Example Evidence for Not Monitored GDPR Controls
Written by Markindey Sineus

This article is meant to provide examples of evidence for the ‘Not Monitored’ GDPR Controls in Drata. For each Control, you’ll find one or more examples of evidence to upload.

NOTE: This document should not be interpreted as legal advice. When supplying evidence for Controls, you should always have your legal team review the evidence to ensure that documents are appropriate for your organization’s specific facts and circumstances. In addition, we cannot guarantee that the recommendations provided below will meet specific requirements of the GDPR.

Be sure to review https://help.drata.com/en/articles/6116924-gdpr-where-do-i-start if you have not already.

Each entry below gives the Control Code and Name, followed by the Example Evidence you can upload for it.

DCF-18: Quarterly Vulnerability Scan
  1. Completed quarterly vulnerability scans for the last four quarters.

DCF-19: Annual Penetration Tests
  1. Most recently completed annual penetration test.

DCF-115: Privacy Policy Inclusions
  1. Formal, documented privacy practices from the entity's website.

DCF-116: Accept The Privacy Policy
  1. Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process.

DCF-117: Minimal Information Required
  1. Completed ROPA documentation (see DCF-536 for more information on ROPAs) that includes:
    1. How each PII attribute/field that is collected will be used.

DCF-120: Annual Review of Purposes
  1. Meeting minutes for management's annual review of privacy policies.

DCF-121: Purposeful Use Only
  1. Section from privacy practices/policy that covers this item.

DCF-130: Tracking Breaches of PII
  1. Screenshots of the incident tracking system used to track breaches or security incidents involving PII.

DCF-135: Notice of Breach to Affected Users
  1. Formal, documented breach notification procedures.
  2. Breach Notification Template (please see Appendix B of Drata’s latest Incident Response Plan Template for additional guidance on GDPR Breach Reporting).

DCF-166: Business Continuity Plan
  1. Business Continuity Plan.

DCF-183: Vulnerability Management
  1. Vulnerability Management Policy.

DCF-526: Scope of Privacy Program
  1. Documentation that summarizes the information you’ve collected for DCF-536. Be sure to include Control Activities 1-3.

DCF-527: Designated Data Protection Official
  1. Screenshot or documentation that designates a DPO. See Control Activities for additional guidance on the requirements and expectations of the DPO.

DCF-528: Management of Sensitive Information
  1. Data Classification Policy, as long as it includes:
    1. Classification for PII
    2. Handling procedures for PII
  2. Any Security Awareness Training materials that include information about handling PII and inform end users how to report security issues.

DCF-529: Data Subject Consent
  1. Documentation that details how consent is obtained from Data Subjects prior to processing their PII.
  2. Screenshots of automated consent mechanisms that are built into processes that collect PII, such as a consent checkbox on a marketing webinar registration form.
  3. Records of where/how consent was obtained, such as records in the CRM system used by marketing and sales.

DCF-530: Data Subject Withdrawal of Consent
  1. Documentation within the Privacy Policy that details how Data Subjects can withdraw consent.
  2. Screenshots of automated consent withdrawal mechanisms, such as opt-out links in the footers of marketing emails.
  3. Records of consent withdrawal and the actions taken to comply with the request.

DCF-531: Notification of Disclosures to Third Parties
  1. Documentation or templates that describe processes for notifying appropriate stakeholders regarding the disclosure of PII to third parties.
    1. Ensure that Control Activities 1-3 are addressed.
  2. Records of disclosures that include each area described in Control Activity 4.

DCF-532: International Transfer of Personal Data
  1. Privacy Policy that includes information about how international transfers are handled.
  2. DPA templates that include language about how international transfers are handled.

DCF-533: Joint PII Controllers
  1. Privacy Policy that includes information about the roles and responsibilities of each Controller where Joint Controllers are used.
  2. DPA templates that include language about the roles and responsibilities of each Controller where Joint Controllers are used.

DCF-534: Communication of Obligations to Data Subjects
  1. Privacy Policy that communicates company obligations as they relate to Privacy, including the method(s) used by Data Subjects and Customers to make Privacy requests.
  2. Records of Data Subject Requests (DSRs) received and the actions taken to resolve them.
  3. Any templates used to respond to the various types of DSRs.

DCF-535: Organizational Context
  1. Documentation that discusses how your company fits into the data processing ecosystem and includes each of the areas discussed in the 'Control Activities' section. Please see Appendix B of Drata’s latest Data Protection Policy template for helpful definitions.

DCF-536: Record of Processing Activity (ROPA)
  1. Completed ROPA documentation that includes the elements described in Control Activities a-g (please see Appendix A of Drata’s latest Data Protection Policy template for more information on ROPAs).
    1. Be sure to consider your processing activities across different Personas, such as Marketing and Sales Prospects, Customers, Website Visitors, Employees, etc. It can be helpful to complete a separate ROPA per Persona.
  2. ROPAs are only required in certain circumstances. The Control Activity Note details which circumstances trigger this requirement.

DCF-537: Data Processing Agreements in Place
  1. DPA templates used when sharing PII with third parties (an example DPA has been included in Appendix A of Drata’s latest Vendor Management Policy Template, for reference).
  2. Copies of fully executed contracts with third parties that include DPAs.

DCF-538: Data Protection Impact Assessment (DPIA)
  1. Completed DPIA documentation (see Control Activity 1 for information on what needs to be included in the DPIA).
    1. DPIAs are only required in certain circumstances. Control Activity 2 details which circumstances trigger this requirement.
    2. Note that DPIAs must be completed prior to processing PII.
    3. Depending on the complexity of your personal data processing, it can be helpful to conduct separate DPIAs on separate use cases.

DCF-539: Collection of PII from Special Categories
  1. Completed ROPA documentation (see DCF-536 for more information on ROPAs) that includes:
    1. Whether or not Special Categories of PII are collected (see Control Activity 1 for details on what PII is considered Special Categories).
    2. Which allowable conditions are used for collection (see Control Activity 2 for details on which allowable conditions are available).

DCF-540: Tracking and Response to Data Subject Requests
  1. Records of Data Subject Requests (DSRs) received and the actions taken to resolve them.

DCF-541: Management of Data Subject Rights
  1. Privacy Policy that includes information about how Data Subjects can exercise their rights under the GDPR, such as sending an email to a specific company inbox or using a web form to make the request.
  2. Records of Data Subject Requests (DSRs) received and the actions taken to resolve them.
  3. Any internal documentation used to action DSRs, such as documentation that is used to process a ‘Delete My Data’ or ‘Forget Me’ request.

DCF-542: Representative for Non-EU Controllers/Processors
  1. Screenshot or documentation that designates an EU Representative. See Control Activities for additional information as to whether or not an EU Representative is required for your company.
