How to Write a Privacy Policy That’s GDPR Compliant

In the digital era, when more people entrust their personal data to the internet and cloud services, there is a need like never before to inform them how their data is being used. In 2016, the EU legislation introduced a new privacy law, the General Data Protection Regulation (GDPR). It is an updated version that replaced the Data Protection Directive.

In this article, we’ll explain how to create a GDPR compliant privacy policy for your website, whom it protects, and what the customers’ rights are according to this law. Read on!

What Is a Privacy Notice?

A privacy notice is a document in which organizations explain they process their clients’ personal data, why, and how they keep it private. The main aim of a privacy notice is to encourage transparency i.e., to prevent keeping individuals in the dark about how their data is collected and used. A privacy notice is important for both parties. The organization collects the personal data they need, and the individual is satisfied knowing how the company’s data protection works and is reassured that the information will not be used beyond its original purpose. Articles 12, 13, and 14 of the GDPR can help you understand how to write a privacy policy because they contain detailed instructions on what a privacy policy should include.

Although the terms “privacy policy” and “privacy notice” do not appear in the GDPR text, they are still used interchangeably.

Every organization should publish a privacy policy on its website that should be:

• Written in clear and plain language
• Transparent, down-to-the-point, easily accessible, and intelligible
• Free of charge
• Distributed and updated in a timely manner

For apps, the privacy policy should be easily accessible within the app, usually no more than two clicks away.

What Is GDPR and Why Is It Important?

On May 25, 2018, the European Union adopted a new type of data regulation. Even today, it still remains the toughest online privacy law. Its main goal is to give individuals more insight and control over how organizations use their data and how the same data is protected from potential fraud by third parties.

Nevertheless, even if it was drafted and created to protect its EU citizens, its constraints are not limited to the EU. Whenever the majority in a given organization is from the EU, no matter the organization’s location, the organization still needs to comply with the GDPR privacy policy. Every website in the EU or a website dealing with EU citizens needs to have an appropriate privacy policy. Many companies are affected by this law and they need to be aware of its requirements.

The importance of GDPR lies in the fact that it enhances the protection of European citizens’ data rights, and gives companies and organizations a clear outline of what they must do to protect these rights. An owner of a company might be subject to hefty fines of up to 4% of their global revenue or twenty million euros, whichever is higher if they fail to comply with the GDPR requirements.

Key Takeaways

What Should a GDPR Compliant Privacy Policy Include?

There are a few things that should be included in the privacy policy according to the General Data Protection Regulation (GDPR):

Data

There are strict GDPR guidelines that state that the privacy policy should explain how personal data is collected and used. Here are a few questions that companies must address:

• What type of information is collected
• How the information is collected
• Who collects it (contact info)
• Who uses it
• How is the information stored

8 Rights Customer Have Under the GDPR

• The right to erasure

The right to erasure, a.k.a the right to be forgotten, is found in Article 17 of the GDPR. It means that individuals can ask an organization that has collected their data to erase it. The organization then has a legal obligation to act accordingly. This is done most often when the personal data collected are no longer necessary for the purposes for which it was collected in the first place.

• The right to rectification

Another right that organizations must mention in their GDPR privacy policy and comply with is the right to rectification. Namely, the individual (data subject) has the right to correct any data that is either outdated, incorrect, or incomplete.

• The right to restrict processing

European data subjects have the right to block any data processing or usage, especially when the controller no longer needs the data for its original purpose. Specifically, individuals can limit the way an organization uses its data.

• The right to access

After the data is collected, individuals have the right to request a copy of the personal information that an organization stores on them.

• The right to data portability

Another right mentioned in article 20 of the GDPR privacy notice is the right to data portability. This right allows European data subjects to transfer any data from one controller to another while transferring securely in a machine-readable format. Whenever possible, it also allows an automatic data transfer from one controller to another, without the data subject’s involvement.

• The right to object to processing

At any moment when customers feel as if their data is used without their explicit consent, they are free to object to the misuse of their data.

Whether you transfer data internationally

Organizations should state explicitly whether they’ll transfer the processed data outside of their jurisdictions in the privacy policy.

Legal basis for data collecting 

Under GDPR requirements, any organization needs to have a valid reason for using personal data. There are six lawful reasons for collecting and processing personal data:

• consent
• performance of a contract
• legitimate interest
• vital interest
• legal requirement
• public interest

Cookies 

Contrary to popular belief, cookies are not harmful for your browser. They are designed to personalize and collect information about each user’s session. The GDPR privacy notice should address the obvious: how the cookies are used and what types, along with how one can manage cookies. Apps and websites use cookies in various ways that could further improve the user experience. Boohoo Group PLC, for instance, explicitly explains what types of cookies their website uses and further allows customers to decide whether they want to accept all the cookies or only the necessary ones:

Possible Changes

A privacy policy should inform clients of any changes or updates relating to the processing of data on the website.

Contact information

A user should be able to easily contact someone from the company regarding the data the company holds on them. So giving an e-mail address or a telephone number is essential. Sainsbury’s GDPR privacy policy, for example, shows that they provide all the relevant contact information in case a client wants more details on how their data will be used:

Best Practices

Sometimes data controllers tend to use indefinite language, making the whole privacy policy difficult to understand which could lead to a misunderstanding between parties. Using clear, precise language, on the other hand, prevents differing interpretations. For instance, according to GDPR guidelines, a good privacy policy would be phrased similar to the example below:

The phrase is taken from the official PDF format found on the official GDPR site. It recommends using simple, yet meticulous language to make sure that the information is conveyed as clearly as possible.

Conclusion

We hope that this article will help your business stay compliant with the GDPR. If your organization or company is affected by the GDPR in any way, knowing what your privacy policy should include is very important. It will help you protect your clients’ and employees’ data as well as avoid paying any fines.