Help Center
News
Help Center
News
Sign in
Document
Documents & PoliciesQuestionnairesControls & Technical and Organizational Measures (TOMs)Report ExplorerAsset RegisterFrameworksRecord of Processing Activities (ROPA)Exporting your ROPAVendorsImpact Assessments (IA)Legitimate Interest DocumentationsMeetings & ActivitiesRetentions & Deletions PeriodsData Collection Point (DCP)Add documents to vendors
DPIA
Assessments
ROPA
Assets
International Standards & Frameworks
TOMs & Controls
Categories & Attributes
Data Collection Points
Legal Basis
Legitimate Interest
Documents & Policies
Retention & Deletion
Data Flow
Vendors
Questionnaires
Manage
Process Risk OverviewData Flow Map
Dashboards
AI Assistance & Automation
Projects
Tasks
Meetings & Activities
Workflows & Automations
Reporting
React & Resolve
TasksProjectsIncidents & BreachesData Subject Requests
Risk Scenarios & Treatments
Incidents & Breaches
Release Notes
Q2 2026
Q1 2026
Q4 2025
Q3 2025
Q2 2025
Q1 2025
Q4 2024
Q3 2024
Q2 2024
Q1 2024
Q4 2023
Q3 2023
Q2 2023
Q1 2023
Q4 2022
Q3 2022
Getting Started
Quickstart GuideQuestionnairesTasksProcess Risk OverviewIT SettingsFrameworksThe Information Security / Asset Risk ModelData Subject RequestsDownloading an elementLegitimate Interest DocumentationsAssigning Audiences to ElementsDocuments & PoliciesControls & Technical and Organizational Measures (TOMs)General SettingsCreating attributes that fit your industryDocument list for onboardingThe Data Protection Risk ModelIncidents & BreachesProjectsManaging audiencesAdd documents to vendorsHow to answer an assessment/questionnaireSetting up the first organization or companyData Collection Point (DCP)Use AI to create elementsSetting Risk models in General SettingsSharing ElementsHow can a user change the language?Data Flow MapRecord of Processing Activities (ROPA)Time MachineCreate and evaluate assessments Company Widget FeatureAsset RegisterVendorsImpact Assessments (IA)Creating organizational unitsExporting your ROPAMeetings & ActivitiesTerms for legitimate processingRetentions & Deletions PeriodsHow to create a new user and how to change the password for loginReport ExplorerMaturity modelAdding risk scenarios to assets or asset groupsRelevant Risk SzenariosPriverion GRC Platform overviewDocument list for onboardingHow can a user change the language?Setting up the first organization or companyCreating attributes that fit your industry
User account
Sharing & Group functions
Features
How-To Guides & Tips
Get Help
Legal
Settings
General Settings
Compliance settings
Identity and access management
IT Settings
Risk Settings

Documents & Policies

Data Protection Officers, compliance officers, IT admins, and auditors use the Documents & Policies module to store, manage, and govern every formal policy your organisation needs — from GDPR privacy notices to data retention schedules — all in one auditable, centrally searchable location.

The Documents & Policies module is your organisation's single source of truth for written policies, procedural guidelines, and technical governance documents. Whether you need to upload a freshly approved Information Security Policy, check that a privacy notice is still marked "Active" before an external audit, or trace exactly who changed a document and when, this is where it all happens. Because documents here can be linked to Assets, Processing Activities (ROPAs), Assessments, and Tasks, a document stuck in "Draft" or missing a responsible person will surface as an open gap across your entire compliance picture. Keeping this module tidy is one of the most direct ways to demonstrate accountability under GDPR Article 5(2).

How to open it

In the left-hand sidebar, click Documents & Policies. You land directly on the list view. No sub-menus to expand — one click and you're there.

Access requirements: You need at least read permission for Documents & Policies to see the list. If you only have permission for records assigned to you, you will see your own documents but not others'. Without any read permission, DPMS shows a "Forbidden" screen. The ability to create, edit, delete, import, or share documents is controlled by separate permission levels — if a button appears greyed out, ask your system administrator to review your access.

What you see

The list view

Opening Documents & Policies shows a clean table with four columns: Name, Organisational Unit, Classification, and Updated At. Above the table, five status tabs — All, Active, Draft, Inactive, and Review — let you instantly narrow the list without leaving the page. The currently selected tab is underlined in blue, and your last-used tab is remembered so coming back from a detail view restores your previous filter.

In the top-right corner you'll find two action controls: the Multiple Upload button (a pill-shaped button with an upload icon) for bulk file imports, and the Create button for adding individual documents. A search bar above the table lets you find documents by name, and clicking any column header (except Organisational Unit) sorts the list.

