A necessary component of implementing a personal data protection system is developing the documentation required by law. Its absence is a frequent discrepancy we discover during audits.
First and foremost, the GDPR requires companies to implement data protection policies; their content, however, remains at the discretion of the company concerned.
The complete documentation of personal data protection consists of:
Neither the GDPR nor the current Polish Data Protection Act explicitly says what the documents describing the implemented security measures should be called or what an exhaustive list of them would be.
This leads to the conclusion that the documentation, which includes a description of the safeguards in place, including organisational policies, must be prepared on the basis of a previously conducted risk analysis or an audit examining the risk of non-compliance with the GDPR. This will indicate to your organisation, among other things, what procedures may be needed.
"Investing" in a package of ready-made documentation misses the point. The prerequisite for implementing documentation with the right content is, first and foremost, that the documents are prepared properly and tailored to the activities of the specific entity, which is not always the case, for example, when using templates available on the Internet.
Based on our many years of experience, we will be happy to help you tailor a data protection policy to suit your company.
Additionally, it is important to remember that internal regulations are not the end of the GDPR documentation adventure. The effect of the implementation of GDPR in your organisation must also be visible externally, e.g. through: