“We can’t get to data protection because of all the documentation,” many companies think. In general, documentation is not an activity that triggers enthusiasm in most employees. When documentation and data protection come together, things often look even worse: the implementation of requirements that, for example, restrict the use of data and thus, from the point of view of many companies, block business opportunities must also be described and explained in detail.
Documentation should not be viewed negatively; it is not about unnecessary descriptions and records. Rather, documentation is always part of the business and also part of data protection, for many reasons. As shown below, data protection documentation is truly useful to an organization and not just a chore.
What regulators say about documentation requirements
Many companies fear that they will have to provide mountains of documents if the responsible supervisory authority carries out an examination or a data breach occurs. It is therefore worth taking a look at how the supervisory authorities themselves explain the documentation requirements.
The authorities explain: The GDPR obliges the controller to prove that personal data is processed lawfully (accountability). In addition, the GDPR provides for documentation requirements at various points, for example for the record of processing activities, for the documentation of data protection incidents, or for the documentation of instructions in the context of processing on behalf of a controller. The data protection impact assessment (DPIA), a type of risk analysis, also requires extensive documentation.
Unfortunately, the so-called record of processing activities, i.e. the list of all processing of personal data, is not a kind of overall documentation. It is a core part of data protection documentation, but not all of it.
The supervisory authorities emphasize that creating the record of processing activities does not satisfy all the documentation requirements of the GDPR. For example, the existence of consent, the lawfulness of the entire processing, and the results of data protection impact assessments must be proven by appropriate documentation.
Why this is necessary: Accountability
A key reason for having to document all of this is so-called accountability. But this does not only apply to data protection. The European Data Protection Supervisor says: Accountability is a general principle for organizations in many different fields. It is intended to ensure that organizations meet the expectations placed on them, for example in relation to the delivery of their products and their behavior towards the actors with whom they interact. Accountability is expressed in the General Data Protection Regulation (GDPR) as a principle that organizations must take appropriate technical and organizational measures and be able, upon request, to demonstrate what they have done and to demonstrate the effectiveness of their actions.
This includes, among other things, the following measures: appropriate documentation of which data is processed, in what way, for what purpose, and for how long; documented processes and procedures for resolving data protection problems early when setting up information systems and for reacting to data protection violations; and the integration of a data protection officer into organizational planning and operational processes.
What is really expected: Adequate documentation
Even if the demands made by the supervisory authorities sound very extensive: if, for example, the supervisory authority carries out an audit, nobody expects a warehouse full of data protection files.
Rather, the supervisory authorities have very clear ideas about what absolutely has to be in place. A good example is the audit of existing ransomware protections that supervisory authorities are currently carrying out.
In that case, the following documentation in particular should be available: a complete and up-to-date overview of all IT systems and IT components in use (such as clients, servers, firewalls, switches, and VPN endpoints, not forgetting the IT in home offices), i.e. an IT inventory and a network plan; a regular evaluation of information on security vulnerabilities in the components used, together with a description of patch management; a backup concept; logs for checking data traffic; a logging and analysis concept; training documentation on data protection and data security; and an authorization concept. These are the essential parts of the documentation that a supervisory authority expects here.
Admittedly, that is quite a lot of documents that should be available. But this documentation is not an end in itself, and it is not something that has to be done only for data protection. Rather, these documents should exist anyway from the point of view of the IT department and IT security. This insight already contains a key to reducing the effort involved in data protection documentation.
The most important thing: avoid duplication of effort, use synergies, see advantages
Companies produce the little-loved documentation in many areas, including areas whose importance for marketing and the company’s image is perceived much more strongly than in the case of data protection.
Quality management, for example, also requires extensive documentation. Here you should look for synergies with the documents that data protection requires. When describing a process, it is best to look at it through both lenses, that of quality management and that of data protection.
You should then also see the advantages of good documentation, because it can serve as more than proof in supervisory checks or in the event of a data breach. Good descriptions that do not concern confidential areas are suitable, for example, for onboarding and training employees.
Last but not least, good documentation can also help to uncover gaps in procedures and processes, because describing something makes its flaws more visible. Concept work on backups, for example, not only helps with GDPR accountability but can also lead to better backup processes.
Documentation should therefore never be seen as an end in itself, but as part of appropriate data protection and good corporate governance.