easy-to-use and customisable templates can help you lot create a GDPR-compliant consent process in minutes.

Supplier Data Processing Agreement (Manufactures 28, 32, and 82)

If you lot utilise another organisation (i.e. a sub-processor) to assist with your processing of personal data, you need to have a written contract in place with that sub-processor.

This is known as a supplier data processing agreement.

DPIA Register (Article 35)

The DPIA Annals is used to certificate your arrangement's Information Protection Bear upon Analysis (DPIA).

To learn more than most how to bear a DPIA, see our information page: Data Protection Touch on Assessments under the GDPR.

Information Breach Response and Notification Procedure (Articles 4, 33, and 34)

You must create a process that applies in the effect of a personal data breach under Article 33 – "Notification of a personal information breach to the supervisory say-so" – and Article 34 of the GDPR – "Communication of a personal information alienation to the data field of study".

Beneath is an example of what a information alienation notification might look like, bachelor from the marketplace-leading Eu GDPR Documentation Toolkit:

For assist writing your information alienation notification procedure, run into: How to write a GDPR data breach notification process – with template case.

Data Breach Register (Article 33)

You must maintain an internal record of all personal information breaches in a Information Alienation Register.

The information breach annals should comprise details of the facts surrounding the alienation, the effects of the breach, and any remedial action taken.

Data Breach Notification Class to the Supervisory Authority (Commodity 33)

If you have experienced a personal information breach that needs to exist reported to the ICO, you lot volition need to fill up in the advisable data alienation notification form.

For more data on data breach reporting, visit the ICO's website.

Information Breach Notification Course to Data Subjects (Article 34)

You lot will need to complete a Data Breach Notification Form to Data Subjects if you take experienced a personal data alienation that is likely to result in a "high gamble to the rights and freedoms" of an individual.

GDPR documentation only required under certain conditions

Some GDPR documents are only applicable under certain conditions, including:

Data Protection Officeholder Job Description (Articles 37, 38, and 39)

Y'all need to appoint a DPO if:

You are a public authority or body, except for courts acting in their judicial chapters;
Your core activities consist of processing operations that require regular and systematic monitoring of information subjects on a large scale; or
Your core activities process on a big-scale special categories of data and personal information relating to criminal convictions and offences.

Inventory of Processing Activities (Article thirty)

This document is mandatory if:

Your organisation has more than 250 employees; or
The processing you carry out is likely to event in a risk to the rights and freedoms of information subjects; or
The processing is not occasional; or
The processing includes special categories of data; or
The processing includes personal information relating to criminal convictions and offences.

Standard Contractual Clauses for the Transfer of Personal Information to Controllers (Article 46)

This document is mandatory if you lot are transferring personal data to a non-EU fellow member state and you are relying on model clauses as your lawful grounds for cross-border data transfers.

Standard Contractual Clauses for the Transfer of Personal Data to Processors (Article 46)

This document is mandatory if y'all are transferring personal data to a processor outside the European Economic Expanse (EEA) and yous are relying on model clauses as your lawful grounds for cross-border data transfers.

GDPR documentation: simplified

Encounter requirements apace and avert expensive consultancy fees with the market-leading GDPR Toolkit.

Written past lawyers and expert practitioners, information technology's the almost comprehensive toolkit on the market containing all the GDPR policies and procedures you lot need to demonstrate compliance while significantly reducing your implementation costs.

More than 3,000 organisations worldwide are already using the GDPR toolkit to simplify and accelerate their projection. If you lot need help achieving GDPR compliance, this toolkit is for you.

A version of this blog was originally published on 14 September 2017.