You are currently not logged in. Any progress made will be lost.

Next Steps: Documentation for GDPR

Next Steps: Documentation for GDPR

The documentation you need to develop and have in place to adhere to data protection requirements is as follows:


Data Inventory

To compile a personal data inventory you need to undertake the following steps:

  1.     Recording of data processing activities is now required. The data inventory summarises the types of personal data you are processing and collecting.

The data inventory needs to include all personal data that you are processing. The sorts of personal data you should be including within your inventory includes both live and static data such as:

  • Your database of participants and the exact data held by name, age, email address, contact numbers, marital status, etc.
  • Participant profiles
  • Pre-tasks
  • Bank details for incentives
  • Client supplied sample e.g. customer lists
  • Survey platform outputs e.g. if you use DIY tools you will have questionnaire responses stored somewhere on your systems


  1.     Once the personal data is identified you need to specify where the personal data is stored.  For example:

  • PCs – drives, downloads, desktops
  • Mobile devices – laptops, phones, tablets
  • Back-up services – any outside of the country?
  • Emails
  • Paper records

If you have staff who work with you ensure you know where they store personal data collected for your business and recruitment purposes.

  1.     Review the grounds for processing the data.  It is most likely to be informed consent or possibly legitimate interest, but you can not assume this will be the case.  You need to be sure you have identified the correct processing grounds.


  1.     Determine who has access to the different types of personal data. Within the recruitment context this is likely to be:

  • Participants
  • Staff – full-time, part-time, casual
  • Third parties e.g. IT consultants, hostesses for groups


  1.     Identify the retention and deletion periods for the personal data held on your inventory.


  1.     Once the document is completed, review it regularly, and identify any personal data you no longer need to keep and once identified delete/destroy it securely.


Data Protection Policy

This document summarises your understanding of your legal obligations to data protection principles.  Having a data protection policy applies to everyone in the supply-chain, even those who are freelancers or part-time.

The policy states your approach and intention for personal data, in summary rather than in detail.  The policy needs to include:

  • Your commitment to following the principles of data protection
  • Who is responsible for data protection
  • Policies on data retention, data transfers, data breaches
  • Responsibilities with regard to data subject rights


Privacy Notices

Privacy notices are those statements which are directed at individuals whose personal data is being processed. In research this means participants.  Privacy policies needs to include:

  • Who you are, where you are, what you do and how you can be contacted
  • Grounds for processing e.g. consent, legitimate interest
  • What data you collect and who you share it with
  • How long you keep personal data
  • Where you store personal data and transfer personal data – confirming if it is stored and transferred to countries in the European Economic Area or outside of this Area and if so whether these countries have suitable safeguards
  • How data subject rights can be accessed by individuals
  • How individuals can complain including contacting the relevant supervisory authority (the ICO in the UK).


Data Breach Recording

It is a legal requirement of GDPR to record personal data breaches within 72 hours of discovering a breach. 

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

If you have a breach you need to document:

  • What happened
  • When it happened
  • How many people’s data is affected
  • What actions were taken immediately
  • Who has been notified
  • What further actions need to be taken

Remember you only have to notify the regulator (the ICO in the UK) and individuals affected in certain circumstances. 

The seriousness of a breach is linked to the harm it may cause to the rights and freedoms of individuals.

You may need to take legal advice to determine the seriousness of a breach and you may also have to notify your insurer. 

Staff Training

Document all the training you do with your staff.  Once staff have undertaken training, obtain signatures acknowledging that they have received and understood the training. 

Your training process should include:

  • On induction new staff undertake separate training session detailing your data protection approach
  • Provide refresher training for all staff annually
  • Provide ad hoc training when required

The overall aim of the training is to promote a culture where data protection is important, queries are welcomed and any personal data breaches are identified and reported immediately.

If you work by yourself keep up to date with data protection, and make a record of what you have undertaken and when e.g. listening to the webinar at the top of this page, attending a course.