PrivacyDocs comes with 25 pre-filled compliance documentation data tables, such as records of processing activities, data protection impact assessments, and others. Each table has several practical ready-to-use examples, together forming a reasonably compliant (virtual) company.
Tables with Documentation Data
Compliance documentation is structured in PrivacyDocs in the form of interconnected data tables.
The following image shows key GDPR compliance documentation elements that a company needs to manage:
Controller Records
According to the GDPR, a controller (you) bears the main burden of compliance responsibilities. First of all, you need to discover and register all personal data processing activities (manual and automatic) to form the Records of Processing Activities (RoPA).
For each activity, you need to record its purpose, legal basis, data subjects, categories of personal data, source of data, processing and filing systems, and recipients. These data protection documentation elements are stored in additional tables and referenced from the records.
Controllers need to conduct a few types of assessments: check the processing activities against pre-defined risk criteria; perform the Data Protection Impact Assessment (DPIA) if two or more risks are present; perform the Legitimate Interest Assessment (LIA) if the processing is based on a legitimate interest; and perform the Transfer Impact Assessment (TIA) if personal data is transferred outside the EU. In addition, personal data breaches need to be investigated.
These key tables reference various aspects of the company (departments, employees, collaborating partners: processors and other controllers). A few additional tables contain reference information, such as (standard) options for rights of individuals, review schedules, and others.
Processor Records
You may be providing services to other companies, acting as a processor for them. In the 'Processor' section, you would need to record the processing activities conducted in this role. These records are much simpler than the controller records.
Example Record of Processing Activities
The following screenshot contains an example of a record of processing activities managed by PrivacyDocs. It can be used as a template record of processing activities in your data protection documentation.
In particular, you can see that it refers to the responsible person and responsible department, data subjects, purposes, rights, risks, review schedule, and joint controllers, which are managed in separate tables. They are then referenced from the records of processing activities.
Several sample records of processing activities are included in the demo for your inspiration:
More records are available in the demo.
You can review all these tables and records in the public demo of PrivacyDocs.