The detail view

Opening a document takes you to its detail view. On the far left is a narrow strip with a small circle icon — clicking it expands or collapses the tab navigation menu running down the left side. The tabs are: General, Upload, Linked Elements, Linked Controls, Tasks, Assessments, and Workflows.

Across the top runs the breadcrumb bar showing "Documents & Policies → [document name] → [current tab]". If the document has neighbours in your current filtered list, left and right chevron arrows appear in the breadcrumb for rapid sequential navigation — handy during an audit sprint when you need to review ten documents in a row. Small chevron arrows also sit next to the current tab name so you can step through tabs without using the side menu.

Below the breadcrumb is the sticky header: a bar that stays visible no matter which tab you're on (except Reviews & Approvals). It shows the responsible person, the lifecycle status, the priority, and the last-updated and last-reviewed dates. Changes you make here — reassigning the responsible person or changing the status — take effect immediately without needing to open the edit form.

In the top-right of the content area you'll see a clock icon button and a three-dot options menu. The clock opens the audit trail; the three-dot menu gives access to options like Delete and Sharing.

Working with this screen

Creating a new policy document

When a new policy needs to be registered — say, a freshly drafted Data Retention Policy — start from the list view and click the Create button, then choose Create Document from the dropdown.

On the creation form, fill in the Name (you can enter translations for multiple languages if your organisation needs them). Next, choose the Type: select File if you'll be uploading a PDF or Word document, or Link if the document lives externally (e.g. SharePoint or Confluence). This choice is permanent — once you save the record, the Type field locks and cannot be changed. If you pick the wrong one, you'll need to delete the record and start again.

Choose the Organisational Unit that owns this document and add a Classification tag (such as "Policy" or "Procedure") to make it easy to filter later. Set the Status to "Draft" while the document is still being prepared, assign yourself or a colleague as Responsible Person, and click Save.

DPMS saves the record and brings you to the Upload tab. If you chose "File" type, drag your PDF (or other document) into the upload zone — this becomes the "latest version" and is the file that reviewers will see during any approval workflow. If you chose "Link" type, enter the URL and press Enter to add it to the list.

Once the file or link is in place, use the left-side menu to visit Linked Elements and connect the document to the relevant Assets or Processing Activities. When the document is ready to go live, return to the sticky header at the top, click the Status dropdown, and change it to Active. The change is saved instantly, and the document will now appear under the Active tab on the list view.

Updating an existing document with a new version

When a policy has been revised — perhaps after an annual review — open the document from the list, navigate to the Upload tab using the left-side menu, and click Edit to enter edit mode. Drag the new file into the upload zone. The new file becomes the "latest version" and the previous version moves to the history list below, where it remains accessible as a clickable link. You don't lose the old version — it's preserved for audit purposes.

If you need to update the document's name, classification, or responsible person at the same time, click the Edit button in the General tab detail card. This opens the full edit form. Make your changes and click Save. Alternatively, you can update the responsible person or status right from the sticky header without entering the edit form at all — useful for quick ownership transfers.

Running an approval workflow

When a document needs to go through a formal sign-off process — for example, an annual policy review requiring sign-off from your legal team and DPO — open the document and click the Workflows tab in the left-side menu.

The Overview sub-tab shows all workflow instances for this document. If no workflows have been started, click Start Workflow, choose your workflow template (templates are configured separately in Workflow Settings), and save. Named reviewers will receive a notification with a direct link to the document.

Each reviewer opens the document, navigates to the Required Action sub-tab under Workflows, and either clicks Confirm Latest Version (to approve the current file) or Upload New Version (to replace the file before approving). Once all reviewers have approved, the workflow completes, and the Last Reviewed date in the sticky header updates automatically to reflect the completion date.

Heads up: Workflow templates must be set up in the Workflow Settings module before they appear in the "Start Workflow" dropdown. If the dropdown is empty, that's the first thing to check.

Auditing the change history

If an auditor asks you to prove that a specific person reviewed and approved a policy on a particular date — or if you simply want to see what changed and when — open the document's detail view and click the clock icon in the top-right of the content area.

The Activity Log drawer slides in from the right, listing every field-level change in chronological order: what field changed, what the old value was, what the new value is, who made the change, and when. You can screenshot this log for your audit file or regulatory submission. Close the drawer by clicking the X in its header.

Heads up: The Activity Log button is currently disabled for Documents & Policies in this release (the underlying infrastructure is in place but history tracking for this module is not yet active). This will be enabled in a future update.

Bulk-uploading multiple documents at once

If you need to onboard a large batch of policy files — for example, after inheriting a SharePoint library of PDFs — use the Multiple Upload button on the list view. Clicking it reveals a dashed-border drag-and-drop zone below the action bar. Drop all your files at once. DPMS creates a new document record for each file automatically.

