Expert tip: How to fill out and use GDPR templates in your company



So, you got a GDPR template package during the GDPR frenzy (If not – get ours here for free). By now, you know it’s a legal requirement to do something about personal data, i.e. GDPR… But – the templates you receieved look terribly boring. Moreover, what do you actually do with them? How do I input the right information the right places? What is my legal basis for collecting personal data? What is my legitimate use of personal data?

At this point my guess is, you’d rather watch white paint dry than filling out GDPR templates. Do not worry: we got your back. In this post, we will provide some guidance and hopefully get you from the above outset to “Aaaah – that’s what it is…”.

First, we will start with some general introductions to get the full picture, and then we will go into the specific templates.

1. Introduction

The General Data Protection Regulation (“GDPR”) has entered into force throughout Europe and as a company, you should be dedicated to observe all relevant regulation. GDPR is all about personal data and how to safeguard it, minimize handling of it and have sufficient measures in place. The rules are important but they may seem very complex to the untrained eye.

2. Personal data

The term “personal data covers any information relating to an identified or identifiable natural person (called a “data subject”). Such information may be information on name, contact information, e-mail, phone number, location data, payroll information or anything else that can identify a data subject.

Basically, this means that all companies process loads of personal data every day. And it’s okay but you should have the right approach to do so.

3. Have the right approach to GDPR

We take the obligation to process personal data in an orderly and secure manner very seriously. The protection of personal data and the rights and integrity of individuals is of paramount importance.

But let’s not get carried away: to be very honest, we all know that this is another burden put on you and your business. And it is not a light one. This really entails a lot of work. Very few companies have the setup to handle it, and many does not have the time to do so.

You need a plan, and you need to focus on important matters – not go for 100% compliance. Nobody will be fully GDPR compliant. It is simply not possible. There is always something that could be done better. Therefore, strive for some compliance – not full compliance.

Our approach is to identify key risk areas and handle those. Also, there are some easy wins – for instance getting policies and procedures in place. It is a one-time investment and then you have it. That’s also why we are giving them away for free.

4. The policies and procedures should be available throughout your company

It is important that personal data is processed with care and a proper risk-based approach that is proportionate to your company and its business.

All employees must commit themselves to the adherence to these policies and procedures.

Make sure that you emphasize this importance. There are plenty of ways to do so, but a very efficient one is to have a simple quiz about the content of them. And it also creates some healthy competition.

5. Data protection responsible

Consider whether you need to have a true data protection officer. However, you always need someone who is responsible for GDPR in your company. Since you are reading this, it’s probably you.

The data protection responsible oversees compliance with data protection rules, conducts/facilitates training of employees, initiates audits and handles all questions with respect to personal data.

6. The general principles applied

To ensure a high standard for processing personal data, you must adhere to the following general principles:

a) Lawfulness and fairness
Personal data should be processed in a lawful and fair manner and in accordance with the data subjects’ rights.

b) Purpose limitation
Personal data should only be collected for specified, explicit and legitimate purposes. Further, personal data should solely be used for the purposes for which the data was originally collected.

c) Transparency
When collecting personal data from data subjects or via third-parties, you must ensure that the data subject(s) in question will be provided with the information required by applicable law. Furthermore, data subjects are at all times entitled to request information on what personal data is collected about them.

d) Data minimisation
Any personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, i.e. do not collect the name of a data subject’s dog if it is not necessary.

e) Accuracy
Any personal data processed must be accurate and, where necessary, kept up to date.

f) Storage limitation and retention
Personal data should only be processed in a way that is necessary, i.e. do not store it places it does not belong or in multiple copies. It should permit identification of data subjects for no longer than is necessary for the purposes for which the personal data is collected and processed. Each of us must ensure personal data is deleted in a correct manner.

g) Confidentiality
Any personal data that is processed is regarded as confidential information and should always be handled with special care.

7. Training

You should conduct training (webinars, quizzes, seminars etc.) of your employees regarding applicable data protection rules and these policies and procedures. You can find a lot of good (and free) online resources for this and remember that proportionality also applies here. Are you a low risk company, then training is less needed and vice versa.

