Writing a GDPR compliant Privacy Policy

All posts in Guides, 5 min read, 18th May 2018
Simon R Jones
Simon R Jones
Part of GDPR is a requirement to clearly communicate how you manage data privacy for your users. The following is a short(ish) guide to how to write a privacy policy that helps meet modern EU Data Protection laws.

Also see: Studio 24’s practical guide to GDPR

NOTE: Please note this is our advice as digital professionals and does not constitute legal advice. Please talk to a lawyer if you require legal advice.

Clear language

The first (and arguably most important) stipulation of the privacy policy is that it needs to be written in clear, understandable English, and must openly include details of how, what, when and where user’s information is stored.

Article 12 states that information must be provided in “a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”. (Article 12).

Article 12 (7) also states that the information must be provided in order to give an “easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing” (our emphasis).

This means no legalese language and no bamboozling technical information!

Overview

Here we are going to cover what you need to include within your own website’s privacy policy. You can use the following as a checklist of points to cover. Be sure to read through our guide and please be diligent in any special requirements and circumstances that affect your organisation.

Your privacy policy should include (but is not limited to) the following things:

  • Who we are
  • What information do we collect from you?
  • Third parties we share data with
  • Transfer of information outside of the European Union (EEA)
  • How you can access and update information
  • 16 or under consent
  • Data security
  • How we use profiling data

Who we are

It’s important to state who you are, so people know who is collecting data. Include your full organisation name, company or charity number, and registered address. If you have one, note your Data Protection office contact details here.

What information do we collect from you?

You should explain what personal data you collect from users. This should include any sensitive data such as health, genetic data, or biometric data. We recommend having a sub-heading for each different purpose of data collection on your site (e.g. a contact form, newsletter signup, analytics, etc).

You should include:

  • What data you collect
  • Why you collect it
  • What legal basis are you collecting it
  • How long you retain data for

For more details on some of the above topics see our introduction to GDPR article

Third parties we share data with

Name any third party services you will be using to collect data. Remember you’ll need to also specify how long this data will be stored for, and how users can make amendments to this data or exercise any of their rights.

Also, do some due diligence on third party suppliers to ensure that they are willing to be compliant with GDPR. MailChimp, Constant Contact, Hubspot and Salesforce are among the providers who report that they have certified with Privacy Shield, showing their intention to follow GDPR’s rules on the transfer of data between countries.

Transfer of information outside of the European Union (EEA)

GDPR applies to all citizens of the EEA, so even if you store data outside of that zone it still needs to comply to GDPR. You’ll need to let your users know about any processing that happens to their information outside of the EEA within your privacy policy.

You’ll need to ensure you have consent, or the normal lawful basis, for processing user data outside the EU. You also need to ensure non-EU service providers take data security seriously. See if they are accredited to the EU-U.S. Privacy Shield Framework.

Read more about GDPR international data transfers.

How you can access and update your information

Provide the means for users to update their information. This might be as simple as providing an email address and asking users to contact directly if they want to update any information.

If you provide any account or login based services, you could include a brief guide (or link to a guide) to help users manage their settings.

16 or under consent

If you process any personal data for children you need to ensure you take special consideration. You need to ensure your Privacy policy is understandable bu children and you detail what steps you take to protect their privacy.

Find out more at the ICO guide to GDPR and Children. 

Data security

It is good practice to detail what steps you take to ensure user’s data is kept private. For example, the use of HTTPS or data encryption. You may want to point out user’s data is hosted in the EU, or if it’s in the US (as many hosted services are) then the supplier is compliant with the EU Privacy Shield framework. This is all about giving users the confidence you take their security seriously.

How we use profiling data

If you profile user data in order to make automated decisions, then you need to make users aware of this in your Privacy policy. For example, if you use automated credit ratings to make a decision on your website or service. If this doesn’t apply to you, you can ignore this section.

For more information see Rights related to automated decision making including profiling (ICO).

Resources

Some nice examples of privacy policies: