An auditor asks to see how your policies reflect GDPR compliance. Which document should you present?