GDPR Compliance Statement

GDPR Compliance Statement

Compliance with the EU General Data Protection Regulation (GDPR) takes a lot of work. A lot of this work will be reflected in your GDPR Privacy Policy. But much takes place behind the scenes.

A GDPR Compliance Statement is a way for you to let people know what steps your company has taken to meet the high standards of this important privacy law, the GDPR.

Unlike a Privacy Policy, a GDPR Compliance Statement is not a legal requirement. It's an opportunity to convey your company's values, and to show your customers that their personal data is safe in your company's hands.

We're going to look at how you can produce a Compliance Statement that showcases your company's data protection credentials.


What is a GDPR Compliance Statement?

A GDPR Compliance statement is a public-facing document that sets out the steps your company is taking, or that it has already taken, to become GDPR compliant.

You can use it to make people aware of everything you're doing to meet your obligations, for example:

  • The technical measures you're implementing to meet the GDPR's stringent data security standards.
  • The demands you're placing on any data processors with whom you share your customers' personal data.
  • The systems you're setting up to help people exercise their data subject rights.

Remember: A Compliance Statement is not a Privacy Policy. You have total control over what goes into it. No Data Protection Authority will try to fine you if you don't have one. But in terms of public relations and reputation management, it's very important to have one.

Does My Company Need a GDPR Compliance Statement?

Does My Company Need a GDPR Compliance Statement?

So, a GDPR Compliance Statement isn't mandatory. But it can be helpful for several reasons.

For example, any organization that shares personal data with another company must be able to demonstrate that they've researched that company's GDPR compliance. This is an essential part of due diligence.

Take a look at this set of search predictions for email marketing company Mailchimp:

Screenshot of Google search predictions for MailChimp and GDPR

GDPR compliance is clearly on the minds of people who work with MailChimp.

Any company that wants to work with yours is likely to research your data protection standards. What do you want them to see when they carry out this search? If they can't find anything of relevance, you risk losing their business.

But it's not only business customers who care about your data protection practices. The public is increasingly concerned about privacy. The response to Facebook's Cambridge Analytica scandal serves as evidence of this.

Consumers are aware of the GDPR, and while few will read your Privacy Policy from top to bottom, many will want to know what you're doing to keep their personal data safe.

And then there are the Data Protection Authorities operating in each EU country. While they won't demand that you produce a public-facing GDPR Compliance Statement, they may well require that you demonstrate what you're doing to meet your legal obligations.

Data Protection Authorities have a range of measures available to them when it comes to dealing with non-compliant companies, ranging from technical support and warnings to huge financial penalties. They have considerable discretion in how they enforce the law, and they will take a company's intentions and efforts into account.

A GDPR Compliance Statement is a great way to demonstrate to other businesses, consumers, and the authorities that your company is headed in the right direction and making solid efforts towards compliance.

What to Include in a GDPR Compliance Statement

What to Include in a GDPR Compliance Statement

Your GDPR Compliance statement should detail what you've done and/or what you're planning to do to become GDPR compliant. Every company will have to take different steps to comply, and so every Compliance Statement will be different.

There will, however, be some elements that many Compliance Statements have in common. Let's look at some sections that you should consider including, with some examples to put them in context.

Introduction

You should briefly tell your users what the GDPR is. It's best to keep your language as clear and simple as possible.

Here's how Basware explains the GDPR to its customers:

Basware GDPR Commitment: Definition of GDPR section

And here's a summary of the objectives of the GDPR from Xero:

Xero GDPR Centre: GDPR objectives section

This should be a very brief and non-technical explanation to put your Compliance Statement in context.

Your Company's GDPR Commitment

Your Compliance Statement is a chance for you to set out your company's vision for your users' privacy.

This section can take many different forms. It's up to you to set the tone of your Compliance Statement. Some companies take an informative approach, such as Advocately:

Advocately GDPR statement: Preparing for the GDPR section

Some get a little more creative, like recruitment company Parkhouse Bell:

Parkhouse Bell GDPR Commitment

The key is to write something that reflects your company's values and relates them to data protection.

Data Audit

Before you can implement the GDPR's requirements, you'll need an understanding of:

  • What personal data you are holding
  • How personal data flows into and around your systems
  • Where your data processing practices might be inadequate under the the GDPR

This means conducting a data audit. This should be your first step towards GDPR compliance. You can use your GDPR Compliance Statement to let people know that you've done this.

This is the first item on Clyde and Co's Compliance Statement:

Clyde and Co GDPR Compliance Statement: Data audit section

A data audit is also mentioned in the Compliance Statement of SICL:

SICL GDPR Public Statement: Data audit section

Privacy Policy

The GDPR's transparency obligations mean that almost every company affected by it will need to update its Privacy Policy.

