22 January 2020
A GDPR Compliance Statement is a way for you to let people know what steps your company has taken to meet the high standards of this important privacy law, the GDPR.
We're going to look at how you can produce a Compliance Statement that showcases your company's data protection credentials.
A GDPR Compliance Statement is a public-facing document that sets out the steps your company is taking, or that it has already taken, to become GDPR compliant.
You can use it to make people aware of everything you're doing to meet your obligations, for example:
So, a GDPR Compliance Statement isn't mandatory. But it can be helpful for several reasons.
For example, any organization that shares personal data with another company must be able to demonstrate that they've researched that company's GDPR compliance. This is an essential part of due diligence.
Take a look at this set of search predictions for email marketing company Mailchimp:
GDPR compliance is clearly on the minds of people who work with MailChimp.
Any company that wants to work with yours is likely to research your data protection standards. What do you want them to see when they carry out this search? If they can't find anything of relevance, you risk losing their business.
But it's not only business customers who care about your data protection practices. The public is increasingly concerned about privacy. The response to Facebook's Cambridge Analytica scandal serves as evidence of this.
And then there are the Data Protection Authorities operating in each EU country. While they won't demand that you produce a public-facing GDPR Compliance Statement, they may well require that you demonstrate what you're doing to meet your legal obligations.
Data Protection Authorities have a range of measures available to them when it comes to dealing with non-compliant companies, ranging from technical support and warnings to huge financial penalties. They have considerable discretion in how they enforce the law, and they will take a company's intentions and efforts into account.
A GDPR Compliance Statement is a great way to demonstrate to other businesses, consumers, and the authorities that your company is headed in the right direction and making solid efforts towards compliance.
Your GDPR Compliance Statement should detail what you've done and/or what you're planning to do to become GDPR compliant. Every company will have to take different steps to comply, and so every Compliance Statement will be different.
There will, however, be some elements that many Compliance Statements have in common. Let's look at some sections that you should consider including, with some examples to put them in context.
You should briefly tell your users what the GDPR is. It's best to keep your language as clear and simple as possible.
Here's how Basware explains the GDPR to its customers:
And here's a summary of the objectives of the GDPR from Xero:
This should be a very brief and non-technical explanation to put your Compliance Statement in context.
Your Compliance Statement is a chance for you to set out your company's vision for your users' privacy.
This section can take many different forms. It's up to you to set the tone of your Compliance Statement. Some companies take an informative approach, such as Advocately:
Some get a little more creative, like recruitment company Parkhouse Bell:
The key is to write something that reflects your company's values and relates them to data protection.
Before you can implement the GDPR's requirements, you'll need an understanding of:
This means conducting a data audit. This should be your first step towards GDPR compliance. You can use your GDPR Compliance Statement to let people know that you've done this.
This is the first item on Clyde and Co's Compliance Statement:
A data audit is also mentioned in the Compliance Statement of SICL:
You can list this among the things you have done, or will do, in your efforts to become GDPR compliant. You don't need to go into detail about which sections were changed.
Here's an example from Anuncia:
The GDPR brings many companies under the remit of EU law for the first time. International transfers of personal data, i.e. transfers from an EU country to a non-EU country, may only legally take place under certain conditions.
If your company is based outside of the EU and processing personal data within it, or if it is based inside the EU and transferring personal data to companies outside of it, you may have adopted one of the GDPR's accepted transfer mechanisms. If so, it is important to explain this in your Compliance Statement.
For example, TenIntelligence states that it employs a number of safeguards on international transfers, including binding corporate rules and standard contractual clauses.
Make sure your users know that you're doing what you can to keep their data safe, even when transferring it away from your business.
The GDPR distinguishes between "data controllers," who make decisions about how and why personal data is processed, and "data processors," who carry out data processing on a data controller's behalf.
In every instance where a data controller and data processor work together, or where a data processor works with other data processors, there must be a Data Processing Agreement in place. This is a legally binding contract that sets out the obligations on all parties concerned.
Many companies use their Compliance Statement to explain the steps they have taken to put Data Processing Agreements in place with their partner companies. Here's an example from data processor Knack:
Here's another example, from Cloud Design Box (also a data processor):
Data controllers are also responsible for ensuring that a Data Processing Agreement is in place when they work with a data processor.
Data controller Donkey Republic uses its Compliance Statement to reassure its customers that it has fulfilled this obligation:
It's adequate to simply state that you have these agreements in place where necessary.
The theme of data security will run through many of the sections of your Compliance Statement. International transfer safeguards and Data Processing Agreements, for example, are both methods of ensuring data security.
But the GDPR also makes specific demands regarding the technical measures employed when processing personal data. For example, it suggests pseudonymization of personal data.
Woodpecker's Compliance Statement includes the pseudonymization of personal data among a list of steps the company has taken towards GDPR compliance:
Many companies' existing data security systems are already compliant with the GDPR. For these companies, a Compliance Statement is a way to demonstrate this to their customers.
You may also decide to adopt SSL/TLS encryption, or you may already be taking such a measure. This is worth mentioning in your Compliance Statement.
Spotterton's Compliance Statement lists SSL/TLS encryption among several data security measures it has taken:
Here's another example from Grid Dynamics:
Grid Dynamics mentions that its security measures align with ISO 27001:2013. This can be a good step towards compliance with the GDPR's data security requirements.
CIPFA mentions that part of its process of achieving GDPR compliance was to earn ISO 27001:2013 certification:
You can include both specific and general information about any security measures you have in place. The more secure your systems are, the more protected your users' data will be, and this will make the authorities as well as your users very happy.
When carrying out high-risk data processing or running projects that involve new technologies, you're required to carry out a Data Protection Impact Assessment (DPIA). This is a way to mitigate risks and assess the viability of carrying out the project safely.
Many companies involved in carrying out high-risk projects will have been conducting such assessments before the GDPR. This is another area that you should mention even if you're already compliant.
Here's how Effective Experiments addresses DPIAs in its Compliance Statement:
If you don't routinely carry out DPIAs but you're preparing to do so if required, you can still mention this in your Compliance Statement.
Here's how Mobivate addresses this (note that Mobivate uses the term "privacy impact assessment"):
The GDPR requires that companies have systems in place to enable them to respond effectively to data breaches.
Betsafe introduced a new data breach notification system in preparation for the GDPR, and it mentions this in its Compliance Statement:
Fisher German reviewed its data breach procedures as part of its GDPR compliance process, and also references this in its Compliance Statement:
A key principle of the GDPR is storage limitation. You must not store personal data for longer than needed in connection with a specific purpose.
Home-Start Barnet mentions this in its Compliance Statement:
And here's the relevant section from the Compliance Statement of Liverpool Museums:
Note that these sections don't have to be long or specific. Just acknowledge that you have limits in place for retaining data.
The GDPR forced many companies to consider how they went about requesting consent.
Consent must be meaningful under the GDPR. There's no concept of "implied" consent. If you're asking for consent for a particular act of data processing, you should consider whether this fits the GDPR's standards.
If your company has changed its approach to requesting consent, you should mention this in your Compliance Statement.
Here's an example from MISL, which conducted a review of its consent records to ensure that they were obtained in a GDPR-compliant way:
And Hotjar, as a data processor, introduced new consent controls so that its customers could obtain valid consent under the new law.
Under the GDPR, individuals in the EU can exercise certain rights over their personal data. You should state how you can help facilitate data subject rights requests in your Compliance Statement. If you've set up a new system for this, then your Compliance Statement is an opportunity to tell your users about it.
Some companies give a fairly generic explanation of how they handle rights requests. Here's an example from Croner Group:
SurveyMonkey, which is a data processor in most respects, explains in its Compliance Statement how it provides account holders (who are data controllers) with controls that allow them to fulfill data subject rights requests:
Make sure to acknowledge that you're aware of and doing something to facilitate user rights under the GDPR.
Some companies are required to appoint a Data Protection Officer (DPO) to oversee GDPR compliance. If you have appointed a DPO or are planning to, you should mention this in your Compliance Statement.
Here's an example from Cello Health's Compliance Statement:
If you already have a DPO, you might mention that they are overseeing your GDPR compliance efforts, or that they can be contacted with any queries relating to your Compliance Statement.
Here's how Critchleys does this:
Include specific contact information whenever possible, such as the name of the DPO and at least one method to reach out to the DPO.
Companies that are subject to the GDPR but have no base in the EU must appoint an EU Representative. If your company is based in a non-EU country, you should mention in your Compliance Statement that you have made this appointment.
Here's the relevant part of Viafoura's Compliance Statement:
A GDPR Compliance Statement is your company's chance to tell the world about everything it is doing, and everything it's already done, to become GDPR-compliant.
You should include information about:
This free, downloadable template includes the following sections:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.