How to Write a Successful GDPR Compliant Privacy Policy

Privacy policies used to be some of the most unread documents around - until GDPR reminded the public why they matter. The General Data Protection Regulation (GDPR) exists to better protect personal data and digital privacy, so it makes sense that the regulation would affect most companies’ privacy policies.

However, rewriting or tweaking a privacy policy to align with GDPR compliance can be confusing -- especially for US-based businesses. Organizations have to remember that GDPR applies to anyone offering products or services to citizens of the European Union (EU) or collecting personal data from EU citizens. It doesn’t matter where your business is located or registered. If your product could potentially deal with EU citizens, your website should be on its way to GDPR compliance.

Before we get into a checklist of things your privacy policy now needs under GDPR, let’s talk about the biggest takeaway from making your policy more compliant.

GDPR exists just as much for the people it protects as it does for companies to protect themselves from legal action. With that in mind, it’s imperative that whatever language you use for your organization’s privacy policy be easily understood. Don’t confuse your readers with legalese. Simple explanations of a privacy policy will actually do more to build trust between your organization and interested readers.

Here are 8 items you’ll want to make sure your updated privacy policy has to better align with GDPR:

1. What data you collect

   This seems like a no-brainer, and most companies already have the general specifics of data collection in older privacy policies. However, it's easy to forget a few types of data, so take the opportunity to make sure your privacy policy includes every bit of information users give your company. For reference, here's how we've laid out our own privacy policy:

   

   It’s important to note that GDPR applies to personally identifiable information, and it’s imperative to explain how that type of information is collected, stored, used, and potentially shared.

2. Why your business/website is collecting the data

   Now that people know what data your website collects, they'll want to know how and why you use that data. Provide a specific explanation and avoid generalized statements like "to improve user experiences." If you gather emails or credit card information, explain that it’s for your newsletter or a personalized price chart. Are you communicating with them via the data they’re giving? Are you going to use it for billing? Registering them for an event? This might be one of the most important parts of the privacy policy. Your team will want to make sure this part of the document uses clear, straightforward language.

3. The name of your Data Controller

   

   Data Controller is more than likely your organization unless your group serves as a data processor for other organizations.

4. Contact information for the Data Controller

   Your privacy policy probably already has this information in it. However, if it doesn't have your business's contact information, this is your reminder to add it.

5. A list of the 8 rights they now have under GDPR

   While your privacy policy doesn’t have to list every single right verbatim, it should address the themes of each throughout your privacy policy. If you have questions on how to do this for your organization, consult with a legal professional to ensure clarity.

   Those involved with GDPR compliance for your organization (or ideally most of your organization) should understand how to respect these 8 rights and how those rights affect information security and usage.

6. f you transfer data internationally

   You'll also need the international laws relevant to the scope of your international dealings. This applies to if that information transfer falls under another legal framework like the EU-US Privacy Shield. If you don’t have those, then provide a suitable safeguard you have in place to ensure a smooth and safe transfer of information.

7. Your organization’s legal basis for protecting data

   GDPR requires a lawful basis in order to process someone’s personal data. Two of the most common ones are that a person give consent for data processing for a particular purpose (see number 5) or that the processing is needed for a legitimate interest.

8. Any third party that will also have access to the data and links to their privacy regulations

   

   If you're at all involved in e-commerce, there's a good chance your website collaborates with third-party sites and embeds like MailChimp or Google Adwords. While those websites have separate privacy policies, you'll still need to give your website visitors an idea of how that information is used between your company and theirs. Go one step further and link to each third-party website's privacy policy page.

EDITORIAL NOTE: This article is only meant to be an offering of general advice and assistance. It is not intended to be a substitute for professional legal advice. Always consult with your organization’s legal team before publishing privacy policies, terms and conditions, or other legal documentation.