A progress counter ("X out of Y") and a small spinning logo appear between the Multiple Upload button and the Create button while processing is underway. The upload zone closes automatically once all files have been processed. You can then open each newly created record to fill in the Name, Organisational Unit, Classification, and Status before they are formally "Active".

Tip: After a bulk upload, switch to the Draft tab to find all newly created records waiting to be completed. This prevents half-finished entries from accidentally appearing in the Active list.

Exporting documents for a regulatory submission

When a regulator or auditor asks for evidence of your policy inventory, you don't need to copy-paste from the screen. On the list view, click the Active tab to filter to live documents only. Then click the checkbox in the table header to select all records. An action bar appears — click XLSX to download a spreadsheet with all visible columns (Name, Organisational Unit, Classification, Updated At) for every selected record. For a machine-readable format, use JSON instead.

Field reference

The following fields appear on the document creation/edit form and are worth understanding before you fill them in:

  • Name — The document's display name. You can enter translations for each language your organisation has configured. Required before saving.
  • Type — "File" (upload a document) or "Link" (store a URL). Cannot be changed after the first save. Think carefully before choosing.
  • Status — The lifecycle stage of the document. Defaults to the first available status. Standard values are Active, Draft, Inactive, and Review; your organisation may also have custom statuses configured in Compliance Settings.
  • Responsible Person(s) — The user(s) accountable for this document. Optional, but strongly recommended — documents without a responsible person are harder to track during audits and may show as gaps in linked assessments.
  • Organisational Units — The business unit(s) that own this document. Selecting a unit here also determines which classification tags are available.
  • Classification — Freeform tags describing the document type (e.g. "Policy", "Procedure", "Guideline"). Tags come from Compliance Settings but can also be created on the fly by typing a new name and pressing Enter.

How this connects to the rest of DPMS

Documents & Policies sits at the centre of your compliance evidence chain. Here's what depends on it:

  • Assets, ROPAs, Assessments, Tasks — All of these modules can link back to specific documents. If a linked document is in "Draft" rather than "Active", the parent record may show an open compliance gap. Keeping your documents in the right status is essential.
  • International Standards module — The Linked Controls tab connects a document to specific controls from your chosen standards (e.g. ISO 27001). Clicking a linked control navigates you directly to the International Standards screen.
  • Workflow Settings — The Workflows tab on this screen only works if workflow templates have been set up. If the Start Workflow button doesn't produce a list of options, check Workflow Settings first.
  • Compliance Settings → Statuses — Custom lifecycle statuses (beyond the built-in Active/Draft/Inactive/Review set) are configured there and then appear in the status dropdowns and filter tabs here.
  • Compliance Settings → Attributes — Classification tags for documents are managed here. Without any tags set up, the Classification field will always be empty.
  • IT Settings → Sharing — The "Sharing" option in the three-dot menu on a document only appears if the Sharing feature is enabled in IT Settings and you have the appropriate permission.
  • Group Sharing — The three-dot options menu links directly to the sharing configuration for cross-organisation document access.
  • File Preview — Clicking a filename in the Upload tab history opens a preview of that file in a new browser tab.

After setting up your documents here, make sure to visit the linked modules (Assets, ROPAs, Assessments) to confirm that the links are in place and that nothing shows as an unresolved gap.

Tips & common pitfalls

Heads up: The document Type (File vs. Link) cannot be changed after the first save. If you realise you chose the wrong type, you must delete the record and recreate it. There is no warning when you first set the field — the dropdown simply becomes greyed out after saving.
Tip: Changing the Status or Responsible Person directly in the sticky header sends an immediate update to the server — this is separate from clicking Save in the edit form. You don't need to open the edit form just to transfer ownership or activate a document.
  • Custom statuses won't appear until configured. The standard filter tabs (All / Active / Draft / Inactive / Review) are always shown, but any custom statuses you define in Compliance Settings only appear in the dropdowns and filter tabs once they exist there. A blank "Review" tab is normal until records with that status exist.
  • Malware-flagged files are role-gated. If a file uploaded to the Upload tab was flagged by the malware scanner, only users with IT Security Coordinator, IT Security Manager, System Manager, or Super Admin roles can see it in the history. Compliance officers and standard users will not see the entry at all, which can cause confusion during audits.
  • The Multiple Upload zone closes automatically once all uploads complete. If a file fails to upload, the progress bar stays open until all items (including failures) are accounted for. If the counter appears stuck, reload the page to clear it.
  • The Reviews & Approvals tab is not visible on the detail screen in the current release. Approval workflows are handled entirely through the Workflows tab. If you're looking for a standalone approval tab from an older version of DPMS, it no longer appears on the detail view — use Workflows instead.
  • Concurrent editing is protected. If a colleague edits the same document while you have it open, DPMS will alert you that the record has changed and prompt you to reload before saving, preventing one person's changes from silently overwriting another's.


Was this article helpful?

English
Powered by Product Fruits