iSecure logo
Personal data protection and GDPR audit

Preparing of documentation

Necessary component of personal data protection system implementation is developing of documentation required by law. Lack of it is a frequent discrepancy we discover during audits.

GDPR requires companies to implement data protection policies in the first place, the content of which, however, remains at the discretion of the company concerned.

The complete documentation of personal data protection consists of:

  • personal data protection policy
  • privacy by design and privacy by default policy
  • policy on handling GDPR inquiries
  • authorizations to personal data processing
  • confidentiality statements
  • data processing agreements
  • record of processing activities
  • record of all categories of processing activities
  • data retention policy
  • data breach records

Both GDPR and the current Polish Data Protection Act do not explicitly say what to call the documents describing the implemented security measures and what an exhaustive list of them should be.

This leads to the conclusion that the documentation, which includes a description of the safeguards in place, i.a. organisational policies, must be prepared on the basis of a previously conducted risk analysis or an audit examining the risk of non-compliance with the GDPR. This will indicate to your organisation, among other things, what procedures may be needed.

"Investing" in a package of ready-made documentation misses the point. The prerequisite for the implementation of documentation with the right content is first and foremost that the documents are prepared in a proper and tailored manner to the activities of the specific entity, which is not always the case, for example, when using templates available on the Internet.

Based on our many years of experience, we will be happy to help you tailor a data protection policy to suit your company.


Why is it important to have such documentation?

  • the possession of certain documents is directly indicated by the provisions of the GDPR,
  • during inspections, designated employees of the Data Protection Authority have the right to inspect the documentation,
  • the company must be able to demonstrate that it complies with data protection regulations - and the documentation in its possession will help prove this before the data protection authority or in court,
  • for positive PR of the brand,
  • simply to take care of the data of the employees and customers and the further development of the company.


Internal procedures are not all!

Additionally, it is important to remember that internal regulations are not the end of the GDPR documentation adventure. The effect of the implementation of GDPR in your organisation must also be visible externally, e.g. through:

  • a privacy policy posted on the website,
  • appropriate information obligations, e.g. regarding monitoring, competition, newsletter sign-up,
  • the model contract offered to contractors for the entrustment of personal data processing,
  • the content of the consent clause,
  • the website's cookie management policy.
Maria Lothamer
Vice-President of the Board
Newsletter subscription
By adding your e-mail address and confirming "Sign up" you agree to processing your e-mail address by iSecure Sp. z o.o. for the purpose of sending a newsletter about services, events, or other activities of our Company