Under the GDPR organisations must be able to prove that they are compliant with the law.
This is known as ‘accountability’.
Organisations need to implement appropriate technical and organisational measures. These include policies.
Every organisation should have a data protection and an information security policy at least.
Other documents to consider (the list is not exhaustive) might include:
Procedures for dealing with requests by people to exercise rights e.g. subject access;
Data sharing agreements;
Teleworking (working outside the office) policy;
Information classification, labelling and handling policy;
Password policy;
Records management policy;
Data breach response plan.
For further information please contact us.