How to Ensure Your Privacy Policy Is GDPR-Compliant


I. Introduction

The General Data Protection Regulation (GDPR) is a significant piece of legislation that came into effect on May 25, 2018. It aims to strengthen and harmonize data protection for individuals within the European Union (EU), while also giving EU citizens more control over their personal data. The GDPR applies to any business, regardless of location, that processes the personal data of EU residents.

As a business owner, it’s important to understand the requirements of the GDPR and ensure that your business is compliant. Non-compliance can result in significant fines and damage to your reputation. In this blog post, we’ll outline the steps you need to take to ensure that your privacy policy is GDPR-compliant.

II. Determine whether the GDPR applies to your business

The GDPR applies to any business that processes the personal data of EU residents, regardless of the business’s location. This means that if you operate an online business that targets EU customers or if you collect personal data from EU residents in any way, you need to ensure that your business is compliant with the GDPR.

To determine whether the GDPR applies to your business, consider the following questions:

  • Do you operate an online business that targets EU customers?
  • Do you collect personal data from EU residents through any means (e.g. online forms, email, phone)?
  • Do you process personal data for any purpose (e.g. marketing, customer service, payroll)?

If you answered “yes” to any of these questions, it’s likely that the GDPR applies to your business and you need to take steps to ensure compliance.

III. Review and update your privacy policy

One of the key requirements of the GDPR is that businesses provide clear and transparent information about how they process personal data. This means that you need to review your current privacy policy and make sure it meets the requirements of the GDPR.

Here are some key areas to consider when reviewing and updating your privacy policy:

  • Purpose of data processing: You need to explain the specific purposes for which you are collecting and processing personal data. For example, if you collect personal data for marketing purposes, you need to specify this in your privacy policy.
  • Legal basis for processing: The GDPR requires businesses to have a legal basis for processing personal data. This could be consent, contract, legal obligation, or legitimate interest. You need to specify the legal basis for your data processing in your privacy policy.
  • Data subjects’ rights: Under the GDPR, individuals have certain rights in relation to their personal data, including the right to access, rectify, erase, and restrict the processing of their data. You need to explain these rights in your privacy policy and provide information on how individuals can exercise these rights.
  • Data retention: You need to specify how long you will retain personal data in your privacy policy. The GDPR requires businesses to only retain personal data for as long as it is necessary for the purpose for which it was collected.
  • Data transfers: If you transfer personal data outside of the EU, you need to ensure that appropriate safeguards are in place to protect the data. This could include using standard contractual clauses or relying on an adequacy decision (i.e. a decision by the European Commission that a third country provides an adequate level of data protection). You need to explain how you handle data transfers in your privacy policy.
  • Data breaches: You need to have a process in place for responding to data breaches and for notifying individuals and the relevant supervisory authority if a breach is likely to result in a high risk to the rights and freedoms of individuals. You need to explain this process in your privacy policy.

Here are some examples of clauses from different platforms that address these issues:

  • Purpose of data processing: “We collect and use your personal data for the following purposes: [list specific purposes]” (from Etsy’s privacy policy)
  • Legal basis for processing: “We process your personal data on the following legal bases: [list legal bases]” (from Facebook’s privacy policy)
  • Data subjects’ rights: “You have the right to access, rectify, erase, restrict the processing of, and object to the processing of your personal data. You also have the right to data portability and the right to withdraw your consent at any time. To exercise these rights, please contact us using the contact details provided in this privacy policy” (from Google’s privacy policy)
  • Data retention: “We will retain your personal data for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law” (from Amazon’s privacy policy)
  • Data transfers: “We may transfer your personal data to countries outside of the European Economic Area (EEA) for the purposes described in this privacy policy. Where we transfer your personal data to countries outside of the EEA, we will ensure that appropriate safeguards are in place to protect your personal data” (from Airbnb’s privacy policy)
  • Data breaches: “In the event of a personal data breach, we will notify you and the relevant supervisory authority without undue delay, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. We will also provide you with information on the measures we

IV. Obtain consent

Under the GDPR, businesses must obtain explicit, affirmative consent from individuals before processing their personal data. This means that individuals must take a positive action, such as ticking a box or clicking a button, to give their consent. Simply providing a link to your privacy policy and assuming that individuals have read and understood it is not sufficient.

