What Are the Mandatory Documents Required by the UK GDPR?

Discover what the UK GDPR requires in terms of policies, procedures and documents in our guide.

What Are the Mandatory Documents Required by the UK GDPR (1)

Under the UK GDPR, organisations must document their processing activities to support good data governance and show compliance with other areas of the GDPR.

Along with the appropriate records, several policies and procedures must be implemented to ensure compliance. Below, we list the mandatory documentation required by the UK GDPR.

Mandatory Documents for GDPR Compliance

Data Protection Policy

A personal data protection policy is an internal document that outlines your GDPR requirements and commitment to compliance. 

In most businesses, employees will handle personal data daily. Many of these employees will have limited knowledge of the GDPR, so your policy should make it easy for them to understand. Your data protection policy will also include your commitment to GDPR’s data protection principles and data subject rights, along with the name of your Data Champion or DPO

Privacy Notice

A privacy notice explains how your organisation processes personal data. This notice must be available on your website so individuals can easily understand how you’re using their data. 

Your privacy notice will include contact details, the types of personal data you process, how long you process and store their data, along with the lawful basis for doing so. If an individual wants to know more, they will submit a subject access request (SAR) to gain more transparency. 

Employee Privacy Notice

Like your privacy notice, you must establish how you process an employee’s personal data. This should cover the time during and after an employee works for you. 

The UK GDPR promotes transparency at all levels, and with an employee privacy policy, you will be open with what you process. 

Data Retention Policy

The data protection principles require processors to store personal data only for the time needed to achieve your purpose (see ‘storage limitation’ and ‘purpose limitation’). A data retention policy specifies how long you will store data and how it will be destroyed when no longer required. 

Data Retention Schedule

A data retention schedule lists the types of personal data on record, how long you will keep them stored and guidelines for safely disposing of them. 

Data Breach Notification & Response Procedure

Under Articles 33 and 34 of the UK GDPR, you must set out what you will do in the event of a personal data breach. This includes contacting the affected data subject(s) if the violation is likely to result in a high risk to their rights and freedoms. 

If you are unfortunate to experience a breach, contact our GDPR support desk. Our team is skilled in effectively managing personal data breaches. 

Data Breach Report Form

Following your data breach procedure, you should also have a notification form if the breach must be reported to the ICO or the data subject. 

Register of Data Breach 

A data breach register is an internal record of any personal data breach that has occurred in your organisation. You must outline what happened, the impacts and any action that was taken afterwards. 

Data Sharing Agreement

A data sharing agreement is necessary when data controllers share personal data with a processor. You must outline what responsibilities each party has and what will happen at every stage. 

Data Subject Consent Form & Withdrawal of Consent Form

Consent is one of the six lawful bases for processing personal data. To gain permission, you must provide a clear consent form which outlines what you intend to do with an individual’s data. 

You should also have a withdrawal of consent form should the data subject act on their right to restrict processing

Parental Consent Form & Withdrawal of Parental Consent Form

Parents must provide consent for data processing if their children are under the age of sixteen. A parental consent form will provide this permission; a withdrawal form must be organised if they want to retract. 

Register of DPIAs

Your Data Protection Impact Assessment (DPIA) register records your organisation’s DPIA results. Find out when DPIAs are required and who should be involved in our latest blog

As you can see, the UK GDPR requires extensive documentation to ensure compliance. But this is just the mandatory list. Under certain conditions, several more policies, procedures and documents are needed. For example, if you have over 250 employees, you will need a register of processing activities (RoPA).  

Simplify GDPR Documentation with a GDPR Toolkit

Not sure where to begin with all this documentation? Our expertly-made GDPR toolkit covers all mandatory, non-mandatory and conditional documentation needed under the UK GDPR. 

Every policy, procedure and document is ready-made for easy implementation. It is available for SMEs and enterprises and as a bespoke toolkit. Contact our team to get your GDPR toolkit today