8. Audits

Processes for regular data audits with the view of managing and mitigating risks should be in place. As a starting point, all policies and procedures must be reviewed at least once every year. The same goes for testing the processing of personal data within the company to identify any risks or non-compliance.

9. The documents forming part of our GDPR template package

The following documents are part of our “GDPR package”. Each and every document in this package is important and should be carefully considered by you. It might not be relevant for you to implement all of them in your organization. For instance, you do not need a cookie policy, if you do not use cookies or have a website at all.

Below you will find a short description of each template and why they are part of our package:

1. Internal processing procedures

Your organization has to be aligned, and the right preparedness and employee training is key to a successful implementation on your path to GDPR compliance. You all need to know what we can do with incoming and existing personal data, access levels, deletion policies etc. This processing procedure can be split into multiple procedures not to make it too complicated. This could be the case if you have more departments that handle very different data (it is explained more in the template).

2. Data breach procedures

Do you know when you have to inform about a data breach? You all need to know what a “data breach” is and who to go to in the event of a breach. Furthermore, your data protection responsible needs to know if she/he has to inform the supervisory authority and/or the data subjects in case of a breach.

3. Data breach log

A log of all breaches, big or small, is required by law and has to be kept updated by the data protection responsible. Doesn’t matter if you do not have to inform anyone about the breach – it still has to be in the log.

4. Data breach notification template

Some data breaches need to be reported to the authorities within 72 hours. This document sets out some guidance on these instances as well as the information to be included. This document is mainly for the data protection responsible.

5. Privacy policy

If you gather any personal data, you have to update your privacy policies with the new GDPR standards. The template contains a GDPR compliant template text, but some information has to be filled in by you, e.g. what kind of personal data you process and for what purposes. This has to be kept updated at all times. This is especially important if you are creating websites, landing pages or similar for marketing and sales purposes.

Remember the distinction between non-sensitive and sensitive personal data. If you are not processing the latter, there is a bit of text that can be deleted (it is clearly stated in the policy).

If you are in doubt what to put in certain sections, you can always write us, and we will help out. We also recommend looking at well-reputed websites and getting inspiration from their policies and its content. Don’t copy it – just get into the thinking.

This policy should be available on your website.

6. Cookie policy

Contains all necessary information on cookies. What they are and which types, including information on how to delete or avoid certain types of cookies. In this template you will find a complete GDPR compliant text but an actual cookie software (can be a good idea to look into) is not included. Visitors to your website(s) needs to know which cookies you use and store about them and has to be filled in by you. This has to be kept updated at all times. This is especially important if you are creating websites, landing pages or similar for marketing and sales purposes.

A service like cookiebot.com can help you with identifying your cookies – and it’s free.

This policy should be available on your website.

7. Data processing agreement

A complete template on a data processing agreement (“DPA”). If you need to process data for someone else or if you ask someone to process data for you, you need a DPA to make sure that the roles are set in stone. The DPA is a GDPR requirement.

8. Access request procedure

You need to know exactly what to do in case of a “data access request”, i.e. when a data subject asks for their data or anything in relation to their data. This policy contains guidelines on how you can handle such requests.

9. Employee Data Consent Form

You as a company are also handling personal data about all employees to fulfil the employment relationship. To inform all employees in a consistent manner, we made a template for informing all employees about your processing of personal data on employees.

10. How to fill in the templates?

Because every company is different there are some information that we can simply not include in our templates. This you need to fill in yourselves.

All places are marked with yellow and sharp brackets “[XX]”.

Be aware that some places, you need to delete the information text that we have inserted. In those cases, it should be stated that you need to delete the text.

Once you have filled in the templates, you should make them available internally with your company and make sure that all employees know (and have read) them. Not an easy task but very necessary.

If you have trouble or questions about filling out GDPR templates, let us know and we’re ready to help you out. What you need to do is to comment below and we’ll be sure to give you the answer you need.

How we might help
Archii GDPR gets you part of the way by removing the tedious task of manually finding personal data in documents. This is documents located across human-governed locations such as e-mail and file locations. Instead of finding data manually, you can do it by the click of a button. This limits the amount of control management need to conduct, as each person need to click a button and the admin gets an automatic overview of where personal data in documents is located. Go check it out here.