Last updated on 17 August 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The GDPR is an EU privacy law that requires businesses to disclose their policies regarding the collection, use, storage and deletion of user data while also providing privacy rights to EU consumers.
Personal data is big business. Companies like Google and Facebook have revenues larger than some countries. They made their fortunes by processing people's personal data.
The GDPR sets the rules about how personal data should be processed in the EU. It also provides rights to individuals regarding their personal data. Without privacy laws like the GDPR, people would lose control over the information that businesses and governments have collected about them.
The GDPR is different. Its requirements are more rigorous than any of the above laws, and anything you produced to comply with these will likely not be sufficient under the GDPR.
An important thing to bear in mind is that this is a public-facing document, and is not written just for your customers. It should be aimed at anyone whose personal data you might process - including potential customers and visitors to your website.
Let's take a look at what you'll need to include.
You should include the legal name and business address of your company in the introduction.
Here's how MembersFirst does this:
You'll notice above that MembersFirst refers to itself as a "data controller." For the purposes of the GDPR, your company is probably a "data controller," too - if it makes decisions about how and why personal data is processed.
Some companies give their definitions directly from Article 4 of the GDPR. This is the approach of AEG:
This isn't actually all that helpful for a reader. Arguably, defining a "data subject" as "an identifiable natural person [...] who can be identified, directly or indirectly, in particular by reference to an identifier" does little to clarify what the term actually means to a layperson.
Here's another example from Edgbaston Park Hotel. Its definitions are more accessible and easy to understand.
You can see the differences here between writing in legalese versus writing in a common voice that is far easier to understand.
Article 5 of the GDPR contains six principles by which all personal data must be processed.
This is the approach taken by CRG:
Others take a more personalized approach, listing their company's specific principles and relating these to the GDPR's principles.
Here's an example from the International Institute for Environment and Development:
The GDPR's definition of "personal data" is very broad. The chances are that your company processes a lot of it.
Here's an example from Clearcast:
You can then further break down this information into more detailed categories.
Here's an example of how to do his:
Be as detailed and specific as possible when disclosing the types of personal data you collect and process. Try to disclose this information in a way that's as easy for your users to understand as possible.
This can also be a clause that describes "how" and "why" the data is used, so long as users are informed about what exactly you're doing with the data you collect.
The legal bases for processing a person's personal data are:
Some companies relate their legal bases to the types of personal data they process and their reasons for processing personal data.
Here's how Pint of Science does this:
Where you're relying on "legitimate interests," you need to specify what your legitimate interests are.
Where you're using "consent" as a legal basis, you must include reference to your users' right to withdraw consent. Here's how Sharp does this:
If your legal basis is "contract," you need to let people know what will happen if they fail to provide you with the personal data you need to carry out a contract.
Here's how Budget does this:
Make sure you know what your legal basis is (or are) and disclose this.
This won't always be a particular period (i.e. one week, two months, etc.). It may be determined by the length of time for which you need the data (e.g. until the person closes their account).
If you keep different types of data for different periods of time, disclose this as specifically as possible.
Note that the GDPR doesn't require you to list the names of every company with whom you share data, only the broad types of company (e.g. payment processors, mail carriers, etc.).
However, make sure you check the Terms and Conditions of companies with whom you have a Data Processing Agreement. Some of them, like Google, require you to name them specifically.
Here's an example of a clause that fulfills Google's disclosure requirements:
The clause explicitly states that "Google Analytics data is shared with Google" which lets users know that a third party (Google) is receiving some of their personal data.
These rights are:
Not all the rights are likely to apply to your company, but you need to be familiar with them regardless.
Here's how the University of Oxford provides information about some of these rights:
And here's how people can contact the University in connection with these rights:
The University of Cambridge, on the other hand, facilitates the right of access via an online form:
Requests relating to the other rights can be fulfilled via email:
You must also inform your users of their right to make a complaint to a Data Protection Authority, such as the Information Commissioner's Office (ICO) in the UK, or the Data Protection Commission (DPC) in Ireland.
Here's how charity Make-A-Wish does this:
Here's an example from Power to Change:
Here are some ways you can make sure it gets noticed
Here's how The Times does this:
Here's how Profile Editions does this when requesting direct marketing consent:
Here's an example from Waitrose:
Here is a list of frequently asked questions that you may find useful.
The GDPR applies to you if you:
More specific Privacy Templates are available on our blog.