We’re down to the wire now; the GDPR compliance deadline is next Friday, May 25. As organizations scramble to get ready for the most far-reaching data privacy law ever put on the books, consumers’ email inboxes are being inundated with notices of privacy policy updates.

In addition to fundamentally transforming their data governance, most companies will need to update their website’s privacy policy to meet GDPR standards. Following are six tips for writing a GDPR-compliant privacy policy.

Use Clear, Plain Language

Attempting to overwhelm or confuse your site visitors by inundating them with pages of legalese is a big no-no. Article 12 of the GDPR mandates that privacy policies be written “using clear and plain language, in particular for any information addressed specifically to a child.”

Inform Users of Their 8 Individual Rights Under the GDPR

Your privacy policy should inform users of the individual rights they hold as data subjects under the law:

1. The right to be informed, at the time data is collected from them, about how their data is being collected, processed, and stored, and for what purposes.
2. The right to access their data after it has been collected: to confirm whether data about them is being processed, to obtain a copy of it, and to learn the purposes, the recipients, and how long it will be kept.
3. The right to correct inaccurate or incomplete data (also known as the “right to rectification”).
4. The right to erasure (the “right to be forgotten”). If you have made the data public or passed it on to other controllers, you must also take reasonable steps to inform those controllers of the erasure request.
5. The right to restrict the processing of their data.
6. The right to data portability, or the right to move, copy, or transfer personal data from one data controller to another safely, securely, and in a commonly used and machine-readable format.
7. The right to object to processing that you base on your legitimate interests or on a public-interest task, and an absolute right to object to the use of their data for direct marketing.
8. The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects for them, and to obtain human intervention in such decisions.

Explain How You Will Collect & Use Users’ Personal Data

Your privacy policy must clearly specify:

* Exactly what personal data is being collected and who will receive it.
* Whether users’ personal data is going to be transferred to a different country or an international organization.
* How long you will retain personal data, or the criteria you use to determine that period. The GDPR’s storage-limitation principle bars keeping personal data in identifiable form for longer than the purposes of the processing require.
* Whether any automated decision-making, including profiling, will take place, with meaningful information about the logic involved and the significance and consequences for the user (remember, users can demand human intervention in such decisions).
* Whether the sharing of personal data is mandatory. For example, if users must provide personal data to create user names and gain access to certain parts of a website, the privacy policy must clearly explain what will happen if a user refuses.

Explain Your Legal Basis for Processing Users’ Personal Data

Your privacy policy must clearly state your company’s purpose and legal basis for processing users’ personal data. The GDPR outlines six circumstances under which personal data can be lawfully processed:

1. The user has provided consent for processing for one or more specific purposes.
2. The processing is necessary for the performance of a contract with the user, or to take steps at the user’s request before entering into a contract.
3. The processing is necessary for compliance with a legal obligation to which the controller is subject.
4. The processing is necessary to protect the vital interests of the data subject or another natural person.
5. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular if the data subject is a child.

Include Contact Information

Your privacy policy must include the identity and contact details of the data controller (normally your company) and, where applicable, its representative in the EU, as well as the contact details of your data protection officer (DPO) if your company is required to appoint one.

Seek the Help of a GDPR Compliance Expert

GDPR compliance is complex and can be very confusing, and the penalties for non-compliance are staggering. To ensure your company doesn’t run afoul of the GDPR, it’s best to seek help from a reputable IT compliance expert.

Is your organization ready for the GDPR compliance deadline on May 25? As part of our commitment to helping everyone prepare, Lazarus Alliance is offering a free GDPR readiness tool. Click here to take your GDPR readiness assessment and download your free report today!

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.