Document Approval Workflow

Submit, review, and approve GDPR documents with the built-in approval pipeline

5 min read · Updated 26 February 2026
Roles: Client Admin, Compliance Officer, DPO

Publishing a GDPR document without proper review is a compliance risk. A privacy policy with inaccurate information, a breach notification with missing details, or a DPIA report that understates risks can all expose your organisation to regulatory action. GDPR4All's document approval workflow ensures that every important document passes through a structured review process before it is finalised, creating accountability and a clear audit trail at every step.

The Approval Pipeline

Every document in GDPR4All progresses through a five-stage pipeline. Each stage serves a specific purpose in ensuring document quality and compliance.

Draft

All documents begin in the Draft stage. This is the only stage where the document content can be edited. Use this time to generate the initial content, customise it to your needs, and prepare it for review. There is no rush — keep a document in Draft for as long as you need to get it right.

While in Draft, you can:

  • Edit the document content in the markdown editor.
  • Change the document title and metadata.
  • Regenerate the content from the source record if needed.

Under Review

When the document is ready for scrutiny, submit it for review by changing the status to Under Review. This signals to your reviewers that the document needs their attention.

Once a document is Under Review:

  • The content is locked and can no longer be edited.
  • The document appears in the reviewer's queue for action.
  • The reviewer can either approve or reject the document.

Approved

When a reviewer is satisfied that the document is accurate, complete, and appropriate, they approve it. The Approved status indicates that the document has passed review and is ready to be finalised.

Approval is a significant milestone — it represents a formal sign-off that the document meets your organisation's standards and GDPR requirements.

Final

Moving from Approved to Final is the last step before a document is considered complete and ready for distribution or publication. This transition is typically performed by the document owner or a Client Admin and represents the formal release of the document.

A document in Final status is the definitive version. It should be the one you share with data subjects, supervisory authorities, or other external parties.

Archived

When a document is no longer current — perhaps because it has been superseded by a newer version or the underlying processing activity has changed — move it to Archived. Archived documents are preserved for audit purposes but are clearly marked as no longer active.

The Rejection Path

Not every document passes review on the first attempt. The approval workflow includes a rejection path that allows reviewers to send documents back for revision.

Under Review to Rejected

When a reviewer identifies issues with a document — factual errors, missing information, inappropriate language, or insufficient detail — they can reject it. Rejection is not a dead end; it is a constructive step in the quality assurance process.

When rejecting a document, the reviewer must provide a reason. A modal window prompts them to explain what needs to be fixed. This reason is recorded on the document and visible to the document creator, ensuring clear communication about what changes are needed.

Rejected to Draft

A rejected document automatically returns to Draft status, where the creator can:

  • Read the rejection reason to understand what needs to change.
  • Edit the document content to address the reviewer's concerns.
  • Resubmit the document for review when the changes are complete.

This cycle can repeat as many times as necessary until the document meets the required standard.

Separation of Duties

One of the most important aspects of the approval workflow is the separation of duties principle. In GDPR4All:

The person who creates a document cannot approve their own document.

This rule is enforced both in the user interface (the approve button is not shown to the document creator) and in the API (attempts to approve your own document are rejected with an error). This prevents a single individual from creating and signing off on a document without independent review.

This principle is directly aligned with the GDPR's accountability requirements. Article 5(2) requires organisations to demonstrate compliance, and having an independent reviewer verify the accuracy of compliance documents is a key part of that demonstration.

Role Requirements for Each Transition

Different transitions in the workflow require different levels of authority:

Transitions Anyone Can Make (with appropriate role)

  • Draft to Under Review — any user with compliance management permissions (Client Admin, Compliance Officer) can submit a document for review. This makes sense because the creator is the one who decides when the document is ready for scrutiny.

Transitions Requiring Approval Authority

  • Under Review to Approved — only users with approval authority can approve a document. This includes Client Admins, DPOs, and Platform Admins. Compliance Officers cannot approve documents, which maintains the separation between those who create and those who approve.
  • Under Review to Rejected — the same users who can approve can also reject. The ability to reject is inherently an approval-level decision.

Administrative Transitions

  • Approved to Final — moving a document to its final state requires compliance management permissions.
  • Final to Archived — archiving a document requires compliance management permissions.
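As an added illustration (not GDPR4All's own code), the following Python model enforces the separation-of-duties rule and the per-transition role requirements described above, together with the content lock outside Draft, the mandatory rejection reason, the automatic return to Draft after rejection and the audit entry recorded for every status change. The role identifiers are assumed names, and the model assumes Platform Admin does not hold compliance-management permissions, which the page does not state either way.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role groups as the page describes them. Whether Platform Admin also holds
# compliance-management permissions is not stated; this model assumes it does not.
COMPLIANCE_MGMT = {"client_admin", "compliance_officer"}
APPROVAL_AUTHORITY = {"client_admin", "dpo", "platform_admin"}
# (from_status, to_status) -> roles allowed to perform that transition
TRANSITIONS = {
    ("draft", "under_review"): COMPLIANCE_MGMT,
    ("under_review", "approved"): APPROVAL_AUTHORITY,
    ("under_review", "rejected"): APPROVAL_AUTHORITY,
    ("approved", "final"): COMPLIANCE_MGMT,
    ("final", "archived"): COMPLIANCE_MGMT,
}


@dataclass
class Document:
    creator: str                 # user name of whoever created the draft
    status: str = "draft"
    content: str = ""
    rejection_reason: str = ""
    audit: list = field(default_factory=list)   # one entry per status change

    def edit(self, content: str) -> None:
        if self.status != "draft":               # content is locked outside Draft
            raise PermissionError(f"cannot edit a document in '{self.status}'")
        self.content = content

    def transition(self, user: str, role: str, to_status: str, reason: str = "") -> str:
        allowed = TRANSITIONS.get((self.status, to_status))
        if allowed is None:
            raise ValueError(f"no transition {self.status} -> {to_status}")
        if role not in allowed:
            raise PermissionError(f"role '{role}' may not move {self.status} -> {to_status}")
        if to_status == "approved" and user == self.creator:   # separation of duties
            raise PermissionError("creator cannot approve their own document")
        if to_status == "rejected" and not reason.strip():
            raise ValueError("a rejection reason is required")
        self._record(user, to_status, reason)
        if to_status == "rejected":              # rejected documents return to Draft automatically
            self.rejection_reason = reason
            self._record(user, "draft", "")
        return self.status

    def _record(self, user: str, to_status: str, reason: str) -> None:
        self.audit.append({"from": self.status, "to": to_status, "by": user,
                           "at": datetime.now(timezone.utc).isoformat(), "reason": reason})
        self.status = to_status
```

The audit list is what answers the "who approved this and when" question from the Audit Trail section; in a real deployment it would be persisted append-only rather than kept on the object.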

Why Separation of Duties Matters

The GDPR's accountability principle (Article 5(2)) requires organisations not only to comply with the regulation but to be able to demonstrate that they comply. The document approval workflow supports this in several ways:

Independent Verification

When a privacy policy is reviewed and approved by someone other than its author, there is an independent check that the content is accurate and complete. This reduces the risk of errors, omissions, or bias.

Audit Trail

Every status transition is recorded with the user who initiated it and a timestamp. If a supervisory authority asks who approved your privacy policy and when, you have a clear, auditable answer.

Quality Assurance

The rejection mechanism ensures that substandard documents are identified and improved before they are published. This iterative process raises the overall quality of your compliance documentation.

Accountability

By recording who created, reviewed, and approved each document, GDPR4All creates a chain of accountability. Every person in the chain has a defined responsibility, and that responsibility is documented.

Practical Workflow Example

Here is a typical workflow for a Privacy Policy:

  1. The Compliance Officer generates a Privacy Policy from the Document Generator, which populates the template with data from the organisation's ROPA entries.
  2. The Compliance Officer reviews and customises the generated content, ensuring it accurately reflects current processing activities.
  3. Satisfied with the draft, the Compliance Officer submits it for review (Draft to Under Review).
  4. The DPO receives the document for review. They check it against the ROPA, verify the lawful bases are correctly stated, and ensure all required information under Articles 13 and 14 is present.
  5. The DPO identifies that the document is missing information about international transfers. They reject the document with the reason: "Section on international transfers is incomplete — please add details of transfers to US-based cloud provider and the SCCs in place."
  6. The document returns to Draft. The Compliance Officer updates the international transfers section and resubmits.
  7. The DPO reviews the updated document and approves it (Under Review to Approved).
  8. The Client Admin moves the document to Final and publishes it on the company website.
  9. Twelve months later, when the ROPA is updated with new processing activities, the document is archived and a new version is generated.

Tips for Smooth Approvals

  • Communicate before submitting — let your reviewer know a document is coming and give them context about any areas you would like them to focus on.
  • Address all rejection feedback — when a document is rejected, address every point raised by the reviewer before resubmitting. Partial fixes lead to repeated rejection cycles.
  • Review regularly — set a schedule for reviewing finalised documents. Privacy policies, cookie policies, and employee privacy notices should be checked at least annually, or whenever processing activities change.
  • Use the workflow for all important documents — even if you could skip the review process for a simple document, using the full workflow creates a consistent audit trail and maintains good habits.

The approval workflow is your quality gate. It ensures that every document your organisation relies on for GDPR compliance has been independently verified and is fit for purpose.
