This article covers many elements of a GDPR policy template: for example, which areas it should include, which areas it should exclude, and much more.
The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018. The motive behind introducing such a regulation was to provide data subjects with more control over their personal data.
In order to ensure GDPR compliance, companies have had to think about data protection and privacy more carefully and handle it more diligently.
How to become GDPR compliant?
Companies that don’t follow the rules set out under the GDPR risk heavy fines. Not following the rules under the GDPR means having no structure for governing the data or for managing its security effectively, and this can lead to a number of potential breaches.
Well, there is nothing to worry about; compliance is not that difficult.
For GDPR compliance
- Abide by the principles of the GDPR.
- Process your users’ personal information legally.
Creating a compliant GDPR policy template
- It must be written in a simple language so your users can easily understand it.
- It must be comprehensive, which means it covers every aspect of your personal data processing activities.
- Contact details of your company
Article 13 (1)(a) of the GDPR requires that you provide your users with: “The identity and the contact details of the controller and, where applicable, of the controller’s representative.” Article 13 (1)(b) of the GDPR also requires you to provide: “The contact details of the data protection officer, where applicable.”
- Legal basis and purpose of processing
Article 13 (1)(c) of the GDPR requires that you provide information about:
“The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.” If you don’t have a specific purpose, you are not allowed to process an individual’s personal data. And if you do have a purpose for processing personal data, make sure you are doing it legally. The GDPR sets out six legal bases in Article 6. You are only allowed to process a person’s personal data if you meet at least one of the following:
1. You have their consent for processing.
2. You are required to process their personal data to fulfil a contract with them.
3. You are legally required to process their personal data.
4. Failing to process their personal data would put their life or someone else’s life at risk.
5. You are carrying out a task in the public interest or with legal authority.
6. You have a legitimate interest in processing their personal data.
- If you share your users’ personal data
Article 13 (1)(e) requires you to provide information about: “The recipients or categories of recipients of the personal data, if any.” Here, you are not asked to provide the name of a company with whom you are sharing personal data. Instead, you must mention the types of organisations with whom you share your data.
- When you are transferring personal data to a third country
Article 13 (1)(f) of the GDPR requires that you provide information about:
“The fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission.” A third country means any country outside the EU. For instance, if you host your site in the US and process the personal information of people in the EU through your website, you are transferring it to a third country. The EU Commission has also declared several countries to have adequate data privacy standards, which enables the free flow of data from the EU to the countries on that list.
- How long can you keep your users’ personal data?
Article 13 (2)(a) of the GDPR requires that you inform your users of: “The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.” The GDPR states that you cannot retain a person’s personal data for longer than you need it.
- Give a free choice to your users
When consent is relied upon for the processing of data, you must give users a free choice. When asking users for consent, you must offer them the option to agree or to refuse. Users should positively affirm that they permit you to process their personal data.
- Easily withdrawn
Frequently Asked Questions (FAQs)
- Do I need a GDPR policy template?