You can list this among the things you have done, or will do, in your efforts to become GDPR compliant. You don't need to go into detail about which sections were changed.

Here's an example from Anuncia:

Anuncia GDPR Compliance Statement: Our GDPR Actions to Date - Updated Privacy Policy

You can consider linking your Privacy Policy to a statement like this to help people find your policy even easier.

International Data Transfers

The GDPR brings many companies under the remit of EU law for the first time. International transfers of personal data, i.e. transfers from an EU country to a non-EU country, may only legally take place under certain conditions.

If your company is based outside of the EU and processing personal data within it, or if it is based inside the EU and transferring personal data to companies outside of it, you may have adopted one of the GDPR's accepted transfer mechanisms. If so, it is important to explain this in your Compliance Statement.

For example, TenIntelligence states that it employs a number of safeguards on international transfers, including binding corporate rules and standard contractual clauses.

TenIntelligence GDPR Compliance Statement: International Data Transfers and Third-Party Disclosures section

Slack's Compliance Statement explains that its international transfers take place using two of the GDPR's safeguards: the Privacy Shield framework and standard contractual clauses.

Slack GDPR Compliance Statement: International Data Transfers: Privacy Shield and Contractual Terms section

Make sure your users know that you're doing what you can to keep their data safe, even when transferring it away from your business.

Data Processing Agreements

The GDPR distinguishes between "data controllers," who make decisions about how and why personal data is processed, and "data processors," who carry out data processing on a data controller's behalf.

In every instance where a data controller and data processor work together, or where a data processor works with other data processors, there must be a Data Processing Agreement in place. This is a legally binding contract that sets out the obligations on all parties concerned.

Many companies use their Compliance Statement to explain the steps they have taken to put Data Processing Agreements in place with their partner companies. Here's an example from data processor Knack:

Knack GDPR Compliance Statement: Agreements section

Here's another example, from Cloud Design Box (also a data processor):

Cloud Design Box GDPR Compliance Statement: What is Cloud Design Box doing to prepare for GDPR section

Data controllers are also responsible for ensuring that a Data Processing Agreement is in place when they work with a data processor.

Data controller Donkey Republic uses its Compliance Statement to reassure its customers that it has fulfilled this obligation:

Donkey Republic GDPR Compliance Statement: Agreements with third parties on data processing section

It's adequate to simply state that you have these agreements in place where necessary.

Data Security

The theme of data security will run through many of the sections of your Compliance Statement. International transfer safeguards and Data Processing Agreements, for example, are both methods of ensuring data security.

But the GDPR also makes specific demands regarding the technical measures employed when processing personal data. For example, it suggests pseudonymization of personal data.

Woodpecker's Compliance Statement includes the pseudonymization of personal data among a list of steps the company has taken towards GDPR compliance:

Woodpecker GDPR Compliance Statement: What is Woodpecker doing to comply - Pseudonymization and protecting personal data sections

Many companies' existing data security systems are already compliant with the GDPR. For these companies, a Compliance Statement is a way to demonstrate this to their customers.

You may also decide to adopt SSL/TLS encryption, or you may already be taking such a measure. This is worth mentioning in your Compliance Statement.

Spotterton's Compliance Statement lists SSL/TLS encryption among several data security measures it has taken:

Spotterton GDPR Compliance Statement: Information Security and Technical and Organisational Measures section

Here's another example from Grid Dynamics:

Grid Dynamics GDPR Compliance Statement: Information Security and Technical and Organisational Measures section

Grid Dynamics mentions that its security measures align with ISO 27001:2013. This can be a good step towards compliance with the GDPR's data security requirements.

CIPFA mentions that part of its process of achieving GDPR compliance was to earn ISO 27001:2013 certification:

CIPFA GDPR Compliance Statement: Certified to ISO for information security measures section

You can include both specific and general information about any security measures you have in place. The more secure your systems are, the more protected your users' data will be, and this will make the authorities as well as your users very happy.

Data Protection Impact Assessments

When carrying out high-risk data processing or running projects that involve new technologies, you're required to carry out a Data Protection Impact Assessment (DPIA). This is a way to mitigate risks and assess the viability of carrying out the project safely.

Many companies involved in carrying out high-risk projects will have been conducting such assessments before the GDPR. This is another area that you should mention even if you're already compliant.

Here's how Effective Experiments addresses DPIAs in its Compliance Statement:

Effective Experiments GDPR Compliance Statement: Risk Assessment DPIA section

If you don't routinely carry out DPIAs but you're preparing to do so if required, you can still mention this in your Compliance Statement.