There are several requirements that businesses need to meet when obtaining consent:

  • Consent must be freely given: Individuals must have a genuine choice and should not be subjected to any form of coercion or pressure to give their consent.
  • Consent must be specific: Consent must be obtained for specific purposes. For example, if you collect personal data for marketing and customer service purposes, you need to obtain separate consent for each purpose.
  • Consent must be informed: Individuals must be provided with clear and concise information about how their personal data will be used. This includes information about the purpose of the data processing, the types of personal data that will be collected, and how the personal data will be used.
  • Consent must be unambiguous: It must be clear that the individual is giving their consent. Pre-ticked boxes or opt-out consent (i.e. consent that is assumed unless the individual opts out) are not acceptable under the GDPR.
  • Consent must be easily withdrawn: Individuals must be able to easily withdraw their consent at any time. You need to provide a clear and simple process for withdrawing consent and ensure that individuals are aware of their right to withdraw consent.

Here are some examples of consent clauses from different platforms:

  • “By ticking the box below and completing the registration process, you confirm that you have read and understood the terms of our Privacy Policy and agree to the processing of your personal data for the purposes described in the Privacy Policy” (from LinkedIn’s consent form)
  • “I give my consent to [name of company] to process my personal data for the purposes described in the Privacy Policy. I understand that I can withdraw my consent at any time by contacting [name of company] using the contact details provided in the Privacy Policy” (from a generic consent form)

It’s important to note that businesses cannot rely on consent as the legal basis for processing sensitive personal data, such as data related to health, race, or religion. In these cases, businesses need to rely on another legal basis, such as legal obligation or vital interests.

In addition to obtaining consent for data processing, businesses also need to obtain separate consent for marketing activities. This means that if you want to use personal data for marketing purposes, you need to obtain explicit consent from individuals to receive marketing communications.

V. Implement appropriate technical and organizational measures

The GDPR requires businesses to implement appropriate technical and organizational measures to protect personal data. This means that you need to have appropriate safeguards in place to prevent unauthorized access, use, disclosure, or destruction of personal data.

Here are some examples of technical and organizational measures that you can implement to protect personal data:

  • Encryption: Encrypting personal data can help to protect it from unauthorized access.
  • Access controls: Implementing access controls, such as login credentials and permissions, can help to prevent unauthorized access to personal data.
  • Regular testing and review: Regularly testing and reviewing your security measures can help to identify and address any vulnerabilities.
  • Data minimization: Only collect and process the personal data that is necessary for the specific purpose for which it is being collected.
  • Training: Provide training to your employees on data protection best practices.

It’s important to note that the appropriate technical and organizational measures will depend on the specific risks to personal data and the size and complexity of your business. You may need to seek guidance from a data protection officer or a cybersecurity expert to determine the appropriate measures for your business.

In addition to implementing technical and organizational measures, it’s also important to have a process in place for responding to data breaches. This should include a plan for containing and mitigating the breach, as well as a process for notification and communication with affected individuals and the relevant supervisory authority.

VI. Appoint a data protection officer (DPO)

Under the GDPR, businesses may be required to appoint a data protection officer (DPO) if they carry out certain types of data processing activities or if they process large amounts of personal data.

A DPO is responsible for monitoring compliance with the GDPR and other data protection laws, advising the business on data protection obligations, and cooperating with the relevant supervisory authority.

You may need to appoint a DPO if your business:

  • Carries out large-scale processing of special categories of data (e.g. data related to health, race, or religion)
  • Carries out large-scale monitoring of individuals (e.g. through tracking online behavior)
  • Processes large amounts of personal data

It’s important to note that the DPO must be independent and should not have any conflicts of interest. The DPO should also have the necessary skills and expertise to fulfill their role.

If you are not required to appoint a DPO, you may still choose to do so as a way to demonstrate your commitment to data protection and to ensure compliance with the GDPR.

VII. Ensure compliance with data subject rights

Under the GDPR, individuals have certain rights in relation to their personal data, including the right to:

  • Access: Individuals have the right to access their personal data and to obtain a copy of their personal data.
  • Rectification: Individuals have the right to have their personal data rectified if it is inaccurate or incomplete.
  • Erasure: In certain circumstances, individuals have the right to have their personal data erased (also known as the “right to be forgotten”). This includes situations where the personal data is no longer necessary for the purpose for which it was collected or where the individual withdraws their consent and there is no other legal basis for the processing.
  • Restriction of processing: Individuals have the right to request the restriction of the processing of their personal data in certain circumstances, such as where they have contested the accuracy of the data or where they have objected to the processing.
  • Objection to processing: Individuals have the right to object to the processing of their personal data in certain circumstances, such as where the processing is based on legitimate interests or for the purposes of direct marketing.

It’s important for businesses to have processes in place to handle requests from individuals exercising their rights. This may include establishing a process for individuals to make a request, designating a point of contact for handling requests, and responding to requests in a timely manner.

