Is your business required to have a GDPR compliant privacy policy?
Whether it’s your first time creating a privacy policy, or you want to bring an existing one into line with the latest regulations, there are a number of distinct compliance requirements outlined in the General Data Protection Regulation (GDPR).
First, we’ll cover what a good privacy policy should contain at a base level, before diving into the extra information that must be included in a GDPR policy.
What should be in a privacy policy?
At a very basic level, your privacy policy should explain to users what personal data you collect about them and why, and how your business keeps it safe.
Equally as important is that your policy is written in clear, plain language, so that it can be understood by all readers and is easily accessible at any time.
So, if you have a website, you might feature a link to your policy in your website’s footer, or you may need to upload a policy and Terms of Service to your app’s listing on the App Store or Play Store.
Depending on your business, you may also need to include information about:
- Any sensitive personal data you collect
- Cookies and any other third-party analytics tools your website or app uses
- Your policy around any email communications you send out to users
- Whether you share data with any third parties (such as Google or Facebook when advertising online)
- Your policy around user-generated content
- Other special disclosures required by privacy laws that apply to your business
To ensure your policy remains aligned with your current privacy practices and the latest data privacy legislation, you must review it regularly and update it as required.
You must also notify your customers of what’s changing, so that they’re not in for any surprises around how their data is being handled.
What extra disclosures should be in a GDPR policy?
The aim of the GDPR is to give users more control over their data and ensure businesses are transparent about their privacy practices.
While the laws re-affirm a lot of existing data privacy protections, they have expanded and added clearer definitions to certain privacy concepts and measures that businesses must take to keep their customers’ personal information safe.
Our GDPR privacy policy template includes the following key sections that should be included for compliance:
- What legal bases you have to process personal information.
The GDPR outlines six legal bases through which organisations can lawfully process personal data. To comply with this requirement, you’ll need to make sure your data processing activities are done in accordance with at least one of these legal bases. Your policy should explain why your collection and use of people’s data is justified through any given legal basis.
- The data subject’s rights around their personal data.
All citizens based in the EU are entitled to certain rights over their personal data. Your policy must disclose what rights your users and customers have over the data they share with you.
- How long you keep personal data.
The GDPR states that you should only keep data for as long as you need it (i.e. to fulfill the purposes for which you collect and use it). So, while there is technically no limit on how long you can keep someone’s data, your policy must disclose how long this data is retained and why.
- Business transfers.
In the event that you decide to sell or merge your business with another, you’ll need to inform users of what will happen to their data – that is, whether it will still be kept confidential and used for the same purposes it was initially collected for, or if it’ll be deleted, sold, or shared with people or organisations outside of your business.
- International data transfers.
The GDPR has some restrictions on transferring data outside of the European Economic Area (EEA), as not all countries uphold the same data privacy and security standards as the regulations require. If a business or organisation must transfer data, then they will need to secure the consent of users and follow the GDPR’s rules around international transfers. For example, you may be permitted to transfer data to countries deemed to have “adequate” data protection measures in place. Your policy must disclose whether or not your business transfers or stores data in other countries, and what safeguards are present or will be implemented to keep data safe.
- Your Data Protection Officer (DPO).
If your business meets the GDPR’s criteria for hiring a DPO, you’ll need to disclose who they are, what they do, and how people or other data protection authorities can contact them about any data privacy concerns.
- Children’s privacy.
Given that children are unlikely to be as discerning as adults when it comes to their online privacy, the GDPR has special protections and conditions for processing children’s data.
According to Article 8 of the GDPR, you can only process the data of children aged under 16 with their parents’ consent. In some circumstances, there may be special provisions to process data; however, the child must be at least 13 years old. As part of your privacy policy, you should include an easy-to-understand privacy notice for children and parents on your website or app, so that they are informed of how you handle their data and what rights they have over it.
When creating your own GDPR-compliant policy, you should consult a legal professional to help review your current privacy practices, the current legislation, and how detailed your policy will need to be.
Our policy templates are all based on legal best practice, and are a great starting point for small to medium-sized businesses looking to achieve compliance.
Generate a GDPR privacy policy with GetTerms.io
Create a custom GDPR-ready privacy policy for your business with GetTerms.io.
Use our GDPR-compliant Privacy Policy Generator.