- 1. What is the GDPR?
- 2.1. Introduction
- 2.2. Definitions
- 2.3. Principles for Processing Personal Data
- 2.4. Types of Personal Data You Process
- 2.5. How You Process Personal Data
- 2.6. Legal Basis
- 2.7. Retention of Personal Data
- 2.8. Who You Share Personal Data With
- 2.9. International Transfers of Personal Data
- 2.10. Data Rights
- 3.1. On Your Website
- 3.2. On Your Mobile App
- 3.3. In Your Communications
- 4. FAQs about GDPR Privacy Policies
What is the GDPR?
The GDPR is an EU privacy law that requires businesses to disclose their policies regarding the collection, use, storage and deletion of user data while also providing privacy rights to EU consumers.
Personal data is big business. Companies like Google and Facebook have revenues larger than some countries. They made their fortunes by processing people's personal data.
The GDPR sets the rules about how personal data should be processed in the EU. It also provides rights to individuals regarding their personal data. Without privacy laws like the GDPR, people would lose control over the information that businesses and governments have collected about them.
- The California Online Privacy Protection Act (CalOPPA)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia's Privacy Act
- The GDPR's predecessor, the Data Protection Directive
The GDPR is different. Its requirements are more rigorous than any of the above laws, and anything you produced to comply with these will likely not be sufficient under the GDPR.
An important thing to bear in mind is that this is a public-facing document, and is not written just for your customers. It should be aimed at anyone whose personal data you might process - including potential customers and visitors to your website.
Let's take a look at what you'll need to include.
You should include the legal name and business address of your company in the introduction.
Here's how MembersFirst does this:
You'll notice above that MembersFirst refers to itself as a "data controller." For the purposes of the GDPR, your company is probably a "data controller," too - if it makes decisions about how and why personal data is processed.
Some companies give their definitions directly from Article 4 of the GDPR. This is the approach of AEG:
This isn't actually all that helpful for a reader. Arguably, defining a "data subject" as "an identifiable natural person [...] who can be identified, directly or indirectly, in particular by reference to an identifier" does little to clarify what the term actually means to a layperson.
Here's another example from Edgbaston Park Hotel. Its definitions are more accessible and easy to understand.
You can see the differences here between writing in legalese versus writing in a common voice that is far easier to understand.
Principles for Processing Personal Data
Article 5 of the GDPR contains six principles by which all personal data must be processed.
- Lawfulness, fairness, and transparency: Obey the law, only process personal data in a way that people would reasonably expect, and always be open about your data protection practices.
- Purpose limitation: You must normally only process personal data for the specific reason you collected it and nothing else.
- Data minimization: Don't process any more data than you need.
- Accuracy: Make sure that any personal data you hold is adequate and accurate.
- Storage limitation: Don't store personal data for longer than you need to.
- Integrity and confidentiality: Always process personal data securely.
This is the approach taken by CRG:
Others take a more personalized approach, listing their company's specific principles and relating these to the GDPR's principles.
Here's an example from the International Institute for Environment and Development:
Types of Personal Data You Process
The GDPR's definition of "personal data" is very broad. The chances are that your company processes a lot of it.
Here's an example from Clearcast:
You can then further break down this information into more detailed categories.
Here's an example of how to do this:
Be as detailed and specific as possible when disclosing the types of personal data you collect and process. Try to disclose this information in a way that's as easy for your users to understand as possible.
How You Process Personal Data
This can also be a clause that describes "how" and "why" the data is used, so long as users are informed about what exactly you're doing with the data you collect.
The legal bases for processing a person's personal data are:
- Consent: You have obtained their permission in a GDPR-compliant way
- Contract: You need to process their personal data to fulfill a contract
- Legal obligation: You'd be breaking the law if you didn't process their personal data
- Vital interests: Their life (or someone else's life) depends on you processing their personal data
- Public task: You need to process their personal data to carry out a task that's in the public interest
- Legitimate interests: Processing their personal data is in your interests, and you've carried out a Legitimate Interests Assessment
Some companies relate their legal bases to the types of personal data they process and their reasons for processing personal data.
Here's how Pint of Science does this:
Where you're relying on "legitimate interests," you need to specify what your legitimate interests are.
Where you're using "consent" as a legal basis, you must include reference to your users' right to withdraw consent. Here's how Sharp does this:
If your legal basis is "contract," you need to let people know what will happen if they fail to provide you with the personal data you need to carry out a contract.
Here's how Budget does this:
Make sure you know what your legal basis (or bases) is, and disclose this.
Retention of Personal Data
This won't always be a fixed period (e.g. one week, two months, etc.). It may instead be determined by how long you need the data (e.g. until the person closes their account).
If you keep different types of data for different periods of time, disclose this as specifically as possible.
Who You Share Personal Data With
Note that the GDPR doesn't require you to list the names of every company with whom you share data, only the broad types of company (e.g. payment processors, mail carriers, etc.).
However, make sure you check the Terms and Conditions of companies with whom you have a Data Processing Agreement. Some of them, like Google, require you to name them specifically.
Here's an example of a clause that fulfills Google's disclosure requirements:
The clause explicitly states that "Google Analytics data is shared with Google" which lets users know that a third party (Google) is receiving some of their personal data.
International Transfers of Personal Data
These rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (known as "the right to be forgotten")
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making
Not all the rights are likely to apply to your company, but you need to be familiar with them regardless.
Here's how the University of Oxford provides information about some of these rights:
And here's how people can contact the University in connection with these rights:
The University of Cambridge, on the other hand, facilitates the right of access via an online form:
Requests relating to the other rights can be fulfilled via email:
You must also inform your users of their right to make a complaint to a Data Protection Authority, such as the Information Commissioner's Office (ICO) in the UK, or the Data Protection Commission (DPC) in Ireland.
Here's how charity Make-A-Wish does this:
Here's an example from Power to Change:
Here are some ways you can make sure it gets noticed.
On Your Website
Here's how The Times does this:
Here's how Profile Editions does this when requesting direct marketing consent:
On Your Mobile App
In Your Communications
Here's an example from Waitrose:
FAQs about GDPR Privacy Policies
Here is a list of frequently asked questions that you may find useful.
The GDPR applies to you if you:
- Are located in the EU, or
- Offer goods and services to individuals located in the EU, or
- Monitor the behavior of individuals located in the EU
- You must include your legal basis for processing personal information
- You must disclose the GDPR-granted user rights
- You must let users know how long you retain their personal information for
- International data transfers must be addressed in detail, with safeguards listed
- Including additional clauses and information such as the GDPR user rights, your legal basis for processing personal information, how you safeguard any international transfers of data you engage in, and contact information for your Data Protection Officer and EU Representative, if applicable
- Account sign-up forms
- Email newsletter sign-up forms
- Email communications
- Contact forms
- Ecommerce payment/checkout screens
- App store listings for mobile apps
- Within mobile apps in a menu, such as an "About" or "Legal" menu
- An introduction that explains the purpose of the document
- Your company's name and contact details
- Name and contact details for important roles (DPO, EU Rep, etc.)
- Your data protection principles
- The types of personal data you process
- How and why you process personal data
- Your legal bases for each act of processing
- How long you retain personal data
- The types of third parties with whom you share personal data
- Details of any transfers to non-EU countries
- Collecting and Using Personal Information
- Usage Data
- Use of Personal Information
- Transfer of Personal Information
- Disclosure of Personal Information
- Security of Personal Information
- GDPR Privacy
- Links to Other Websites
- Contact Information