It’s also important to note that businesses are required to provide individuals with information about their rights and how to exercise them. This should be included in your privacy policy and any other relevant documents, such as consent forms.

VIII. Frequently Asked Questions

  1. What is the GDPR?

The General Data Protection Regulation (GDPR) is a set of regulations that went into effect in May 2018 to strengthen and unify data protection for all individuals within the European Union (EU). It applies to any company that processes the personal data of EU citizens, regardless of where the company is located.

  2. What information must be included in a GDPR-compliant privacy policy?

A GDPR-compliant privacy policy must include:

  • The identity and contact details of the data controller (i.e., the company or organization that determines how personal data is collected, used, and processed)
  • The purposes for which personal data is collected and processed
  • The legal basis for processing personal data (e.g., consent, legal obligation, legitimate interests)
  • The categories of personal data that are collected and processed
  • The recipients or categories of recipients to whom the personal data will be disclosed
  • The retention period for personal data, or the criteria used to determine the retention period
  • The rights of the data subject (i.e., the individual whose personal data is being collected and processed), including the right to access, rectify, erase, restrict, or object to the processing of personal data
  • The right to withdraw consent at any time (if consent is the legal basis for processing)
  • The right to lodge a complaint with a supervisory authority
  • The existence of automated decision-making, including profiling, and the consequences of such processing
  • The source of the personal data (if it was not collected directly from the data subject)

  3. How can I make sure that my privacy policy is clear and easy to understand?

To make sure that your privacy policy is clear and easy to understand, you should:

  • Write in plain language, avoiding legal jargon
  • Use headings and bullet points to break up the text
  • Use clear and concise sentences
  • Provide examples to illustrate your points
  • Include links to further information or resources

  4. What happens if I don’t comply with the GDPR?

If you don’t comply with the GDPR, you could face fines of up to €20 million or 4% of your annual global turnover, whichever is higher. You could also be ordered to rectify the situation or stop processing personal data altogether.

  5. How can I ensure that my company remains GDPR-compliant?

To ensure that your company remains GDPR-compliant, you should:

  • Appoint a Data Protection Officer (DPO) if you are a public authority, if you carry out large-scale processing of special categories of personal data (e.g., data about health, racial or ethnic origin, political opinions, etc.), or if you carry out large-scale monitoring of individuals (e.g., through tracking their online activities)
  • Conduct regular data protection impact assessments (DPIAs) to identify and mitigate any risks to the rights and freedoms of individuals
  • Keep records of your processing activities
  • Implement appropriate technical and organizational measures to protect personal data
  • Train your employees on data protection and privacy
  • Review and update your policies and procedures regularly to ensure that they are still effective and compliant with the GDPR

  6. Do I need to obtain explicit consent from individuals to process their personal data under the GDPR?

Yes, under the GDPR, you must obtain explicit consent from individuals to process their personal data. This means that the individual must take a positive action to give their consent, such as ticking a box or clicking a button. You must also provide information about the purposes for which their personal data will be processed, and you cannot use pre-ticked boxes or any other default consent mechanisms.

  7. Can I transfer personal data to countries outside the EU?

Yes, you can transfer personal data to countries outside the EU, but you must ensure that the recipient country provides an adequate level of data protection. One way to do this is to enter into standard contractual clauses (also known as model contracts) with the recipient, which set out the rights and obligations of the parties with regard to the processing of personal data. Alternatively, you can rely on an adequacy decision by the European Commission, which determines that a particular country or territory outside the EU provides an adequate level of data protection.

  8. What should I do if I receive a request from an individual to exercise their rights under the GDPR?

If you receive a request from an individual to exercise their rights under the GDPR (e.g., the right to access their personal data, the right to rectify their personal data, etc.), you should:

  • Confirm the identity of the individual making the request
  • Respond to the request within one month (you can extend this period by a further two months if the request is particularly complex or if you have received a large number of requests)
  • Provide the requested information in a clear and concise manner, using plain language
  • Inform the individual of their right to complain to a supervisory authority if they are not satisfied with your response

  9. What should I do if I experience a personal data breach?

If you experience a personal data breach (e.g., the unauthorized access or disclosure of personal data), you should:

  • Assess the risks to the rights and freedoms of individuals
  • Notify the supervisory authority (usually the data protection authority in the country where you are based) without undue delay, and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
  • If the breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify the affected individuals without undue delay
  • Keep a record of any personal data breaches, regardless of whether or not you are required to notify the supervisory authority

  10. How can I demonstrate compliance with the GDPR?

To demonstrate compliance with the GDPR, you should:

