How to ensure GDPR compliance documentation using ISMS Copilot

Overview

You'll learn how to use ISMS Copilot to create and maintain comprehensive GDPR compliance documentation, from data processing inventories and privacy policies through Data Protection Impact Assessments and breach response procedures.

Who this is for

This guide is for:

  • Data Protection Officers managing GDPR compliance programs

  • Privacy professionals creating GDPR documentation

  • EU-based organizations processing personal data

  • Non-EU companies offering services to EU residents

  • Organizations combining GDPR with ISO 27001 or SOC 2

Prerequisites

Before starting, ensure you have:

  • An ISMS Copilot account (free trial available)

  • Understanding of personal data your organization processes

  • Access to existing privacy policies and data processing agreements

  • Knowledge of your data flows and third-party processors

Before you begin

What is GDPR? The General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679, which governs how organizations collect, process, store, and delete the personal data of EU residents. It establishes individual rights, organizational obligations, and enforcement through significant fines (up to €20M or 4% of global revenue).

GDPR applies to you if: You offer goods/services to EU residents OR monitor behavior of EU residents, regardless of where your organization is located. US, UK, and global companies must comply when processing EU personal data. Non-compliance can result in regulatory investigations and substantial fines.

Documentation is mandatory: GDPR Article 5(2) requires demonstrating compliance through documentation. Verbal policies or informal processes are insufficient—you must maintain comprehensive records of processing activities, decisions, and compliance measures.

Understanding GDPR documentation requirements

Mandatory documentation

GDPR explicitly requires these documented elements:

Document                                 | GDPR Article    | Purpose
-----------------------------------------|-----------------|-------------------------------------------------------------
Privacy Notice/Policy                    | Articles 13-14  | Inform data subjects how their data is processed
Record of Processing Activities (ROPA)   | Article 30      | Inventory all personal data processing activities
Data Processing Agreements (DPA)         | Article 28      | Contracts with third-party data processors
Data Protection Impact Assessment (DPIA) | Article 35      | Evaluate high-risk processing activities
Consent Records                          | Article 7       | Demonstrate valid, informed consent obtained
Data Breach Register                     | Article 33      | Document all personal data breaches
Data Subject Rights Procedures           | Articles 15-22  | Process access, rectification, erasure, portability requests
Legitimate Interest Assessment (LIA)     | Article 6(1)(f) | Justify processing based on legitimate interests

Role-specific requirements

Documentation obligations vary by role:

  • Data Controller: Determines purposes and means of processing; responsible for ROPA, privacy notices, DPIA, consent management

  • Data Processor: Processes data on behalf of controller; requires DPAs, processing records, security measures documentation

  • Both roles: Many organizations are controllers for some processing (e.g., employee data) and processors for others (e.g., customer data on behalf of clients)

Step 1: Set up your GDPR workspace

Create dedicated workspace

  1. Log into ISMS Copilot

  2. Create new workspace: "GDPR Compliance - [Your Organization]"

  3. Add custom instructions:

GDPR compliance context:

Organization: [Company name]
Location: [HQ location, operating regions]
Role: [Data Controller / Data Processor / Both]
Industry: [SaaS, e-commerce, healthcare, marketing, etc.]
Size: [employees, EU customers/users]

Data processing:
- Personal data types: [names, emails, IPs, health data, financial data, etc.]
- Special category data: [Yes/No - if yes, specify: health, biometric, etc.]
- Processing purposes: [marketing, service delivery, analytics, etc.]
- Data sources: [website forms, API, third parties]
- Third-party processors: [cloud providers, payment processors, tools]

Compliance status:
- DPO appointed: [Yes/No]
- Existing documentation: [list what you have]
- Main gaps: [areas needing work]
- Integration: [also pursuing ISO 27001/SOC 2]

Preferences:
- Reference specific GDPR articles
- Provide DPA-ready language
- Consider multi-framework alignment (GDPR + ISO 27001)
- Suggest practical implementations for [startup/SMB/enterprise]

Step 2: Create Record of Processing Activities (ROPA)

What is ROPA and who needs it?

Article 30 requires organizations with 250 or more employees, and smaller organizations whose processing is likely to result in risk or is not merely occasional, to maintain a ROPA documenting all of their personal data processing activities.

Generate ROPA structure

Ask ISMS Copilot to create your ROPA template:

"Create a GDPR Article 30 Record of Processing Activities (ROPA) template for a [data controller/processor]. Include columns: Processing Activity Name, Purpose of Processing, Legal Basis (Article 6), Categories of Data Subjects, Categories of Personal Data, Categories of Recipients (who receives data), Third Country Transfers (if applicable), Retention Period, Security Measures. Explain each column's requirements."

Inventory processing activities

Identify all processing operations:

"For a [company type: SaaS platform, e-commerce site, marketing agency], identify common personal data processing activities to include in ROPA. Consider: customer account management, marketing communications, payment processing, customer support, analytics, employee HR management, vendor management. For each activity, describe what personal data is processed and why."

Document each processing activity

Create detailed entries:

"For our processing activity [customer account management], complete the ROPA entry: Processing name: 'Customer Account Registration and Management'. Purpose: [describe]. Legal basis: [Contract performance / Legitimate interest / Consent]. Data subjects: [existing customers, prospects]. Personal data categories: [name, email, company, IP address, usage data]. Recipients: [internal teams, cloud provider AWS]. Retention: [account lifetime + 2 years]. Security: [encryption at rest/transit, access controls, MFA]."

Address special category data

If processing sensitive data:

"We process [health data / biometric data / racial data] for [purpose]. What additional GDPR requirements apply? Update our ROPA entry to include: Article 9 legal condition (explicit consent, medical purposes, etc.), enhanced security measures required, necessity and proportionality justification, and DPIA requirement assessment."

ROPA is a living document: Update the ROPA whenever you add new processing activities, change purposes, add third parties, or modify retention periods. An outdated ROPA during a DPA inspection creates compliance risk and undermines your accountability demonstration.

Step 3: Develop privacy notices and policies

Create external privacy notice

Articles 13-14 transparency requirements:

"Create a GDPR-compliant Privacy Notice for our [website/app/service] including: data controller identity and contact details, DPO contact (if applicable), purposes of processing, legal basis for each purpose, recipients or categories of recipients, international transfers details, retention periods or criteria, data subject rights (access, rectification, erasure, restrict, object, portability, withdraw consent), right to lodge complaint with supervisory authority, whether providing data is contractual/statutory requirement, and automated decision-making details (if applicable). Make it clear and accessible for non-legal audiences."

Develop internal privacy policy

For employees and internal processes:

"Create an internal Data Protection Policy for GDPR compliance covering: policy scope and applicability, data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability), roles and responsibilities (DPO, data owners, processors), data handling requirements (collection, processing, storage, deletion), security obligations, breach notification procedures, data subject rights fulfillment process, training requirements, and policy enforcement. Target audience: all employees."

Create cookie policy

For websites using cookies:

"Create a Cookie Policy for our website explaining: what cookies are, what cookies we use (essential, analytics, marketing), purpose of each cookie type, third-party cookies (Google Analytics, etc.), how users can control cookie preferences, and impact of refusing cookies. Also provide cookie consent banner text that's GDPR-compliant: granular consent options, pre-checked boxes forbidden, easy opt-out."

Tailor to specific data subjects

Different notices for different contexts:

"Create separate privacy notices for: 1) Website visitors (browsing, cookies), 2) Customer accounts (service delivery), 3) Email marketing subscribers (marketing communications), 4) Job applicants (recruitment), 5) Employees (HR processing). For each, specify: relevant personal data, processing purposes, legal bases, and retention periods specific to that relationship."

Pro tip: Privacy notices must be provided BEFORE collecting data, not as an afterthought. For web forms, include notice text or link immediately adjacent to data collection fields. Ask: "Design a privacy notice presentation strategy for our [signup form/checkout page/contact form]."

Step 4: Create Data Processing Agreements (DPAs)

When DPAs are required

Article 28 mandates written contracts with any third party that processes personal data on your behalf (processors).

Generate DPA template

Create controller-processor agreement:

"Create a GDPR Article 28 Data Processing Agreement template between our organization (controller) and [cloud service provider / payment processor / email marketing tool] (processor). Include mandatory clauses: subject matter and duration, nature and purpose of processing, types of personal data and categories of data subjects, controller obligations and rights, processor obligations (Article 28(3) requirements: process only on instructions, ensure confidentiality, implement security measures, engage sub-processors only with consent, assist with data subject rights, assist with security incidents and DPIAs, delete or return data at contract end, demonstrate compliance). Make it enforceable and GDPR-compliant."

Identify your processors

Inventory third parties handling your data:

"We use these third-party services: [list: AWS, Google Workspace, Stripe, Mailchimp, Zendesk, etc.]. For each, determine: Are they data processors or controllers? What personal data do they access? Do we need a DPA with them? Do they already provide standard DPAs? What additional contractual protections do we need beyond their standard terms?"

Address sub-processors

When processors use their own processors:

"Our processor [vendor name] uses sub-processors for [services]. What GDPR requirements apply? Draft DPA language covering: general authorization for sub-processors (with notification) vs. specific authorization required, processor's liability for sub-processor compliance, obligation to impose equivalent GDPR obligations on sub-processors, and our right to audit sub-processor compliance."

Step 5: Conduct Data Protection Impact Assessments (DPIAs)

When DPIA is mandatory

Article 35 requires DPIA for processing likely to result in high risk, including:

  • Systematic and extensive automated processing with legal/significant effects (profiling)

  • Large-scale processing of special category data (health, biometric, etc.)

  • Systematic monitoring of publicly accessible areas at large scale (CCTV)

  • New technologies or novel processing methods

Assess if DPIA is needed

Evaluate your processing:

"We process personal data for [describe activity: AI-driven customer scoring, health monitoring app, facial recognition, behavioral advertising]. Assess if GDPR Article 35 DPIA is required. Consider: Is there automated decision-making with legal/significant effects? Is it large-scale processing? Does it involve special category data? Is there systematic monitoring? Is it a new technology? Provide recommendation with rationale."

Create DPIA template and process

Structure your impact assessment:

"Create a DPIA template for GDPR Article 35 compliance including sections: description of processing operations and purposes, assessment of necessity and proportionality, assessment of risks to data subject rights and freedoms (likelihood and severity), measures to address risks (technical and organizational), safeguards and security measures, and demonstration that risks are appropriately mitigated. Include risk assessment methodology (likelihood × impact matrix)."

Conduct DPIA for specific processing

Complete assessment for high-risk activities:

"Conduct a DPIA for our [AI-powered customer analytics platform]. Processing details: We analyze customer behavior data (browsing history, purchase patterns, demographics) using machine learning to predict churn risk and personalize marketing. Data subjects: 100,000+ EU customers. Assess: What are the risks to data subject rights (profiling, discrimination, privacy intrusion)? What safeguards mitigate these risks (human review, opt-out, transparency, data minimization)? Is residual risk acceptable or does processing need redesign?"

Consult DPO and stakeholders

DPIAs require consultation:

"For our DPIA on [processing activity], who must we consult? Draft consultation questions for: DPO (compliance assessment), data subjects or representatives (acceptability of processing and safeguards), IT security team (technical risk mitigation), legal team (legal compliance), and business stakeholders (necessity and proportionality). How do we document consultation outcomes?"

Prior consultation with DPA: If DPIA shows high residual risk even after mitigation, Article 36 requires consulting your Data Protection Authority BEFORE starting the processing. Skipping this consultation when required is a serious violation.

Step 6: Establish data subject rights procedures

Understand data subject rights (Articles 15-22)

GDPR grants individuals eight rights:

  1. Right of Access (Art. 15): Obtain copy of their personal data

  2. Right to Rectification (Art. 16): Correct inaccurate data

  3. Right to Erasure / "Right to be Forgotten" (Art. 17): Delete data in certain circumstances

  4. Right to Restriction (Art. 18): Limit processing in certain situations

  5. Right to Data Portability (Art. 20): Receive data in machine-readable format

  6. Right to Object (Art. 21): Object to processing, especially for marketing

  7. Rights related to Automated Decision-Making (Art. 22): Challenge automated decisions

  8. Right to Withdraw Consent (Art. 7(3)): Withdraw consent as easily as given

Create rights fulfillment procedures

Document how you handle each right:

"Create procedures for handling GDPR data subject rights requests including: request intake process (how users submit requests, request form template), identity verification (how to authenticate requestor), response timelines (1 month standard, extensions with justification), request fulfillment steps for each right type, fee policy (generally free, excessive requests may incur fee), refusal criteria (when requests can be denied, how to justify), documentation requirements (log all requests and responses), and escalation process for complex requests. Make it operational for customer support teams."

Design access request (SAR) response

Most common request type:

"For GDPR Subject Access Requests, create: 1) Data export format (what information to include: data categories, purposes, recipients, retention, sources, automated decision-making), 2) Data presentation format (structured, intelligible, commonly used), 3) Technical implementation (how to extract user data from [your systems], format it, deliver securely), 4) Response template letter explaining the data provided. Ensure we can fulfill requests within 30 days."

Handle erasure requests complexity

Deletion isn't always straightforward:

"For Right to Erasure requests, address: When can we refuse (legal obligations, contractual necessity, legitimate interests)? What data must be deleted vs. anonymized vs. retained? How to delete from backups? How to notify third parties we shared data with? How to document erasure for audit trail? Create decision tree for evaluating erasure requests."

Pro tip: Automate data subject rights workflows where possible. Ask: "How can we technically implement automated data export for Subject Access Requests? What database queries, scripts, or tools can extract all data related to a specific user email/ID?"

Step 7: Develop breach notification procedures

Understand notification requirements

GDPR breach notification obligations:

  • Article 33 - DPA notification: Report breaches to supervisory authority within 72 hours (unless unlikely to result in risk)

  • Article 34 - Individual notification: Notify affected individuals without undue delay if high risk to rights and freedoms

Create breach response plan

Prepare for incidents:

"Create a GDPR personal data breach response procedure including: breach definition (what constitutes a personal data breach), detection and reporting (how breaches are identified, internal escalation), breach assessment (severity evaluation, risk to individuals), 72-hour notification workflow to DPA (what information to provide per Article 33, notification template), individual notification process (when required, communication template, delivery method), breach register maintenance (log all breaches per Article 33(5)), post-incident review, and roles/responsibilities. Make it actionable under time pressure."

Create notification templates

Draft templates in advance:

"Create two breach notification templates: 1) DPA notification (Article 33) including: breach description, personal data categories and approximate number of individuals affected, contact point (DPO), likely consequences, measures taken or proposed to address breach and mitigate harm. 2) Individual notification (Article 34) in plain language describing: nature of breach, contact point, likely consequences, measures taken/proposed, recommended actions for affected individuals. Make templates ready to populate with incident details."

Establish breach register

Document all breaches:

"Create a personal data breach register template including: Breach ID, Date detected, Date reported to DPA (if applicable), Description of breach, Personal data affected (categories and volume), Individuals affected (number), Root cause, Containment actions taken, DPA notification required (Yes/No/Assessment), Individual notification required (Yes/No), Risk level (Low/Medium/High), Status (Open/Investigating/Resolved), Lessons learned. This register must be maintained even for breaches not reported to DPA."

72-hour clock starts at breach awareness: When you become aware of a potential breach, the 72-hour notification clock starts immediately. "Awareness" means when you have sufficient information to determine a breach occurred, not when investigation completes. Plan breach assessment processes that can conclude within 72 hours.
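As an added illustration (not part of the original guide and not ISMS Copilot's own code), here is a Python sketch of the breach register described above, with the 72-hour clock computed from the moment of awareness rather than from detection or the end of the investigation. Field names, the risk-to-notification mapping and the two sample incidents are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

# Article 33(1): notify the supervisory authority within 72 hours of awareness
NOTIFICATION_WINDOW = timedelta(hours=72)


class Risk(str, Enum):
    LOW = "Low"        # modelled as "unlikely to result in a risk" (assumption)
    MEDIUM = "Medium"
    HIGH = "High"


@dataclass
class BreachRecord:
    breach_id: str
    detected_at: datetime   # first indication that something was wrong
    aware_at: datetime      # enough information to conclude a breach occurred
    description: str
    data_categories: List[str]
    individuals_affected: int
    risk_level: Risk
    root_cause: str = ""
    containment: str = ""
    reported_to_dpa_at: Optional[datetime] = None
    status: str = "Open"
    lessons_learned: str = ""

    def dpa_deadline(self) -> datetime:
        # The clock runs from awareness, not from detection or end of investigation
        return self.aware_at + NOTIFICATION_WINDOW

    def dpa_notification_required(self) -> bool:
        # Article 33(1): notify unless the breach is unlikely to result in a risk
        return self.risk_level != Risk.LOW

    def individual_notification_required(self) -> bool:
        # Article 34(1): notify individuals only when there is a high risk
        return self.risk_level == Risk.HIGH

    def is_overdue(self, now: datetime) -> bool:
        return (self.dpa_notification_required()
                and self.reported_to_dpa_at is None
                and now > self.dpa_deadline())

    def reported_late(self) -> bool:
        # A late report must state the reasons for the delay (Article 33(1))
        return (self.reported_to_dpa_at is not None
                and self.reported_to_dpa_at > self.dpa_deadline())


class BreachRegister:
    """Article 33(5): every breach is recorded, including those not reported to the DPA."""

    def __init__(self) -> None:
        self._records: Dict[str, BreachRecord] = {}

    def add(self, record: BreachRecord) -> None:
        if record.aware_at < record.detected_at:
            raise ValueError("awareness cannot precede detection")
        if record.breach_id in self._records:
            raise ValueError(f"duplicate breach id {record.breach_id}")
        self._records[record.breach_id] = record

    def record_dpa_report(self, breach_id: str, reported_at: datetime) -> None:
        self._records[breach_id].reported_to_dpa_at = reported_at

    def overdue(self, now: datetime) -> List[str]:
        return sorted(r.breach_id for r in self._records.values() if r.is_overdue(now))

    def entries(self) -> List[BreachRecord]:
        return list(self._records.values())


def build_sample_register() -> BreachRegister:
    """Constructed sample entries, not real incidents."""
    reg = BreachRegister()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    reg.add(BreachRecord("BR-0001", t0, t0 + timedelta(hours=5),
                         "Misdirected export of a customer contact list",
                         ["name", "email"], 1200, Risk.MEDIUM,
                         root_cause="Wrong recipient on a scheduled report"))
    reg.add(BreachRecord("BR-0002", t0, t0 + timedelta(hours=1),
                         "Lost laptop with full-disk encryption enabled",
                         ["name", "employee id"], 40, Risk.LOW,
                         containment="Remote wipe issued"))
    return reg
```

Note that BR-0002 stays in the register even though no DPA notification is required, and that the deadline for BR-0001 is 77 hours after detection because awareness came 5 hours later.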

Step 8: Manage legal bases and consent

Determine the legal basis

Consent (Article 6(1)(a)) is ONE legal basis and is not always required:

"For our processing activities [list activities], determine appropriate legal basis: Consent (freely given, specific, informed, unambiguous), Contract (necessary for contract performance), Legal Obligation (required by law), Vital Interests (life or death), Public Task (official authority), or Legitimate Interest (with balancing test). For each activity, recommend legal basis with justification. When is consent the right choice vs. other bases?"

Design consent collection

GDPR consent requirements (Article 7):

"Create consent collection mechanisms meeting GDPR requirements: freely given (no bundling, genuine choice, no detriment for refusal), specific (separate consent for different purposes), informed (clear information about processing), unambiguous (affirmative action, pre-ticked boxes forbidden), easy to withdraw (as easy as giving), and documented (who, when, what, how). Design consent forms and cookie banners accordingly."

Keep consent records

Article 7(1) requires demonstrating that consent was given:

"Create a consent record keeping system documenting: who gave consent (data subject identifier), when consent was given (timestamp), what they consented to (specific purpose and processing description), how consent was obtained (form version, checkbox text), consent mechanism used (opt-in checkbox, explicit action), and consent status (active, withdrawn, expired). How do we store and retrieve this for compliance demonstration?"
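As an added example (not from the original guide and not ISMS Copilot's own code), the following Python ledger records the who, when, what and how of each consent, refuses mechanisms that cannot produce valid consent, keeps withdrawal history instead of deleting it, and treats consent as purpose-specific. Field names, the list of invalid mechanisms and the sample subject are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Mechanisms that cannot produce valid consent (Article 7, Recital 32); assumed list
INVALID_MECHANISMS = {"pre-ticked box", "silence", "inactivity"}


@dataclass
class ConsentEvent:
    subject_id: str                 # who
    purpose: str                    # what: one specific purpose per event
    given_at: datetime              # when
    form_version: str               # how: the exact form shown
    checkbox_text: str              # how: the wording the subject agreed to
    mechanism: str                  # how: e.g. "opt-in checkbox"
    withdrawn_at: Optional[datetime] = None

    def status(self) -> str:
        return "withdrawn" if self.withdrawn_at else "active"


class ConsentLedger:
    """Append-only: withdrawal changes status but never deletes the original event,
    so the evidence needed for Article 7(1) survives."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, form_version: str,
               checkbox_text: str, mechanism: str,
               given_at: Optional[datetime] = None) -> ConsentEvent:
        if mechanism.lower() in INVALID_MECHANISMS:
            raise ValueError(f"'{mechanism}' is not an unambiguous affirmative action")
        if not purpose.strip():
            raise ValueError("consent must be tied to a specific purpose")
        ev = ConsentEvent(subject_id, purpose, given_at or datetime.now(timezone.utc),
                          form_version, checkbox_text, mechanism)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> bool:
        """Article 7(3): withdrawing is one call, no justification required."""
        at = at or datetime.now(timezone.utc)
        changed = False
        for ev in self._events:
            if (ev.subject_id == subject_id and ev.purpose == purpose
                    and ev.withdrawn_at is None):
                ev.withdrawn_at = at
                changed = True
        return changed

    def is_active(self, subject_id: str, purpose: str,
                  at: Optional[datetime] = None) -> bool:
        # Consent for one purpose never covers another (specificity requirement)
        at = at or datetime.now(timezone.utc)
        return any(
            ev.given_at <= at and (ev.withdrawn_at is None or ev.withdrawn_at > at)
            for ev in self._events
            if ev.subject_id == subject_id and ev.purpose == purpose
        )

    def evidence(self, subject_id: str, purpose: str) -> List[Dict[str, str]]:
        """The who/when/what/how record a supervisory authority would ask to see."""
        return [
            {"subject": ev.subject_id, "purpose": ev.purpose,
             "given_at": ev.given_at.isoformat(), "form_version": ev.form_version,
             "text": ev.checkbox_text, "mechanism": ev.mechanism, "status": ev.status()}
            for ev in self._events
            if ev.subject_id == subject_id and ev.purpose == purpose
        ]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data, not records from any real system."""
    ledger = ConsentLedger()
    ledger.record("user-1042", "marketing-email", "signup-v3",
                  "Yes, send me product news by email", "opt-in checkbox",
                  given_at=datetime(2024, 5, 10, 14, 30, tzinfo=timezone.utc))
    return ledger
```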

Step 9: Perform legitimate interest assessments (LIA)

When to use legitimate interest

Article 6(1)(f) allows processing for legitimate interests if not overridden by data subject rights:

"Explain GDPR legitimate interest as a legal basis. When is it appropriate vs. consent or contract? What's the three-part test: 1) Purpose test (legitimate interest pursued), 2) Necessity test (processing necessary for that interest), 3) Balancing test (interests don't override data subject rights). Provide examples where legitimate interest works (fraud prevention, direct marketing to existing customers, network security) vs. doesn't work (special category data, children's data)."

Conduct balancing test

Document legitimate interest assessment:

"Create a Legitimate Interest Assessment template including: description of processing activity, legitimate interest pursued (business interest or third party interest), necessity analysis (is processing necessary, are there less intrusive alternatives), balancing test (nature and source of legitimate interest, impact on data subject, reasonable expectations, data sensitivity, safeguards implemented, balance outcome), conclusion (can processing proceed on legitimate interest basis), and review date. Make it defensible to DPA scrutiny."

Example LIA for common scenarios

Apply the framework:

"Perform a Legitimate Interest Assessment for: sending marketing emails to existing customers promoting similar products. Legitimate interest: [customer relationship, commercial interest]. Necessity: [how this is necessary for business]. Balancing: [customer expectation based on relationship, easy opt-out, not sensitive data, minimal privacy impact]. Conclusion: [is legitimate interest justified]? What safeguards mitigate impact (prominent unsubscribe, preference center, limited frequency)?"

Step 10: Integrate GDPR with other compliance frameworks

GDPR and ISO 27001 alignment

Many requirements overlap:

"Map GDPR requirements to ISO 27001:2022 Annex A controls. For each GDPR requirement (data security, access controls, breach notification, data minimization, privacy by design), identify: corresponding ISO 27001 controls, how implementing the control satisfies GDPR, what additional GDPR-specific measures are needed beyond ISO 27001. Create a compliance matrix showing where one framework satisfies the other."

GDPR and SOC 2 Privacy alignment

Leverage SOC 2 Privacy criteria:

"How does SOC 2 Privacy Trust Services Criteria support GDPR compliance? Map GDPR requirements (transparency, access rights, deletion, consent, DPIAs) to SOC 2 Privacy criteria (notice, choice, access, disclosure to third parties, security, retention). What controls serve both? What GDPR-specific documentation is needed beyond SOC 2 Privacy?"

Create integrated compliance program

Avoid duplicate work:

"We're pursuing both GDPR compliance and ISO 27001 certification. Design an integrated compliance program including: unified information security and privacy policy, combined risk assessment covering security and privacy risks, integrated control framework addressing both, consolidated audit program, shared evidence repository, and combined compliance reporting dashboard. How do we document once, comply with multiple frameworks?"

Efficiency gain: Organizations with ISO 27001 can achieve 60-70% of GDPR technical requirements through security controls. Focus GDPR-specific efforts on transparency, individual rights, and privacy governance rather than rebuilding security foundations.

Common GDPR documentation mistakes

Mistake 1: Generic privacy policy copy-paste - Using template privacy policies without customization. Solution: Tailor every notice to YOUR actual processing. Ask: "Review this privacy notice against our actual ROPA. Does it accurately describe what we do? Are there discrepancies between policy and practice?"

Mistake 2: Outdated ROPA - Creating ROPA once and never updating. Solution: Review ROPA quarterly or when adding new processing. Ask: "Compare our current ROPA to actual data flows. What processing activities are happening but not documented? What documented activities are no longer occurring?"

Mistake 3: Missing DPAs with processors - Using tools without signed Data Processing Agreements. Solution: Audit all third-party services. Ask: "List all tools/vendors with access to personal data. For each, do we have: DPA signed, security assessment completed, sub-processor list reviewed, contract compliance verified?"

Mistake 4: No DPIA for high-risk processing - Skipping DPIAs when required. Solution: Screen all processing activities. Ask: "Evaluate each ROPA entry for DPIA necessity. Does it involve: automated decision-making, special category data, large-scale processing, systematic monitoring, new technology? If yes, has DPIA been completed?"

Next steps after documentation

You've created comprehensive GDPR documentation:

  • ✓ Record of Processing Activities (ROPA) completed

  • ✓ Privacy notices and policies published

  • ✓ Data Processing Agreements with processors

  • ✓ DPIAs for high-risk processing

  • ✓ Data subject rights procedures established

  • ✓ Breach notification procedures ready

  • ✓ Consent management documented

  • ✓ Legitimate interest assessments completed

Maintain ongoing compliance:

  • Update ROPA quarterly and when adding new processing

  • Review privacy notices annually and after processing changes

  • Conduct annual DPIAs for high-risk processing

  • Monitor data subject rights request volumes and response times

  • Train staff on GDPR requirements and procedures annually

  • Maintain breach register and conduct breach drills

Getting help

Start your GDPR documentation today: Create your workspace at chat.ismscopilot.com and begin building your Record of Processing Activities in under an hour.