Here's how Mobivate addresses this (note that Mobivate uses the term "privacy impact assessment"):

Mobivate GDPR Compliance Statement: Privacy impact assessments DPIA section

Data Breach Protocol

The GDPR requires that companies have systems in place to enable them to respond effectively to data breaches.

Betsafe introduced a new data breach notification system in preparation for the GDPR, and it mentions this in its Compliance Statement:

Betsafe GDPR Statement: Compliance steps taken

Fisher German reviewed its data breach procedures as part of its GDPR compliance process, and also references this in its Compliance Statement:

Fisher German GDPR Compliance Statement: Reviewing data breach procedures section

Data Retention

A key period of the GDPR is storage limitation. You must not store personal data for longer than needed in connection with a specific purpose.

Home-Start Barnet mentions this in its Compliance Statement:

Home-Start Barnet GDPR Compliance Statement: Data Retention section

And here's the relevant section from the Compliance Statement of Liverpool Museums:

Liverpool Museums GDPR Compliance Statement: Retention of Data section

Note that these sections don't have to be long or specific. Just acknowledge that you have limits in place for retaining data.

The GDPR forced many companies to consider how they went about requesting consent.

Consent must be meaningful under the GDPR. There's no concept of "implied" consent. If you're asking for consent for a particular act of data processing, you should consider whether this fits the GDPR's standards.

If your company has changed the way its approach to requesting consent, you should mention in this in your Compliance Statement.

Here's an example from MISL. MISL has conducted a review of their consent records to ensure that they were obtained in a GDPR-compliant way:

MISL GDPR Compliance Statement: Review of consents section

And Hotjar, as a data processor, introduced new consent controls so that its customers could obtain valid consent under the new law.

Hotjar GDPR Compliance Statement: Necessary changes and improvements - Feedback Consent Controls section

Data Subject Rights

Under the GDPR, individuals in the EU can exercise certain rights over their personal data. You should state how you can help facilitate data subject rights requests in your Compliance Statement. If you've set up a new system for this, then your Compliance Statement is an opportunity to tell your users about it.

Some companies give a fairly generic explanation of how they handle rights requests. Here's an example from Croner Group:

Croner Group GDPR Compliance Statement: Right to be Forgotten and Subject Access Requests sections

SurveyMonkey, which is a data processor in most respects, explains in its Compliance Statement how it provides account holders (who are data controllers) with controls that allow them to fulfill data subject rights requests:

SurveyMonkey GDPR Compliance Statement: User rights and requests section

Make sure to acknowledge that you're aware of and doing something to facilitate user rights under the GDPR.

Data Protection Officer

Some companies are required to appoint a Data Protection Officer (DPO) to oversee GDPR compliance. If you have appointed a DPO or are planning to, you should mention this in your Compliance Statement.

Here's an example from Cello Health's Compliance Statement:

Cello Health GDPR Compliance Statement: DPO section

If you already have a DPO, you might mention that they are overseeing your GDPR compliance efforts, or that they can be contacted with any queries relating to your Compliance Statement.

Here's how Critchleys does this:

Critchleys GDPR Compliance Statement: DPO section

Include specific contact information whenever possible, such as the name of the DPO and at least one method to reach out to the DPO.

EU Representative

Companies who are subject to the GDPR but have no base in the EU must appoint an EU Representative. If your company is based in a non-EU country, you should mention that you have made this appointment in your Compliance Statement.

Here's the relevant part of Viafoura's Compliance Statement:

Viafoura GDPR Compliance Statement: EU Representative contact section

Summary of Your GDPR Compliance Statement

A GDPR Compliance Statement is your company's chance to tell the world about everything it is doing, and everything it's already done, to become GDPR-compliant.

You should include information about:

  • What the GDPR is
  • Your company's commitment to safeguarding its users' personal data
  • Any data audit you've conducted
  • Updates to your Privacy Policy
  • The safeguards you employ when transferring personal data out of the EU
  • The Data Processing Agreements you have in place with your partners
  • The technical measures you have taken to ensure data security
  • Your willingness to conduct Data Protection Impact Assessments
  • Your procedure for reporting data breaches
  • Whether you have reviewed your data retention practices
  • Your methods of earning GDPR-compliant consent
  • How you will facilitate data subject rights requests
  • Whether you have appointed a Data Protection Officer and/or EU Representative and contact information when available

Download GDPR Compliance Statement Template

Download our GDPR Compliance Statement Template as a PDF file, DOCX file or Google Document.

This free, downloadable template includes the following sections:

  • Your GDPR Principles
  • Data Subjects Rights under GDPR
  • Your GDPR compliance plan
  • Contact information for GDPR-related questions

Sample: GDPR Compliance Statement Template

Other Categories:

Robert Bateman

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.