  • Appoint a DPO (if required) and implement appropriate technical and organizational measures to protect personal data
  • Conduct DPIAs (if required) and keep records of your processing activities
  • Respond to requests from individuals to exercise their rights under the GDPR in a timely and appropriate manner
  • Notify the supervisory authority of any personal data breaches (if required)
  • Implement policies and procedures to ensure that your processing of personal data is in compliance with the GDPR, and train your employees on these policies and procedures
  • Keep records of your compliance efforts and make them available to the supervisory authority upon request

  11. How can I ensure that my privacy policy is transparent?

To ensure that your privacy policy is transparent, you should:

  • Use plain language and avoid legal jargon
  • Clearly explain the purposes for which personal data is collected and processed
  • Provide information about the legal basis for processing personal data
  • Describe the categories of personal data that are collected and processed
  • Explain the rights of the data subject and how they can exercise these rights
  • Provide information about the recipients or categories of recipients to whom the personal data may be disclosed
  • Describe the retention period for personal data, or the criteria used to determine the retention period
  • Explain the existence of automated decision-making, including profiling, and the consequences of such processing

  12. Can I process personal data for multiple purposes?

Yes, you can process personal data for multiple purposes, but you must ensure that you have a legal basis for each purpose. For example, if you are processing personal data for the purpose of fulfilling a contract with an individual, you might rely on the legal basis of contract performance. If you are processing personal data for the purpose of sending marketing communications, you might rely on the legal basis of consent. You must also ensure that the purposes for which you are processing personal data are compatible with each other.

  13. Can I continue to process personal data after the original purpose for which it was collected has been fulfilled?

Yes, you can continue to process personal data after the original purpose for which it was collected has been fulfilled, but you must have a legal basis for doing so. This might be the legal basis of legitimate interests (e.g., if you have a legitimate interest in using the personal data for research or statistical purposes), or it might be another legal basis, such as public interest or legal obligation.

  14. Can I use personal data for direct marketing purposes?

Yes, you can use personal data for direct marketing purposes, but you must have a legal basis for doing so. The most common legal basis for direct marketing is consent. You must obtain explicit consent from individuals to use their personal data for direct marketing purposes, and you must provide them with the opportunity to opt out of receiving marketing communications at any time. You must also respect the individual’s right to object to the processing of their personal data for direct marketing purposes.

  15. Can I use personal data for research and statistical purposes?

Yes, you can use personal data for research and statistical purposes, but you must have a legal basis for doing so. The most common legal basis for research and statistical purposes is legitimate interests. You must ensure that the processing of personal data for research and statistical purposes is necessary for the pursuit of your legitimate interests, and that it is not overridden by the interests or rights of the data subject. You should also consider whether you can use pseudonymized or anonymous data instead of personal data, and you should implement appropriate technical and organizational measures to protect the personal data that you do process.

  16. Can I share personal data with third parties?

Yes, you can share personal data with third parties, but you must have a legal basis for doing so. You must also ensure that the third party has a legal basis for processing the personal data, and that they provide an adequate level of data protection. You should also consider whether you need to enter into a data processing agreement with the third party, which sets out the rights and obligations of the parties with regard to the processing of personal data.

  17. Can I transfer personal data to a third party in a country outside the EU?

Yes, you can transfer personal data to a third party in a country outside the EU, but you must ensure that the recipient country provides an adequate level of data protection. One way to do this is to enter into standard contractual clauses (also known as model contracts) with the recipient, which set out the rights and obligations of the parties with regard to the processing of personal data. Alternatively, you can rely on an adequacy decision by the European Commission, which determines that a particular country or territory outside the EU provides an adequate level of data protection.

  18. What should I do if I receive a request from a third party for personal data that I hold?

If you receive a request from a third party for personal data that you hold, you should:

  • Verify the identity of the third party making the request
  • Check that you have a legal basis for disclosing the personal data to the third party
  • Check that the request is in compliance with the GDPR and any other applicable data protection laws
  • If the request is for the purpose of direct marketing, check that the individual has given their explicit consent to receive marketing communications from the third party
  • If the request is for the purpose of scientific or historical research, check that the processing of the personal data is necessary for the research and that appropriate safeguards are in place to protect the rights and freedoms of the individuals concerned
  • Respond to the request in a timely and appropriate manner

  19. Can I use personal data for profiling or automated decision-making?

Yes, you can use personal data for profiling or automated decision-making, but you must have a legal basis for doing so. You must also ensure that the processing of personal data for these purposes is fair, transparent, and does not have a disproportionate effect on the rights and freedoms of the individuals concerned. You must also provide individuals with information about the logic involved in the automated decision-making process and the significance and envisaged consequences of such processing for the data subject.

