Documentation of Data Protection: Why compliance with the GDPR does not equal protection against penalties


2019-02-01 - Your company's compliance with the European Union's General Data Protection Regulation is crucial. However, the lawgiver requires more than mere compliance. You are also required to document your data protection practice in a very specific manner. We give you tips and pointers on how to document your data protection in a legal and time-saving manner.

What challenges does the documentation of data protection pose?

Establishing data protection as a core element of daily business is difficult enough for companies. Employees and CEOs face diverse requirements not just at one specific point in time but on a regular basis. To name a few examples: You must keep a thorough directory of all data processing activities. Order Processing Agreements must be concluded and monitored. Technical and organizational means of data protection must be updated regularly to ensure the minimal requirements are met. Your employees have to be trained in data protection – on a regular basis.

Compliance cannot be proven without proper documentation

Once you implement all core aspects of data protection in your company, you already do a lot of things right. Data protection alone is, however, not enough. The respective means must be documented in a way that is accessible and comprehensible to outsiders.
When your company is being audited by data protection authorities, you must be able to prove that your company meets the requirements in concrete cases. You must also prove that the respective requirements were and are constantly met in your corporate practice. You are obliged to meet the requirements not only point by point but also on a structural level. First and foremost, you must document your activities in a way that can attest your data protection measurements to data protection authorities. How can you achieve this in business practice? Using the following tips, you can avoid pitfalls and fulfill your data protection duties in a time-saving and legal manner.

  • Save everything in the same spot! Choose a central save location in which you store all documents relevant to data protection. Do not build a complicated storage structure in which you have to use different storage locations.
    Do not use your computer's hard drive but rather a system that allows versioned filing of documents. All versioned files should be stored in a central location. For instance, this could be achieved by using your CRM system or specialized data protection systems.
  • Store older versions of relevant documents! Outdated versions of a document must be stored safely. Through this procedure you can ensure that documents that are relevant for data protection can be reviewed retrospectively by authorities. But be careful: The audit-proof storage of different versions is hardly manageable without a good data protection management system.
  • Document all training measures! Most people know of the importance of keeping track of all processing activities or storing all order processing contracts. You should, however, not neglect to document all training measures for your team. It is most advisable to keep an overview of all data protection trainings. Make sure that every employee receives a certificate for participating in data protection training sessions. Those certificates must be stored safely in order to be able to prove that your employees were always well trained.
  • Store communication! When a third party approaches your company and requests information about the data your company stored about them, you have to comply with their demand. The same is true for when said party asks for deletion of their data. Fulfilling those wishes is not enough. You must document the communication with third parties and the deleting process which followed. Ideally, your CRM system allows the proper documentation of external communication.
  • New systems have to be documented! As soon as a new system is introduced to your company, you have to document when the adjustment took place. It does not matter what kind of system this might be. Was there a specific point in time at which the new system redeemed an older version? Or did the adjustment happen step by step? In the latter case, your documentation must clearly state the individual stages of the adjustment and when the change was completed.


Compliance with and documentation of data protection in daily business is a challenge for everyone involved. We hope our tips will help you establishing legal data protection practice. If you want to organize your data protection in a neat, audit-proof, time-saving way, we recommend using a specialized data protection management system software. Our Compliance-Kit offers just that. You will find many useful features, such as a comprehensive, web-based data protection training platform. This platform is also a means for training your employees in an audit-proof manner – certificates of attendance included.


Get advice now

Call-back service


Arrange a consultation