The General Data Protection Regulation (GDPR) gives people in the European Union (EU) more control over how organizations use their personal data. Its rules apply to organizations established in the EU or European Economic Area (EEA), and to organizations elsewhere that offer goods or services to people in the EU or monitor their behavior. The GDPR also sets out transparency obligations that companies must meet when they collect and process personal data.
GDPR privacy policy definition
GDPR privacy policies, also called privacy notices, describe how a company collects, stores, and uses customer data. They inform website visitors about data collection before it happens and document how the organization applies GDPR rules to that data.
Privacy policies show that companies use data transparently without concealing practices from customers. The policy tells customers exactly what happens to their personal data. Transparency builds trust and protects companies from regulatory penalties.
Supervisory authorities can fine companies that violate privacy rights up to 4 percent of annual global turnover or €20 million, whichever is higher. If you sell to customers in the EU, you need a GDPR-compliant privacy policy.
This article will explain how to create a GDPR privacy policy. Readers will learn exactly what is required and what to avoid. We will also provide a GDPR privacy policy template to simplify compliance tasks.
Key takeaways
- The GDPR gives people in the EU more control over their data. Compliant companies must create and maintain privacy policies that explain privacy protections and, where consent is the legal basis, allow users to give informed consent.
- Violating privacy rights under the GDPR can result in fines of up to 4 percent of global revenue or €20 million, whichever is higher. Violations can include unclear privacy notices or privacy policies that include misleading information. A privacy notice is a public document that explains an organization's data processing activities. It documents how the company applies data protection principles to safeguard user data.
- Privacy notices must be concise, transparent, easily accessible, and written in clear and plain language. Before using the policy, companies should assess its content and whether it complies with GDPR requirements.
- Organizations must include specific information in their privacy notices. The content will vary depending on whether data is collected directly or indirectly. Data controllers have more responsibility to explain how they will protect user data.
Key elements of a GDPR privacy policy
A privacy notice is generally the first thing a customer encounters when they visit a GDPR-regulated website.
Privacy notices are public documents that allow customers to choose whether they want to engage with digital businesses. Compliant companies must provide a privacy notice before they start collecting customer data.
Some things should be included in every GDPR privacy notice. Privacy policy requirements under GDPR include:
- Collection. What data the company collects, and how its websites or other services collect it.
- Consent. Where processing relies on consent, how users give it and how they can withdraw it at any time.
- Contact. Contact information for the company and, where one is appointed, its Data Protection Officer, plus the right to lodge a complaint with a supervisory authority.
- Data usage. What the company does with customer data. Details the legal basis for data collection. Also includes details about legally required data practices. For example, providing data to law enforcement bodies may be mandatory.
- Data sharing. Includes details about sharing data with marketing partners.
- Data protection practices. Measures to encrypt and shield data against external attackers.
- Cookies. How the company uses tracking cookies. What do these cookies do, and how do they gather user data?
- Automation tools. Details about automated data collection tools employed by the organization.
- Data retention. How the company stores data and data retention time limits.
- Data transfer. Information about international data transfers, if applicable.
Data privacy policy under GDPR
Writing a GDPR privacy policy requires a systematic approach. Compliance officers should refer to official guidance from the EU. However, organizations need tailored policies that reflect their business activities.
Privacy policies cannot be identical. Every organization uses data for specific purposes, and third-party data sharing varies between companies. Policies should reflect these differences. Readers need to know what will happen to their data when they browse websites or purchase products.
Privacy policies must also be easily accessible. Burying the notice behind several clicks is not enough. Companies should link to it from every page (the footer is the usual place) and from any form that collects personal data, and make sure it is accessible to visually impaired visitors.
GDPR compliance privacy policy
Key things to think about when writing a GDPR-compliant privacy notice include:
- What are legitimate data disclosures under GDPR?
- What data does the organization collect, and what is the legal basis for data collection?
- What are the reasons for data collection?
- How does the company use personal data? Is there scope for expanding data usage in the future?
- How long does personal data remain on company servers?
- Are third-party data storage partners involved?
- Does the company share data with third parties?
A robust GDPR privacy notice answers these questions and provides customers with choices. Policies should explain how readers can withdraw consent to share information and direct customers to contact points where they can register complaints.
Remember the twin goals of GDPR: Companies must protect individual privacy, and customers should be free to choose how they share personal data. Well-crafted policies document how companies meet these requirements.
GDPR data protection policy
Data protection policies show how an organization meets its legal obligations under GDPR relating to data security. This part of a privacy policy addresses the integrity and confidentiality principle in Article 5(1)(f) of GDPR, one of the data processing principles set out in Article 5, and the security obligations in Article 32.
This section requires compliant companies to:
- Ensure the security of personal data
- Protect against illegal data processing
- Protect against accidental loss or damage of data
- Apply technical measures to ensure data integrity
Data protection policies should not be excessively technical. They should be accessible to customers and internal employees. And they tend to include these common elements:
- Security controls. How the organization protects personal data and maintains data integrity. Measures could include encryption and access controls to prevent data breaches.
