Creating a compliant privacy policy
Do you need a lawyer to draft a GDPR-compliant privacy policy? The short answer is, no. You do not need a lawyer to create a good privacy policy, and it is not at all necessary or desirable to use legal terms and jargon. If you can answer the questions listed in this guide accurately, you can create a good policy on how you handle personal data.
What is a privacy policy?
A good privacy policy should provide information about why and how companies collect and process personal data, as well as who they share it with and for what purpose. You privacy policy should show that you comply with relevant data protection laws and value the privacy of your customers and contacts. It should be posted on your site and anywhere you collect personal data.
The GDPR outlines a number of new and updated principles that companies must comply with when collecting and storing personal information. These changes aim to protect the privacy of EU citizens, requiring greater transparency from companies and granting private persons more rights regarding their own data. This trend in legislation has spread around the world, inspiring privacy laws that will affect almost every company worldwide. Even if your company is based in a region that does not have such stringent requirements for data privacy, if your website is available to EU citizens and others who enjoy the rights and protections of data regulations, your company is required to keep up with such laws.
If you haven’t done so yet, review your privacy policy and update it to show clearly that you handle people’s personal data as you should.
Privacy Policy requirements
The GDPR does not explicitly require companies to have a policy on how to handle personal data. However, publishing a well-written privacy policy is a great way for companies to meet a key requirement of the legislation: The disclosure requirement, as per Articles 13 and 14.
Let’s go over some important tips for writing a solid privacy policy and review some examples of what your policy should include.
Want to know more about protecting sensitive data?
In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.
When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.
6 questions your privacy policy should answer
1. What kind of data is collected, how, and why?
This section should describe the purposes for which personal data is collected. There are different types of personal data, so mention each type you collect; for example, profile data, behavioral data, etc. Then be specific when explaining why the data is collected.
2. How is the data processed and kept safely?
Describe and explain how your company processes personal data. Specify the security measures your company takes to protect data. For example, do you use user authentication? Do you have a secure, encrypted mail or a system that can receive and handle personal data securely in other ways?
3. What are your users’ rights?
One of the principles of the GDPR is that individuals have the right to access their own data. This lets individuals gain insight into which companies have their data. We recommend you acknowledge and list this right in your privacy policy.
4. Is your policy up to date?
Your privacy policy should always be accurate and reflect the most current relevant privacy legislation. Update your policy regularly and specify the date it was most recently updated.
5. How can individuals contact you?
Include contact information. This is a way to build trust and show that your company will follow up on any inquiries about personal data. If you provide a request portal along with your contact info, even better. Directing users who want to make data access requests to do so online makes the request process simple and frustration-free on all sides.
6. How should a person make a complaint, if needed?
Article 13.2d of the GDPR requires companies to “…provide the data subject with the following further information necessary to ensure fair and transparent processing: …the right to lodge a complaint with a supervisory authority”. Consent forms and privacy policies can include the right to file a complaint and direct people to the proper government agencies/contact information to do so.
Start your GDPR cleanup where it is needed the most
Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.
Download a free GDPR template here
In collaboration with DAHL, one of Denmark’s largest law firms, we have prepared a template for a standard privacy policy that you can adapt and use.
Try to answer the questions we’ve listed above in your privacy policy. Remember that specifics like the types of personal data collected and processed as well as who it is shared with and why vary enormously from company to company. So when you add details about your company’s use of personal data, make sure everything is:
- Clear and easy to understand, not vague
- Accurate and up to date, never misleading
The last one is especially important because you can be fined for providing inaccurate information. You are not required to have a legal team draft your policy or use contractual language but you should consult with others on your team to ensure you thoroughly understand how your company collects and uses personal data, to make sure all your statements are accurate.
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →
