Skip to main content
All CollectionsCompliance
Example Evidence for Not Monitored GDPR Controls
Example Evidence for Not Monitored GDPR Controls
Markindey Sineus avatar
Written by Markindey Sineus
Updated over a week ago

This article is meant to provide examples of evidence for the ‘Not Monitored’ GDPR Controls in Drata. For each Control, you’ll find one or more examples of evidence to upload.

NOTE: This document should not be interpreted as legal advice. When supplying evidence for Controls, you should always have your legal team review the evidence to ensure that documents are appropriate for your organization’s specific facts and circumstances. In addition, we cannot guarantee that the recommendations provided below will meet specific requirements of the GDPR.

Be sure to review https://help.drata.com/en/articles/6116924-gdpr-where-do-i-start if you have not already.

Code

Name

Example Evidence

DCF-18

Quarterly Vulnerability Scan

1. Completed quarterly vulnerability scans for the the last four quarters.

DCF-19

Annual Penetration Tests

1. Most recently completed annual penetration test.

DCF-115

Privacy Policy Inclusions

1. Formal, documented privacy practices from the entity's website.

DCF-116

Accept The Privacy Policy

1. Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process.

DCF-117

Minimal Information Required

  1. Completed ROPA (see DCF-536 for more information on ROPAs) documentation that includes:

    1. How each PII attribute/field that is collected will be used.

DCF-120

Annual Review of Purposes

  1. Meeting minutes for management's annual review of privacy policies

DCF-121

Purposeful Use Only

1. Section from privacy practices/policy that covers this item.

DCF-130

Tracking Breaches of PII

1. Screenshots of the incident tracking system used to track breaches or security incidents involving PII.

DCF-135

Notice of Breach to Affected Users

1. Formal, documented breach notification procedures.

2. Breach Notification Template (please see Appendix B of Drata’s latest Incident Response Plan Template template for additional guidance for GDPR Breach Reporting)

DCF-166

Business Continuity Plan

1. Business Continuity Plan.

DCF-183

Vulnerability Management

1. Vulnerability Management Policy.

DCF-526

Scope of Privacy Program

  1. Documentation that summarizes the information you’ve collected for DCF-536. Be sure to include Control Activities 1-3.

DCF-527

Designated Data Protection Official

  1. Screenshot or documentation that designates a DPO. See Control Activities for additional guidance on the requirements and expectations of the DPO.

DCF-528

Management of Sensitive Information

  1. Data Classification Policy as long as it includes:

    1. Classification for PII

    2. Handling procedures for PII

  2. Any Security Awareness Training materials that include information about handling PII and inform end users how to report security issues.

DCF-529

Data Subject Consent

  1. Documentation that details how consent is obtained from Data Subjects prior to processing their PII.

  2. Screenshots of automated consent mechanisms that are built into processes that collect PII, such as a consent checkbox on a marketing webinar registration form.

  3. Records of where/how consent was obtained, such as records in the CRM system used by marketing and sales.

DCF-530

Data Subject Withdrawal of Consent

  1. Documentation within the Privacy Policy that details how Data Subjects can withdraw consent.

  2. Screenshots of automated consent withdrawal mechanisms, such as opt-out links at the footers of marketing emails.

  3. Records of consent withdrawal and the actions taken to comply with the request.

DCF-531

Notification of Disclosures to Third Parties

  1. Documentation or templates that describes processes for notifying appropriate stakeholders regarding the disclosure of PII to third parties

    1. Ensure that Control Activities 1-3 are addressed.

  2. Records of disclosures that include each area described in Control Activity 4.

DCF-532

International Transfer of Personal Data

  1. Privacy Policy that includes information about how international transfers are handled.

  2. DPA templates that include language about how international transfers are handled.

DCF-533

Joint PII Controllers

  1. Privacy Policy that includes information about roles and responsibilities of each Controller where Joint Controllers are used.

  2. DPA templates that include language about roles and responsibilities of each Controller where Joint Controllers are used.

DCF-534

Communication of Obligations to Data Subjects

  1. Privacy Policy that communicates company obligations as it relates to Privacy, including the method(s) used by Data Subjects and Customers to make Privacy requests.

  2. Records of Data Subject Requests (DSRs) received and the actions taken to resolve them.

  3. Any templates used to respond to the various types of DSRs.

DCF-535

Organizational Context

  1. Documentation that discusses how your company fits into the data processing ecosystem and includes each of the areas discussed in the 'Control Activities' section. Please see Appendix B of Drata’s latest Personal Data Management Policy template for helpful definitions.

DCF-536

Record of Processing Activity (ROPA)

  1. Completed ROPA documentation that includes the elements described in Control Activities a-g (Please see Appendix A of Drata’s latest Personal Data Management Policy template for more information on ROPAs).

    1. Be sure to consider your processing activities across different Personas, such as Marketing and Sales Prospects, Customers, Website Visitors, Employees, etc. It can be helpful to complete a separate ROPA per Persona.

  2. ROPAs are only required in certain circumstances. The Control Activity Note details which circumstances trigger this requirement.

DCF-537

Data Processing Agreements in Place

  1. DPA templates used when sharing PII with third parties (an example DPA has been included in Appendix A of Drata’s latest Vendor Management Policy Template, for reference).

  2. Copies of fully executed contracts with third parties that include DPAs.

DCF-538

Data Protection Impact Assessment (DPIA)

  1. Completed DPIA documentation (see Control Activity 1 for information on what needs to be included in the DPIA)

    1. DPIAs are only required in certain circumstances. Control Activity 2 details which circumstances trigger this requirement.

    2. Note that DPIAs must be completed prior to processing PII.

    3. Depending on the complexity of your personal data processing, it can be helpful to conduct separate DPIAs on separate use cases.

DCF-539

Collection of PII from Special Categories

  1. Completed ROPA (see DCF-536 for more information on ROPAs) documentation that includes:

    1. Whether or not Special Categories of PII are collected (see Control Activity 1 for details on what PII is considered Special Categories).

    2. Which allowable conditions are used for collection (see Control Activity 2 for details on which allowable conditions are available).

DCF-540

Tracking and Response to Data Subject Requests

  1. Records of Data Subject Requests (DSRs) received and the actions taken to resolve them.

DCF-541

Management of Data Subject Rights

  1. Privacy Policy that includes information about how Data Subjects can exercise their rights under the GDPR, such as sending an email to a specific company inbox or a web form they can use to make the request.

  2. Records of Data Subject Requests (DSRs) received and the actions taken to resolve them.

  3. Any internal documentation used to action DSRs, such as documentation that is used to process a ‘Delete My Data’ or ‘Forget Me’ request.

DCF-542

Representative for Non-EU Controllers/Processors

  1. Screenshot or documentation that designates an EU Representative. See Control Activities for additional information as to whether or not an EU Representative is required for your company.

Did this answer your question?