To give you an idea of the complexity of compliance with the GDPR, here is a list of the documents that are commonly required.

We can provide you with a working system, but please be aware that you still have to maintain your own records, and this record-keeping is not a trivial task.

Personal Data Protection Policy
GDPR reference: Article 24(2)
Notes: The Personal Data Protection Policy is usually a high-level policy document intended to demonstrate the organisation's accountability and its commitment to the EU GDPR provisions.

Privacy Notice
GDPR reference: Articles 12, 13 and 14
Notes: This is the main way of providing the necessary information to data subjects. A Privacy Notice must be supplied to individuals at the time they provide you with their personal data (Article 13); where the data is obtained from another source, it must be supplied within a reasonable period and at the latest within one month (Article 14).

Employee Privacy Notice
GDPR reference: Articles 12, 13 and 14
Notes: This document serves the same purpose as the Privacy Notice, but it is directed towards your employees. It must be available to them, e.g. via an intranet or by email, and it should be broad enough to cover all the processing activities related to employment.

Website Privacy Policy
GDPR reference: Articles 12 and 13
Notes: This policy serves the same purpose as the Privacy Notice, but it is directed towards the data usually processed by website owners. It should be accurate and describe the processing activities undertaken when your website is visited, or when your website is used as a platform to provide goods or services.

Data Retention Policy
GDPR reference: Articles 5(1)(e), 13(1), 17, 30
Notes: This is usually a high-level policy document, for internal use only, setting out the basic rules for the retention of personal data in line with the storage limitation principle.

Data Retention Schedule
GDPR reference: Article 30
Notes: This is usually an annex to the Data Retention Policy, containing detailed and accurate retention periods for all the categories of personal data held by the organisation.

Data Protection Officer Job Description*
GDPR reference: Articles 37, 38, 39
Notes: If you are required to have a DPO, or if you wish to appoint one, specific tasks must be assigned to the role. The Task Description or Job Description is the document establishing the duties of the DPO.

Cookie Policy
GDPR reference: Articles 12 and 13
Notes: Like the Website Privacy Policy, the Cookie Policy is meant to give website visitors information about the cookies that are placed on their browsers. This is required under the transparency obligations of the EU GDPR and under Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the e-Privacy Directive, as amended by Directive 2009/136/EC). It should be specific, listing the cookies actually used and the purpose of each.

Inventory of Processing Activities**
GDPR reference: Article 30
Notes: If your organisation needs to keep such records, then be aware that they must be accurate and always up to date. The Article 30(5) exemption for organisations with fewer than 250 employees applies only where the processing is occasional, is unlikely to result in a risk to data subjects and involves no special-category or criminal-conviction data, so in practice most organisations must keep them. This could be among the first documents required of you if you were to face an investigation by a Supervisory Authority such as the ICO. It should give an overview of all of your organisation's processing activities.

Data Subject Consent Form
GDPR reference: Articles 6(1)(a), 7(1), 9(2)
Notes: If you rely on consent as a lawful basis for processing, it must always be a freely given, specific, informed and unambiguous indication of the individual's wishes. Controllers must be able to demonstrate that consent was given (Article 7(1)), so keep a record of who consented, when, how and to what.

Data Subject Consent Withdrawal Form
GDPR reference: Article 7(3)
Notes: Data subjects must be able to withdraw their consent at any time, and must be told of that right, via the privacy notice, before they give consent in the first place. It must be as easy to withdraw consent as it was to give it. The withdrawal form should therefore be simple and accessible, and using it must not be made the only way to withdraw.

Parental Consent Form
GDPR reference: Article 8
Notes: This document and the corresponding withdrawal document serve the same purposes as the Data Subject Consent Form and the Data Subject Consent Withdrawal Form, but they are aimed at children who cannot consent for themselves. Under Article 8, consent for an information society service offered directly to a child below 16 (or a lower age set by a Member State, which may not be below 13) must be given or authorised by the holder of parental responsibility.

Parental Consent Withdrawal Form
GDPR reference: Article 8
Notes: See above.

