In this article, you will come across many elements of a GDPR policy template. For example, what areas it should include, what areas should be excluded and much more.
The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018. The motive behind introducing such a regulation was to provide data subjects with more control over their personal data.
In order to ensure GDPR compliance, companies have had to give some thought and handle things more diligently in relation to data protection and privacy.
Providing consumers with transparent and accessible information regarding their personal data is a legal obligation on companies under GDPR. One clear way to do so is to have a comprehensive privacy policy as well as all the other key policies and documents that are required to become compliant with the GDPR.
How to become a GDPR compliant?
Companies that don’t follow the rules mentioned under the GDPR are more likely to receive huge fines — not following the rules under GDPR means, providing no structure to governing the data, or managing its security effectively. This can lead to a number of potential breaches.
Well, there is nothing to worry about; compliance is not that difficult.
For GDPR compliance
- Create a GDPR compliant privacy policy.
- Abide by the principles of the GDPR.
- Process your users’ personal information legally.
Creating a compliant GDPR policy template
A privacy policy is an important way to ensure compliance with a key GDPR principle regarding transparency. A compliant privacy policy must cover:
- It must be written in a simple language so your users can easily understand it.
- It must be comprehensive, which means it covers every aspect of your personal data processing activities.
- It must be easily accessible, particularly prior to the point that you’re collecting your users’ data or soon after if you’ve received it from elsewhere. However, you should update your privacy policy, whenever there are changes to the processing activities, in order to show compliance with GDPR.
You will find many GDPR policy templates, but an effective and complaint privacy policy should incorporate the following:
- Contact details of your company
Article 13 (1)(a) of the GDPR requires that you provide your users with: “The identity and the contact details of the controller and, where applicable, of the controller’s representative.” Article 13 (1)(b) of the GDPR also requires you to provide: “The contact details of the data protection officer, where applicable.”
- Legal basis and purpose of processing
Article 13 (1)(c) of the GDPR requires that you provide information about:
“The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.” If you don’t have any specific purpose, you are not allowed to process the personal data of an individual. And if you have a purpose for personal data processing, make sure you are doing it legally. The GDPR has set out six legal bases in Article 6. You are only allowed to process personal data of a person if you meet at least one of the following:
1. You have their consent for processing.
2. You are required to process their personal data to fulfil a contract with them.
3. You are legally required to process their personal data.
4. Failing to process their personal data would put their life or someone else’s life at risk.
5. You are carrying out a task in the public interest or with legal authority.
6. You have a legitimate interest in processing their personal data.
- If sharing your user’s personal data
Article 13 (1)(e) requires you to provide information about: “The recipients or categories of recipients of the personal data, if any.” Here, you are not asked to provide the name of a company with whom you are sharing personal data. Instead, you must mention the types of organisations with whom you share your data.
- When you are transferring personal data to a third country
Article 13 (1)(f) of the GDPR requires that you provide information about:
“The fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission.” The third country means if you are transferring data to any country outside the EU. For instance, if you are hosting your site in the US and processing the personal information of EU people through your website, you are transferring it to the third country. The EU Commission has also declared several countries to have adequate data privacy standards. This enables the free flow of data from the EU to the countries that have been listed.
- For how long you can keep your user’s personal data?
Article 13 (2)(a) of the GDPR requires that you inform your users: “The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period,” GDPR states you cannot to retain a person’s personal data longer than you need.
- Give a free choice to your users
When consent is relied upon for the processing of data, you must provide users with a free choice. When taking consent from the users, you must offer them both options. Users should positively affirm that they permit you to process their personal data.
- Easily withdrawn
Along with being able to refuse, you users should be allowed to withdraw consent, once they have agreed. Article 7(3) of the GDPR says: “It shall be as easy to withdraw as to give consent.” Article 13 (2)(c) requires that you make your users aware of “the existence of the right to withdraw consent at any time.” If you keep your privacy policy updated, you will be able to enjoy many privileges along with ensuring compliance.
Frequently Asked Questions (FAQs)
- Can you write your own privacy policy?
If you do not have the means to write a privacy policy yourself, there are tools such as the Seers policy generator that can help you create a tailored policy that is appropriate for your business. Do not just use a privacy policy template from the internet, as the policies should be specific.
- Do I need a GDPR policy template?
GDPR requires you to inform your consumers about how you are handling their personal data. If GDPR applies to you, then you must have a GDPR privacy policy.
- Do I need a lawyer to draft a privacy policy?
No, it is not essential for the lawyer to draft your terms of use and privacy policy for your app or website. You can also utilise a policy generator to produce these documents for your business.