The EU General Data Protection Regulation (GDPR) has applied since 25 May 2018. One of the reasons the EU introduced the law is to give people more control over their personal data.

To prepare for the GDPR, companies have had to think carefully about their data protection and privacy practices.

One of the most important requirements for companies that fall under the scope of the GDPR is that they provide transparent and accessible information about the personal data they're processing. The way to do this is by having a clear and comprehensive Privacy Policy.


What's Covered by the GDPR?

The GDPR covers the "processing" of "personal data." Article 4(1) of the GDPR defines personal data as any information relating to an identified or identifiable person, that is, someone who can be identified "directly or indirectly." This is a very broad definition. Aside from the obvious things like a person's name, Article 4(1) itself lists identifiers such as a person's:

  • Identification number
  • Location data
  • Online identifier (Recital 30 gives IP addresses and cookie identifiers as examples)
  • One or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity

"Processing" is an equally broad term. Article 4(2) defines it as any operation performed on personal data, and Article 2 brings into scope all automated processing plus manual processing of data that forms part of a filing system. This might include:

  • Asking your customers to fill out a contact form on your website
  • Storing a list of phone numbers
  • Sending direct marketing emails

According to Article 3 of the GDPR, the regulation applies to any person or organization established in the EU, and to any person or organization outside the EU that:

  • Offers goods and services in the EU (whether they're charged for, or provided for free);
  • Monitors the behavior of people in the EU.

So, your company might not be "offering goods and services" in the EU. But you will still fall under the GDPR if you "monitor" people in the EU, for example if you:

  • Target EU residents with advertising cookies, or
  • Store your EU users' IP addresses in your log files and use them to track their activity on your site (Recital 24 ties "monitoring" to tracking individuals online, including for profiling)

Does the GDPR Apply Outside of the EU?

The GDPR covers all processing of the personal data of people in the EU - whether the actual act of processing is performed in the EU or not. Not only EU companies have to comply. Companies based anywhere else in the world - for example the United States, Canada, Russia - must comply, too.

While some laws, like the upcoming California Consumer Privacy Act, only apply to certain types of companies, the GDPR could apply to anyone that falls within its scope - including individuals, charities, public bodies and businesses.

Note that there are some exemptions, but most businesses will have to comply.

How to Comply with the GDPR

If the GDPR applies to you, you'll want to know how you can avoid infringing it.

EU data protection authorities can impose fines and other penalties on companies that breach the GDPR. It's not entirely clear how this will be enforced against non-EU businesses. But even the threat of a sanction will create a huge headache for your company.

The good news is that compliance is not all that difficult.

To comply with the GDPR, start with the document that makes your processing transparent: your Privacy Policy.

Creating a GDPR-Compliant Privacy Policy

Having a Privacy Policy is one of the ways that you can comply with a key principle of the GDPR - transparency.

Your Privacy Policy must be:

  • Written in clear and simple language that your users can easily understand,
  • Comprehensive, so that it covers all aspects of your personal data processing activities, and
  • Easily accessible, particularly at the point that you're collecting your users' personal data or soon after if you've received it from elsewhere.

You likely already have a Privacy Policy. It's required under other privacy laws such as:

  • The California Online Privacy Protection Act (CalOPPA);
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA);
  • The EU's Data Protection Directive (the GDPR's predecessor).

However, you likely need to update your Privacy Policy to ensure that you're compliant with the GDPR as well.

Here's what your GDPR-compliant Privacy Policy should contain.

Your Company's Contact Details

Article 13 (1)(a) of the GDPR requires that you provide your users with:

"the identity and the contact details of the controller and, where applicable, of the controller's representative"

"The controller" refers to a "data controller" - someone who decides how and why personal data is processed.

Here's how cereal company Kellogg provides this information:

Kellogg UK Privacy Policy: Contact information clause for data controller and data protection officer

Article 13 (1)(b) of the GDPR also requires you to provide:

"the contact details of the data protection officer, where applicable"

Under Article 37, public authorities, organizations whose core activities involve regular and systematic monitoring of people on a large scale, and organizations that process special category ("sensitive") data or criminal conviction data on a large scale must appoint a Data Protection Officer (DPO). Size alone is not the test; it's the nature of the processing.

Here's some information from the European Commission about appointing a DPO:

Screenshot of excerpt from European Commission's Policies, Information and Services on GDPR's DPO requirement

Here's how the UK's Bar Council provides information about contacting its DPO:

Bar Council UK Privacy Notice: Our Data Protection Officer contact information clause

Your Purposes and Legal Basis for Processing Personal Data

Article 13 (1)(c) of the GDPR requires that you provide information about:

"the purposes of the processing for which the personal data are intended as well as the legal basis for the processing"

You can't process personal data unless you have a specific purpose for doing so. And for every type of data processing you do, you need to make sure you have a legal basis for doing it.

Think of it this way: your personal data belongs to you. Businesses aren't allowed to collect it or use it in any way - unless they have a lawful basis for doing so.

The GDPR sets out six legal bases at Article 6(1), lettered (a) to (f).

You can only process a person's personal data if at least one of the following applies:

  (a) You have their consent to do it
  (b) Processing is necessary to perform a contract with them, or to take steps at their request before entering into one
  (c) Processing is necessary to comply with a legal obligation you're subject to
  (d) Processing is necessary to protect their life or someone else's ("vital interests")
  (e) Processing is necessary for a task carried out in the public interest or in the exercise of official authority
  (f) Processing is necessary for your (or a third party's) legitimate interests, unless those are overridden by the person's own interests or fundamental rights

In your Privacy Policy, you should link your purposes for processing people's data with your legal basis for doing so.

Here's how not-for-profit DACS does this:

DACS UK Privacy Policy: Processing of personal information clause with GDPR legal bases highlighted

If you think that processing personal data is in your legitimate interests (point "f", above), you need to carry out the balancing test that Article 6(1)(f) implies and, under the accountability principle, be able to show that you did. The UK's data protection authority, the Information Commissioner's Office (ICO), recommends documenting this as a Legitimate Interests Assessment (LIA) and provides guidance on how to do it.

Article 13 (1)(d) of the GDPR requires that if you're relying on legitimate interests for an act of data processing, you must provide information about what your legitimate interests are.

The next section of the DACS Privacy Policy does this:

DACS UK Privacy Policy: Processing of personal information clause with GDPR legitimate interests highlighted

Whether You'll Be Sharing Your Users' Personal Data

Article 13 (1)(e) requires you to provide information about:

"the recipients or categories of recipients of the personal data, if any"

Note that you aren't required to necessarily provide the specific names of the companies with whom you share personal data - just the types of organization you might be sharing data with.

You might be sharing personal data in more ways than you realize. For example, if you use:

  • A database hosted by a third party (for example, Microsoft's SQL Server running on a cloud provider's infrastructure rather than on your own servers)
  • Shopping cart software like Shopify
  • An automated email service like MailChimp

Services like these act as "processors" on your behalf. Article 28 requires a written contract with each of them, so listing them in your Privacy Policy is also a good prompt to check that those contracts are in place.

Here's how travel gear company Wayks explains this to its customers:

Wayks Privacy Policy: Clause for sharing personal data with third parties

Whether You'll Be Transferring Personal Data To a Third Country

Article 13 (1)(f) of the GDPR requires that you provide information about:

"the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission"

A "third country" means a country outside of the EU. If you're hosting your website in the US, for example, and you're processing the personal data of people in the EU via that website, you're transferring personal data outside the EU (see https://www.freeprivacypolicy.com/blog/transfer-data-outside-eu/).

The European Commission has a list of countries that it has decided have "adequate" data protection standards. If you're transferring data to a third country, you need to state whether this country is on the list.

You can see that the data protection situation in the US isn't considered "adequate" except where the Privacy Shield framework is used. At the time this article was written, a US-based company could apply to join Privacy Shield if it met the criteria, one of which is having a GDPR-compliant Privacy Policy. Note that the Court of Justice of the EU invalidated Privacy Shield in July 2020 (the "Schrems II" judgment, C-311/18); its successor, the EU-US Data Privacy Framework, received an adequacy decision in July 2023. Check the Commission's current list before relying on any US scheme.


At the time of writing, SendGrid was certified under the Privacy Shield scheme. Here's how it explains this in its Privacy Policy:

SendGrid Website Privacy Policy: Excerpt of International Transfers clause

There are other GDPR-compliant ways to transfer data to third countries, set out in Article 46. Examples are standard contractual clauses approved by the Commission and, for transfers within a corporate group, "binding corporate rules."

This is the method used by pharma company GSK and explained in its Privacy Policy:

GSK Privacy Notice: Excerpt of clause discussing international transfers of information and binding corporate rules

How Long You'll Store Your Users' Personal Data

Article 13 (2)(a) of the GDPR requires that you inform your users:

"the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period"

Under the GDPR, it's important that you don't store personal data for longer than you need it.

Here's how the Chartered Institute of Management explains how long it stores different types of personal data in its Privacy Policy:

Chartered Institute of Management UK Privacy Policy: How long we retain your data clause

Your Users' Rights

Chapter 3 of the GDPR (Articles 12 to 23) sets out the eight rights that people have over their data. The GDPR requires that you not only facilitate your users' access to these rights, but that you also make them aware of their rights in your Privacy Policy.

Here's how trade union Unison does this:

Unison UK Privacy Policy: Clause for rights of data subjects under the GDPR

You also need to explain how your users can make a complaint to their data protection authority (Article 13(2)(d): "the right to lodge a complaint with a supervisory authority").

Here's how UK political party The Labour Party includes this information in its Privacy Policy:

The Labour Party UK Privacy Policy: Contact clause with buttons for GDPR complaints

GDPR-Compliant Consent

In addition to the stricter requirements around Privacy Policies, the GDPR also contains a new definition of consent (Article 4(11)) and conditions for obtaining it (Article 7). This means users are able to make more informed choices about whether to give you permission to process their personal data.

However, it also requires a little extra work on your part.

You don't need consent for all aspects of personal data processing. There are five other legal bases which might be more appropriate in certain contexts.

However, for some activities, it's usually best to seek consent. Examples include:

  • Sending direct marketing emails to new customers
  • Using targeted advertising cookies
  • Processing special category ("sensitive") personal data, where explicit consent is one of the Article 9 exceptions that lets you process it at all

Freely Given and Affirmative

Your users must have a genuine, free choice to either consent or not consent. If you're seeking their consent for something, you must offer both options. It should be just as easy to refuse consent as it is to grant it.

Your users must positively affirm that they consent to you processing their personal data. It's no longer acceptable to assume consent from a person's silence. In other words, consent must be opt-in, not opt-out.

Don't present your users with pre-ticked boxes, or use statements like "by continuing to use our website, you consent to..." Recital 32 is explicit that "silence, pre-ticked boxes or inactivity" do not constitute consent.

Here's a great example from the European Central Bank's cookie consent banner:

European Central Bank's cookie consent banner

Granular

If you've obtained a user's consent for one type of processing, this doesn't mean you've obtained consent for all types of processing.

Under the GDPR, you are supposed to offer your users "granular" consent, i.e. the ability to opt into some types of processing but not others.

Here's how The Independent does this. When a user clicks "Show Purposes" on the cookie consent banner, they're taken to this form where each purpose for using information is listed along with additional information and a radio button to turn each purpose on or off:

The Independent: Purposes for which we use your data screen with enable and reject buttons for consent

Easily Withdrawn

As well as being able to refuse consent, your users must be allowed to withdraw consent once they've agreed to it. Article 7(3) of the GDPR says: "it shall be as easy to withdraw as to give consent."

Article 13 (2)(c) requires that you make your users aware of "the existence of the right to withdraw consent at any time."

Here's how The Law Society does this in its Privacy Policy:

The Law Society UK Privacy Policy: Withdrawing your consent clause
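The three consent properties above (opt-in, granular, withdrawable) are easy to state and easy to get wrong in code. The following is an added example, not code from the original article or from any of the companies it mentions: a small consent record that a cookie banner or a server can drive. The purpose names, the policy version string, the retention period and the cookie layout are assumptions made for illustration.

```javascript
// Added example (not from the original article). Models GDPR-style consent as
// a state record: nothing pre-ticked, one purpose at a time, and withdrawal
// through the same call as granting. Purpose names, policy version, retention
// period and cookie layout are assumptions for illustration.

const PURPOSES = Object.freeze(["necessary", "analytics", "marketing"]);
// Assumed: bump this when the policy text changes so stale consent is re-asked.
const POLICY_VERSION = "2024-01";
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // assumed retention of the choice, in seconds

// Fresh state: nothing is pre-ticked. Only strictly necessary processing runs
// before the user has made an affirmative choice.
function newConsentRecord() {
  const choices = {};
  for (const p of PURPOSES) choices[p] = p === "necessary";
  return { version: POLICY_VERSION, decided: false, choices, history: [] };
}

// Grant and withdraw go through the same call, so withdrawing is exactly as
// easy as giving consent (Article 7(3)). Every change is logged so you can
// later show when consent was given or withdrawn and under which policy text.
function applyChoice(record, purpose, granted, now = Date.now()) {
  if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
  if (purpose === "necessary") throw new Error("necessary processing is not consent-based");
  const value = granted === true;
  record.choices[purpose] = value;
  record.decided = true;
  record.history.push({ purpose, granted: value, at: now, version: record.version });
  return record;
}

function grant(record, purpose, now) { return applyChoice(record, purpose, true, now); }
function withdraw(record, purpose, now) { return applyChoice(record, purpose, false, now); }

// "Reject all" must be one click, just like "Accept all".
function rejectAll(record, now) {
  for (const p of PURPOSES) if (p !== "necessary") applyChoice(record, p, false, now);
  return record;
}

// Gate for every tracker or script tied to a purpose: run it only if this is true.
// A record saved under an older policy version only keeps "necessary"
// (assumption: a materially changed policy needs fresh, informed consent).
function isAllowed(record, purpose) {
  if (!PURPOSES.includes(purpose)) return false;
  if (purpose === "necessary") return true;
  if (record.version !== POLICY_VERSION) return false;
  return record.choices[purpose] === true;
}

// Calls `loader` (e.g. a function that injects an analytics <script>) only
// when the purpose is allowed; returns whether it ran.
function loadIfAllowed(record, purpose, loader) {
  if (!isAllowed(record, purpose)) return false;
  loader();
  return true;
}

// Serialise for a Set-Cookie header. Before any decision nothing is written:
// silence or continued browsing is not consent.
function serializeForCookie(record) {
  if (!record.decided) return null;
  const payload = encodeURIComponent(JSON.stringify({ v: record.version, c: record.choices }));
  return "consent=" + payload + "; Max-Age=" + CONSENT_MAX_AGE + "; Path=/; Secure; SameSite=Lax";
}

// Read it back from a Cookie request header. Anything malformed is treated as
// "no decision yet", never as consent.
function parseFromCookie(cookieHeader) {
  const record = newConsentRecord();
  const m = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return record;
  let parsed;
  try { parsed = JSON.parse(decodeURIComponent(m[1])); } catch (e) { return record; }
  if (!parsed || typeof parsed !== "object" || !parsed.c || typeof parsed.c !== "object") return record;
  record.version = typeof parsed.v === "string" ? parsed.v : "";
  record.decided = true;
  for (const p of PURPOSES) if (p !== "necessary") record.choices[p] = parsed.c[p] === true;
  return record;
}
```

The two design points worth copying are that `serializeForCookie` writes nothing until the user has actually decided (so a visitor who ignores the banner is never recorded as consenting), and that `isAllowed` is the single gate in front of every purpose-bound script, so granularity is enforced at the point of loading rather than left to the banner's UI.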

Summary of GDPR Compliance for Privacy Policies

There are many benefits to having an up-to-date, GDPR-compliant Privacy Policy.

  • You have a chance to review your data protection practices, so you're less likely to suffer a data breach or be subject to a complaint.
  • If either of these things do happen, you can show data protection authorities that you've done the right thing.
  • Your customers will feel that their personal data is safe and their rights are respected.
  • Most importantly, if you want to operate in the EU it's legally required.

Your Privacy Policy needs to include information about:

  • How your users can contact you
  • Your purposes and legal basis for processing their personal data
  • Any intended third-party recipients of their personal data
  • Any intended transfers outside the EU
  • How long you intend to store their personal data
  • How users can exercise their rights under the GDPR

How to Create a Privacy Policy

FreePrivacyPolicy: Privacy Policy Generator - Steps How to Create Privacy Policy

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

  FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

  FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

  FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

  FreePrivacyPolicy: Privacy Policy Generator - Answer the questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

  FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.