DPIA Register
GDPR reference: Article 35
Notes: Performing Data Protection Impact Assessments is a new requirement of the EU GDPR that only applies to specific processing activities, namely those likely to result in a high risk to the rights and freedoms of data subjects (for example systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special categories of data, or large-scale systematic monitoring of publicly accessible areas). DPIAs are carried out for the processing activities where you are the controller; processors must assist (Article 28(3)(f)), and if residual high risk remains you must consult the Supervisory Authority before processing (Article 36). The register records which DPIAs have been done and their outcome.

Standard Contractual Clauses for the Transfer of Personal Data to Controllers
GDPR reference: Articles 46(2)(c), 46(5)
Notes: The EU GDPR prohibits transfers outside the EEA unless the destination is covered by an adequacy decision (Article 45), appropriate safeguards are in place (Article 46) or a derogation applies (Article 49). One such safeguard, and the most popular among companies, is the use of Standard Contractual Clauses. These are issued by the European Commission and their wording must not be altered. Note that in June 2021 the Commission replaced the separate controller-to-controller and controller-to-processor sets with a single modular set (Implementing Decision (EU) 2021/914); the older sets can no longer be used for new transfers.

Standard Contractual Clauses for the Transfer of Personal Data to Processors
GDPR reference: Articles 46(2)(c), 46(5)
Notes: See above.

Supplier Data Processing Agreement
GDPR reference: Articles 28, 32, 82
Notes: The EU GDPR requires that controllers only use processors that provide sufficient guarantees to implement appropriate technical and organisational (security) measures. The Supplier Data Processing Agreement ensures that controller and processor have binding terms in place, covering the mandatory content listed in Article 28(3), to regulate the way data is processed by the processor on behalf of the controller.

Data Breach Response and Notification Procedure
GDPR reference: Articles 4(12), 33, 34
Notes: Controllers and processors alike need a centralised way to deal with personal data breaches. This is achieved by having a documented process for handling breaches so that the notification deadlines of the EU GDPR are met. The document also serves as evidence when audited by a Supervisory Authority.

Data Breach Register
GDPR reference: Article 33(5)
Notes: All personal data breaches must be recorded, even those that do not meet the notification threshold. Keep the register up to date and present it to the Supervisory Authority on request. A new requirement of the EU GDPR is that controllers must notify the Supervisory Authority of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the affected data subjects; processors must notify their controller without undue delay (Article 33(2)). Data subjects must be notified where the breach is likely to result in a high risk to their rights and freedoms (Article 34). Both notifications must include the specific information mandated by the EU GDPR (nature of the breach, contact point, likely consequences and measures taken).

Data Breach Notification Form to the Supervisory Authority
GDPR reference: Article 33

Data Breach Notification Form to Data Subjects
GDPR reference: Article 34

Employee Personal Data Protection Policy
GDPR reference: Article 24(2)

Register of Privacy Notices
GDPR reference: Articles 12, 13 and 14

Website Terms & Conditions

Guidelines for Data Inventory and Processing Activities Mapping
GDPR reference: Article 30

Data Subject Access Request Procedure
GDPR reference: Articles 7(3), 15, 16, 17, 18, 20, 21, 22

Data Subject Access Request Form
GDPR reference: Article 15

Data Subject Disclosure Form
GDPR reference: Article 15

Data Protection Impact Assessment Methodology
GDPR reference: Article 35

Cross Border Personal Data Transfer Procedure
GDPR reference: Articles 1(3), 44, 45, 46, 47, 49

Processor GDPR Compliance Questionnaire
GDPR reference: Article 46(5)

IT Security Policy
GDPR reference: Article 32

Access Control Policy
GDPR reference: Article 32

Security Procedures for IT Department
GDPR reference: Article 32

Bring Your Own Device (BYOD) Policy
GDPR reference: Article 32

Mobile Device and Teleworking Policy

Clear Desk and Clear Screen Policy
GDPR reference: Article 32

Information Classification Policy
GDPR reference: Article 32

Anonymisation and Pseudonymisation Policy
GDPR reference: Article 32

Policy on the Use of Encryption
GDPR reference: Article 32

Disaster Recovery Plan
GDPR reference: Article 32

Internal Audit Procedure
GDPR reference: Article 32

ISO 27001 Internal Audit Checklist
GDPR reference: Article 32