- Data handling. How the organization processes, moves, and destroys personal data. This section should document measures to protect data against accidental loss or damage.
- Breach responses. How the organization responds to data breaches. Incident responses should follow GDPR rules: a controller must notify the supervisory authority within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals (Article 33), and must inform affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). A processor must notify the controller without undue delay after becoming aware of a breach. The policy should describe the processes used to meet each of these deadlines.
Writing an effective GDPR privacy policy
These best practices will help you write a GDPR privacy policy that meets your compliance obligations and informs customers.
Privacy notice guidance
Privacy notices should be concise and clear. Simple language should inform readers, and privacy notices should never create confusion. Readers should know what data they hand over to companies and quickly learn how companies use that data.
When writing policies, keep the following best practices in mind:
- Use active sentences and avoid passive constructions.
- Avoid terms like “might” or “could”. Use clear language without qualifiers.
- Employ bullet lists where possible to make the policy easier to read.
- Avoid complex jargon where possible.
- Use short paragraphs and choose a simple font.
- Avoid general terms like “services” or “research purposes.” Be precise at all times.
- Concise language is preferable. But always provide enough information to explain your data collection and usage policies.
Sometimes, companies need to use technical terms. If so, include a section defining key terms. This glossary allows readers to understand complex language. It usually comes at the end of the document. However, you can use links to refer readers to the glossary as they read earlier sections.
Personal data: definition and scope
Another best practice when writing a GDPR privacy notice is defining “personal data.” Privacy policies must explain what forms of private information an organization collects.
Under GDPR, personal data is any information relating to an identified or identifiable natural person. This applies to single pieces of data such as a name. It also applies to groups of data that identify an individual only when combined, and to indirect identifiers such as IP addresses or device IDs.
Companies must take care when describing personal data. For example, organizations may strip out obvious identifiers such as names or addresses. But this data might still count as personal data. As a rule, companies should include the following personal data in privacy notices:
- Names
- IP addresses
- Postal addresses
- Phone numbers
- ID card numbers
- Email addresses
- Location data
- Phone identifiers
The policy should also identify the data controller: the organization that decides why and how personal data is processed, and that is accountable for protecting it. The data controller is usually the same as the company issuing the notice. However, the policy must state when a subsidiary or a separate legal entity acts as the data controller.
The policy should identify a point of contact for privacy requests and complaints. Where the company has appointed a Data Protection Officer, the DPO's contact details must be included; supplying the DPO's email address is generally sufficient. Otherwise, give a dedicated privacy contact address.
Data processing: consent and the lawful basis for information collection
Explaining the legal basis for data usage is a critically important best practice. Policies must clearly explain why the company requires personal data and how data collection practices meet legal requirements.
This part of the privacy notice varies between organizations. Elements of this section could include:
- Consent: the individual has freely given specific, informed consent to the processing.
- Contract: processing is necessary to perform a contract with the individual, or to take steps at their request before entering one.
- Legal obligation: processing is necessary to comply with laws and regulations.
- Vital interests: processing is necessary to protect the life or vital interests of the individual or another person.
- Public task: processing is necessary for a task carried out in the public interest or under official authority. For example, the prevention of crime.
- Legitimate interests: the company (or a third party) has a legitimate interest in processing, and that interest is not overridden by the rights of the individual. The notice should name the interest.
As the list above shows, consent is only one of six lawful bases. Whichever basis applies, the privacy notice must state it for each purpose of processing. Where consent is the basis, companies cannot assume it: the individual must actively agree, and the company must be able to demonstrate that they did.
Mention automated decision-making and profiling in a separate paragraph. For example, credit card companies may use automated systems to profile customers. This can be legitimate. However, customers must know that automated tools are used, along with meaningful information about the logic involved and the consequences for them. Where a decision is based solely on automated processing and has legal or similarly significant effects, individuals can request human intervention, express their point of view, and contest the decision. Writers must detail that review process in the policy document.
Where consent is the lawful basis, companies must also request it explicitly. Consent requests should be separate from the privacy notice and from other terms and conditions. The request directs website visitors to the text of the privacy policy and includes the following information:
- The name of your organization (or the official data controller).
- A brief description of why you require customer data
- How you will use or process personal data
- How the user can withdraw consent
A best practice is to adopt a layered approach to requesting consent. The consent form can be simple and short. Provided it links to a more comprehensive privacy notice and the individual takes a clear affirmative action (pre-ticked boxes do not count), it will be GDPR-compliant.
Data protection measures and user rights
A privacy notice must inform customers about their privacy rights under GDPR. These data protection rights include:
- The right to be informed about how personal data is processed
- The right of access to personal data
- The right to rectification of inaccurate or incomplete data
- The right to erasure of personal data (the "right to be forgotten")
- The right to restrict processing
- The right to data portability (receiving data in a machine-readable format and moving it to another provider)
- The right to object to processing, including an absolute right to object to direct marketing
- The right not to be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects
Policies should briefly explain how the company handles these rights where they are relevant. Explain what the rights mean from a customer's perspective, and note that the company must respond to requests without undue delay and in any case within one month (extendable by two further months for complex requests).
