How to Write a Privacy Policy That’s GDPR Compliant
Last Updated: March 16, 2022
In the digital era, when more people entrust their personal data to the internet and cloud services, there is a greater need than ever before to inform them how their data is being used. In 2016, the EU introduced a new privacy law, the General Data Protection Regulation (GDPR). It is an updated regime that replaced the Data Protection Directive.
In this article, we’ll explain how to create a GDPR compliant privacy policy for your website, whom it protects, and what the customers’ rights are according to this law. Read on!
What Is a Privacy Notice?
A privacy notice is a document in which organizations explain how they process their clients’ personal data, why, and how they keep it private. The main aim of a privacy notice is to encourage transparency, i.e., to prevent keeping individuals in the dark about how their data is collected and used. A privacy notice is important for both parties. The organization collects the personal data it needs, and the individual is satisfied knowing how the company’s data protection works and is reassured that the information will not be used beyond its original purpose. Articles 12, 13, and 14 of the GDPR can help you understand how to write a privacy policy because they contain detailed instructions on what a privacy policy should include.
Although the terms “privacy policy” and “privacy notice” do not appear in the GDPR text, they are used interchangeably.
Every organization should publish a privacy policy on its website that should be:
- Written in clear and plain language
- Transparent, down-to-the-point, easily accessible, and intelligible
- Free of charge
- Distributed and updated in a timely manner
For apps, the privacy policy should be easily accessible within the app, usually no more than two clicks away.
DID YOU KNOW: Organizations need to do everything in their power to ensure that their clients have read the privacy policy and fully understand the GDPR requirements.
What Is GDPR and Why Is It Important?
On May 25, 2018, the European Union adopted a new type of data regulation. Even today, it remains the toughest online privacy law. Its main goal is to give individuals more insight into and control over how organizations use their data and how that data is protected from potential fraud by third parties.
Nevertheless, even though it was drafted and created to protect EU citizens, its constraints are not limited to the EU. Whenever the majority of users in a given organization are from the EU, no matter the organization’s location, the organization still needs to comply with the GDPR. Every website in the EU, or any website dealing with EU citizens, needs to have an appropriate privacy policy. Many companies are affected by this law, and they need to be aware of its requirements.
The importance of GDPR lies in the fact that it enhances the protection of European citizens’ data rights and gives companies and organizations a clear outline of what they must do to protect these rights. An owner of a company might be subject to hefty fines of up to 4% of their global revenue or twenty million euros, whichever is higher, if they fail to comply with the GDPR requirements.
Key Takeaways
The privacy notice should make it easy to understand how an organization will use an individual’s data.
The website privacy notice should be short and written in simple language so that all users will understand it easily.
Transparency is a key principle of GDPR, preventing companies from processing data without users’ consent.
According to the GDPR, individuals have the right to be informed about how their data is processed and protected.
What Should a GDPR Compliant Privacy Policy Include?
There are a few things that should be included in the privacy policy according to the General Data Protection Regulation (GDPR):
Data
There are strict GDPR guidelines that state that the privacy policy should explain how personal data is collected and used. Here are a few questions that companies must address:
- What type of information is collected
- How the information is collected
- Who collects it (contact info)
- Who uses it
- How the information is stored
DID YOU KNOW: For some, paying attention to all the details when creating a privacy policy could be a nightmare. That’s why many prefer to use privacy policy generators that help you draft the best policy.
8 Rights Customers Have Under the GDPR
The right to erasure
The right to erasure, a.k.a. the right to be forgotten, is found in Article 17 of the GDPR. It means that individuals can ask an organization that has collected their data to erase it. The organization then has a legal obligation to act accordingly. This is done most often when the personal data collected is no longer necessary for the purposes for which it was collected in the first place.
The right to rectification
Another right that organizations must mention in their GDPR privacy policy and comply with is the right to rectification. Namely, the individual (data subject) has the right to correct any data that is outdated, incorrect, or incomplete.
The right to restrict processing
European data subjects have the right to block any data processing or usage, especially when the controller no longer needs the data for its original purpose. Specifically, individuals can limit the way an organization uses their data.
The right to access
After the data is collected, individuals have the right to request a copy of the personal information that an organization stores on them.
The right to data portability
Another right, mentioned in Article 20 of the GDPR, is the right to data portability. This right allows European data subjects to transfer their data from one controller to another securely, in a machine-readable format. Whenever possible, it also allows an automatic data transfer from one controller to another without the data subject’s involvement.
The right to object to processing
Whenever customers feel that their data is being used without their explicit consent, they are free to object to the misuse of their data.
Whether you transfer data internationally
Organizations should state explicitly in the privacy policy whether they’ll transfer the processed data outside of their jurisdictions.
Legal basis for data collection
Under GDPR requirements, any organization needs to have a valid reason for using personal data. There are six lawful bases for collecting and processing personal data:
- consent
- performance of a contract
- legitimate interest
- vital interest
- legal requirement
- public interest
Cookies
Contrary to popular belief, cookies are not harmful to your browser. They are designed to personalize and collect information about each user’s session. The GDPR privacy notice should address the obvious: which types of cookies are used, how they are used, and how one can manage them. Apps and websites use cookies in various ways that can further improve the user experience. Boohoo Group PLC, for instance, explicitly explains what types of cookies its website uses and further allows customers to decide whether they want to accept all the cookies or only the necessary ones.
Possible Changes
A privacy policy should inform clients of any changes or updates relating to the processing of data on the website.
Contact information
A privacy policy should make it easy to contact someone at the company regarding the data the company holds on them, so giving an e-mail address or a telephone number is essential. Sainsbury’s GDPR privacy policy, for example, provides all the relevant contact information in case a client wants more details on how their data will be used.
DID YOU KNOW: It’s not always easy for SMEs to comply with GDPR. However, following a small-business privacy policy template and using a GDPR checklist will certainly help.
Best Practices
Sometimes data controllers tend to use indefinite language, making the whole privacy policy difficult to understand, which could lead to a misunderstanding between the parties. Using clear, precise language, on the other hand, prevents differing interpretations. For instance, according to GDPR guidelines, a good privacy policy would be phrased similarly to the example below:
The phrase is taken from the official PDF found on the official GDPR site. It recommends using simple yet meticulous language to make sure that the information is conveyed as clearly as possible.
Conclusion
We hope that this article will help your business stay compliant with the GDPR. If your organization or company is affected by the GDPR in any way, knowing what your privacy policy should include is very important. It will help you protect your clients’ and employees’ data as well as avoid paying any fines.
FAQ
This particular regulation protects European citizens from data misuse. If your website collects personal data from European data subjects, then you definitely need a privacy policy that complies with GDPR.
In order to make sure that your privacy policy complies with the GDPR, you need to follow the GDPR guidelines by creating a transparent privacy policy written in plain language. Looking at a GDPR privacy policy template will give you an idea of what to include in yours.
A GDPR compliant privacy policy is a document that explains how the company in question collects and processes personal data. The GDPR guidelines apply to organizations around the world as long as they target people from the EU.