What legal documents do I need to comply with GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy. It protects the personal data of individuals who are in the European Union (EU) and the wider European Economic Area (EEA), regardless of their nationality.

It also addresses the export of personal data outside the EU and EEA.

If your business is established in the EU or EEA, or processes the personal data of individuals located there (for example, by offering them goods or services or by monitoring their behaviour), you must comply with the GDPR. To do so, you will need to have the following legal documents in place:

A privacy policy that explains how you collect, use, and protect the personal data of individuals in the EU and EEA.

Here are some key things that should be included in your privacy policy if you are processing the personal data of individuals in the EU or EEA:

  1. The types of personal data you collect and why you collect it
  2. The lawful basis you rely on for each purpose (e.g. consent, performance of a contract, legitimate interests)
  3. How you collect personal data (e.g. through online forms, cookies, etc.)
  4. How you use personal data (e.g. for marketing purposes, to provide a service, etc.)
  5. How you protect personal data (e.g. through encryption, secure servers, etc.)
  6. How long you retain personal data, and why
  7. Any third parties that you share personal data with and why, and whether personal data is transferred outside the EU and EEA
  8. Individuals' rights under the GDPR, including the right to access, rectify, erase, restrict, and port their personal data, to object to its processing, and to lodge a complaint with a supervisory authority
  9. How individuals can contact you (and your data protection officer, if you have one) with questions or concerns about your privacy practices

It's important to note that your privacy policy should be easy for individuals to understand and should be written in clear and plain language. Make sure that your privacy policy is regularly reviewed and updated as needed to reflect any changes in your data processing activities.

A data protection policy that outlines the measures you have taken to secure the personal data of individuals in the EU and EEA.

Under the GDPR, you must implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, taking into account the risk to the individuals concerned.

Here are some key things that should be included in your data protection policy:

  1. A description of the technical and organizational measures you have in place to protect personal data (e.g. access controls, encryption, logging, backups)
  2. How you ensure the confidentiality, integrity, and availability of personal data, and how you restore access to it after an incident
  3. How you regularly test, review, and update your security measures
  4. How you train your staff on data protection best practices
  5. How you handle and protect personal data during disposal or destruction
  6. How you handle data breaches and report them to the relevant authorities

It's important to note that your data protection policy should be tailored to your specific business and the types of personal data you process. You should also ensure that your data protection policy is regularly reviewed and updated to reflect any changes in your data protection practices.

Data processing agreements with any processors, that is, third parties that handle the personal data of individuals in the EU or EEA on your behalf.

Under the GDPR, you are required to have a written data processing agreement in place with any processor that handles personal data on your behalf, such as a hosting provider, payroll service, or analytics vendor. A third party that decides for itself how and why to use the data is a separate controller rather than your processor, and is responsible for its own compliance.

Here are some key things that should be included in a data processing agreement:

  1. The subject matter, purpose, and duration of the processing, and the types of personal data and categories of individuals involved
  2. The obligations and responsibilities of the data processor, including processing personal data only on your documented instructions
  3. The security measures the processor will take to protect personal data, and the confidentiality obligations of its staff
  4. The rules for engaging sub-processors, and the processor's duty to impose the same obligations on them
  5. How the processor will assist you with individuals' rights requests, data breach notifications, and impact assessments
  6. Your right to audit the processor, and the processor's duty to provide the information needed to demonstrate compliance
  7. How personal data will be returned or deleted at the end of the processing
  8. The governing law and jurisdiction of the data processing agreement

It's important to note that a data processing agreement should be specific to the data processing activities being carried out and should be reviewed and updated as needed. You also need to satisfy yourself that any processor you engage provides sufficient guarantees that it will meet the GDPR's requirements, for example by reviewing its security certifications and audit reports before sharing any personal data.

A data retention policy that outlines how long you keep personal data and why.

Under the GDPR, you may keep personal data in a form that identifies individuals only for as long as is necessary for the purposes for which it was collected (the storage limitation principle). You must securely delete or anonymize personal data when it is no longer needed.

Here are some key things that should be included in a data retention policy:

  1. The types of personal data that you retain and why
  2. How long you retain each type of personal data, and the legal, regulatory, or business reason for that period
  3. How you ensure that personal data, including copies in backups and logs, is securely deleted or anonymized when it is no longer needed
  4. How you handle requests from individuals to erase their personal data, and the grounds on which such a request may be refused

It's important to note that your data retention policy should be specific to your business and should take into account any legal, regulatory, or business requirements for retaining personal data. You should also ensure that your data retention policy is regularly reviewed and updated as needed.

A data breach response plan to outline how you will respond in the event of a data breach.

Under the GDPR, a personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. A lost laptop or a ransomware attack that encrypts your records can therefore be a breach even if nobody outside your organization read the data.

Under the GDPR, you must report a data breach to your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also inform them without undue delay. You must keep an internal record of every breach, including those you decide not to report.

Here are some key things that should be included in a data breach response plan:

  1. A clear definition of what constitutes a personal data breach, and how staff should report a suspected breach internally
  2. The steps you will take to contain and mitigate the effects of a data breach
  3. The process for investigating the breach and assessing the risk to the individuals affected, which determines who must be notified
  4. The process and timeline for reporting the breach to the supervisory authority and, where required, to the affected individuals
  5. The process for communicating with the media and the public about the data breach
  6. How you will document each breach, including its effects and the remedial action taken
  7. The process for reviewing and updating your data breach response plan on a regular basis

It's important to note that a data breach response plan should be tailored to your specific business and should be reviewed and tested regularly to ensure that it is effective. You should also ensure that all staff are aware of the data breach response plan and know their roles and responsibilities in the event of a data breach. 
It's important to note that these are just some of the legal documents you may need to comply with the GDPR. Depending on your processing, you may also need, for example, a record of processing activities, data protection impact assessments for high-risk processing, or safeguards such as standard contractual clauses for transfers outside the EU and EEA. It's always a good idea to seek legal advice to ensure that you fully comply with the GDPR and other data protection laws.