For example, companies must include a clause that explains how customers can change their personal data. The policy should provide contact details and instructions about how to request changes. Listing user rights is not enough. Readers must know how to exercise their rights as well.
Data retention and transfer policies
Privacy policies must document data transfers to countries outside the EU and EEA. Explain the reasons for transferring data and the safeguard that makes each transfer lawful: an adequacy decision by the European Commission, appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of the narrow derogations in Article 49.
The privacy notice should be transparent about recipients in countries without an adequacy decision and should tell readers how they can obtain a copy of the safeguards in place. Where a transfer relies on the individual's explicit consent, readers must be told about the possible risks and be able to refuse.
Notices must also document if an organization seeks to retain personal data. The policy should inform readers:
- How long their data will remain on company servers
- What data does the organization store about them
- Processes for deleting personal data securely
Under GDPR, companies may keep personal data only for as long as necessary for the purpose it was collected for (the storage limitation principle). Privacy policies must state the retention period for each category of data or, where a fixed period cannot be given, the criteria used to determine it. If retention is legally required, for example for tax or accounting records, the policy should explain why and cite the obligation.
Ensuring Compliance and Accountability
GDPR compliance is complex. And companies need to create privacy policies carefully. Writing effective policies requires testing before implementation. Auditing during the policy’s lifetime is also crucial.
Begin with a Privacy Impact Assessment (PIA), which GDPR formalizes as a Data Protection Impact Assessment (DPIA) and requires whenever processing is likely to result in a high risk to individuals. This assessment considers the risks associated with handling personal data. It should map data flows, storage locations, recipients, and the lawful basis for each purpose. Compliance officers can use this information to inform individuals how the organization uses their data and to confirm that each processing activity has a valid lawful basis.
The Data Protection Officer should carry out regular compliance exercises. Annual audits should check whether customer opt-outs are functioning correctly. They should assess whether customers can change or remove personal data. And they should verify that security controls effectively protect stored personal data.
Audits should lead to changes in the GDPR privacy notice. If you need to record new types of personal data, inform website visitors. The same applies to new marketing arrangements with third parties.
User awareness and control
When writing and updating GDPR policies, keep user control in mind. GDPR regulations seek to give individuals more power over how organizations use their personal data. Every section of the privacy policy should reflect this principle.
Design consent forms that are clearly laid out and user-friendly. Avoid large blocks of text. Use simple phrases that communicate the need for consent to use and share data.
Add consent management options in line with GDPR rules. Individuals should have the option of opting out of data sharing with third parties. And they must know what they are agreeing to. State your identity. Be transparent about how you use personal data and what data you collect.
Consent doesn’t end when users sign up with businesses. Under GDPR, individuals can withdraw consent at a later date. Withdrawing consent must be as simple as agreeing to share personal data. Companies must explain the process of withdrawing consent in their privacy policies.
Privacy standards and compliance measures
There are ways to simplify the GDPR challenge. However, there is no mandatory certification that proves a company is GDPR-compliant. Article 42 provides for voluntary certification schemes approved by supervisory authorities, but only a few exist, and holding one does not reduce a company's responsibility for compliance.
GDPR is not as prescriptive as the Payment Card Industry Data Security Standard (PCI DSS). Under GDPR, companies must implement "appropriate technical and organisational measures" to protect personal data, taking into account the state of the art, the cost of implementation, and the risks to individuals. But the regulation does not set out specific controls or configurations for achieving this.
External security and privacy experts can provide employee training or carry out privacy audits. Audits can guide organizations as they create privacy policies. However, companies cannot assume that their systems are GDPR-compliant after a third-party assessment; accountability stays with the controller.
Couple audits with internationally recognized privacy frameworks to create robust privacy policies. ISO/IEC 27701 is a good starting point. It extends ISO/IEC 27001 with privacy information management requirements and includes an annex mapping its controls to GDPR articles.
ISO/IEC 27701 certification is not an approved GDPR certification under Article 42 and is not an exact match for the regulation, but it covers much of the same ground. It gives regulators, customers, and partners evidence that an organization manages privacy systematically, which supports the accountability principle in Article 5(2), making it a useful standard for businesses with GDPR obligations.
Put privacy at the heart of your GDPR strategy
Privacy is at the heart of the General Data Protection Regulation. Companies selling to EU customers need policies to protect user privacy and request consent to use customer data.
Good GDPR privacy policies inform readers how companies use their personal data. They explain what data companies collect. They also request consent to share data with external partners. This sounds simple, but crafting privacy policies takes time and concentration. However, companies can meet EU standards by following privacy policy best practices.
When writing your policy, refer to our GDPR privacy policy template. It shows the level of clarity and detail required. And it includes every section needed to ensure GDPR compliance.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.