  20. Can I retain personal data for longer than the retention period specified in my privacy policy?

Yes, you can retain personal data for longer than the retention period specified in your privacy policy, but you must have a legal basis for doing so. This might be the legal basis of legitimate interests (e.g., if you have a legitimate interest in retaining the personal data for historical, statistical, or research purposes), or it might be another legal basis, such as public interest or legal obligation. You should also consider whether it is necessary to retain the personal data for the extended period, and whether you can achieve the same purposes through other means (e.g., by pseudonymizing or anonymizing the personal data).

  21. Can I use personal data for machine learning or artificial intelligence (AI) purposes?

Yes, you can use personal data for machine learning or AI purposes, but you must have a legal basis for doing so. You must also ensure that the processing of personal data for these purposes is fair, transparent, and does not have a disproportionate effect on the rights and freedoms of the individuals concerned. You should also consider whether you can use pseudonymized or anonymous data instead of personal data, and you should implement appropriate technical and organizational measures to protect the personal data that you do process.

  22. Can I use personal data for cybersecurity purposes?

Yes, you can use personal data for cybersecurity purposes, but you must have a legal basis for doing so. The most common legal basis for cybersecurity purposes is legitimate interests. You must ensure that the processing of personal data for cybersecurity purposes is necessary for the pursuit of your legitimate interests, and that it is not overridden by the interests or rights of the data subject. You should also consider whether you can use pseudonymized or anonymous data instead of personal data, and you should implement appropriate technical and organizational measures to protect the personal data that you do process.

  23. Can I use personal data for fraud prevention purposes?

Yes, you can use personal data for fraud prevention purposes, but you must have a legal basis for doing so. The most common legal basis for fraud prevention purposes is legitimate interests. You must ensure that the processing of personal data for fraud prevention purposes is necessary for the pursuit of your legitimate interests, and that it is not overridden by the interests or rights of the data subject. You should also consider whether you can use pseudonymized or anonymous data instead of personal data, and you should implement appropriate technical and organizational measures to protect the personal data that you do process.

  24. Can I use personal data for compliance purposes?

Yes, you can use personal data for compliance purposes, but you must have a legal basis for doing so. The most common legal basis for compliance purposes is legal obligation. You must ensure that the processing of personal data for compliance purposes is necessary to comply with a legal obligation that applies to you, and that it is not overridden by the interests or rights of the data subject. You should also consider whether you can use pseudonymized or anonymous data instead of personal data, and you should implement appropriate technical and organizational measures to protect the personal data that you do process.

  25. Can I use personal data for other purposes not specified in my privacy policy?

Yes, you can use personal data for other purposes not specified in your privacy policy, but you must have a legal basis for doing so and you must inform the individuals concerned of the new purposes before you start processing their personal data for those purposes. You should also consider whether the new purposes are compatible with the original purposes for which the personal data was collected, and whether you can achieve the same purposes through other means (e.g., by pseudonymizing or anonymizing the personal data).

  26. Can I use personal data for internal purposes, such as HR or management purposes?

Yes, you can use personal data for internal purposes, such as HR or management purposes, but you must have a legal basis for doing so. The most common legal basis for internal purposes is legitimate interests. You must ensure that the processing of personal data for internal purposes is necessary for the pursuit of your legitimate interests, and that it is not overridden by the interests or rights of the data subject. You should also consider whether you can use pseudonymized or anonymous data instead of personal data, and you should implement appropriate technical and organizational measures to protect the personal data that you do process.

  27. Can I use personal data for customer relationship management (CRM) purposes?

Yes, you can use personal data for CRM purposes, but you must have a legal basis for doing so. The most common legal basis for CRM purposes is legitimate interests. You must ensure that the processing of personal data for CRM purposes is necessary for the pursuit of your legitimate interests, and that it is not overridden by the interests or rights of the customers concerned. You should also consider whether you can use pseudonymized or anonymous data instead of personal data, and you should implement appropriate technical and organizational measures to protect the personal data that you do process.

  28. Can I use personal data for network and information security (NIS) purposes?

Yes, you can use personal data for NIS purposes, but you must have a legal basis for doing so. The most common legal basis for NIS purposes is legitimate interests. You must ensure that the processing of personal data for NIS purposes is necessary for the pursuit of your legitimate interests, and that it is not overridden by the interests or rights of the data subjects concerned. You should also consider whether you can use pseudonymized or anonymous data instead of personal data, and you should implement appropriate technical and organizational measures to protect the personal data that you do process.
