GDPR Privacy Policy Example And Checklist

Posted by on May 18th, 2018  |  Last modified on May 31st, 2018

Last updated on May 31st, 2018 at 12:56 pm

On the 25th May 2018, the General Data Protection Regulation (GDPR) will come into force and supersede the existing UK Data Protection Act 1998 (DPA). Such legislation will expand the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.

1. Key elements under GDPR

a) Personal data

  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
  • Individuals must be provided with information including: the purposes for processing their personal data, retention periods for that personal data, and who it will be shared with. This is known as ‘privacy information’.

b) Data Protection Officers

  • The GDPR introduces a duty to appoint a data protection officer (DPO) if an organisation is a public authority, or if certain types of processing activities are carried out.
  • DPOs assist in monitoring internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.

c) Right to erasure

  • The GDPR introduces a right for individuals to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’.
  • Individuals can make a request for erasure verbally or in writing.
  • There is a one month time period to respond to a request.

d) Right to rectification

  • The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
  • An individual can make a request for rectification verbally or in writing.
  • There is a one month time period to respond to a request.

e) Right to restrict processing

  • Individuals have the right to request the restriction or suppression of their personal data.
  • This is not an absolute right and only applies in certain circumstances.
  • When processing is restricted,  personal data is permitted to be stored, but not used.
  • An individual can make a request for restriction verbally or in writing.
  • There is a one month time period to respond to a request.

2. GDPR fines for non-compliance

 There are two levels of administrative fines:

  • Up to €10 million or 2% annual global turnover of the previous financial year (whichever is higher); or
  • Up to €20 million or 4% annual global turnover of the previous financial year (whichever is higher).

3. GDPR Privacy Policies

Privacy policies, also known as privacy notices or statements, contain details of the types of personal data a company collects and describe how the organisation uses, collects, stores, secures and discloses personal data.

It should be noted that the revised requirements are intended to create greater transparency and fairness for the individual whose data is being handled. Furthermore, much of what GDPR is based around is the issue of consent. A GDPR compliant privacy policy will provide a way of obtaining consent from individuals in respect of the processing of their data. Note however the following purposes whereby consent for processing an individual’s data is not required:

  • A contract with an individual: e.g. to supply goods or services which the individual has requested or purchased from you on your website. This includes steps taken at the individual’s request before entering into a contract. Note that the processing must be necessary.
  • Compliance with a legal obligation: if you are required by common law or statute to process the data for a particular purpose, you can.
  • Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit) whereby processing the data is necessary, unless this is outweighed by harm to the individual’s rights and interests (i.e. the ‘balancing test’).
  • Vital interests: you can process personal data if it is necessary to protect someone’s life (this is not limited to the individual to whom the data relates).
  • A public task: if you need to process personal data to carry out your official functions or a task in the public interest, and you have a legal basis for the processing under common law or statute, you can. This is usually only relevant to public authorities, but note that it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

Further, note that prior consent to processing an individual’s data will be required if none of the above five purposes apply.

You can find an example of GDPR compliant privacy policy here on our own website.

4. Checklist of what to include and set out in a privacy policy for GDPR

  • Identification

One should be able to identify the entity which will decide how their data is handled. The data controller should include their full legal name and contact details. Companies which are based outside of Europe must include contact details of their European base. If there is a DPO then their contact details must also be provided.

  • Collection of personal data

Information as to how personal data is collected must be included, for instance where an individual’s name and address are collected for sending out marketing material to them. It should be noted that every type of collection must be listed including the types of cookies used if applicable.

  • Type of personal data

The definition of ‘personal data’ is wide but must be ascertained in order to inform individuals about what type of personal data is being collected. ‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

  • Reason for collecting personal data

You will need to inform individuals of the reason why their personal data is being collected and how the data controller intends to use the same. You should not use personal data for any reason other than as stipulated in the privacy policy. One should note also that the processing operations must be fair, transparency alone is not sufficient.

  • Sharing personal data

Companies must explain when an individual’s personal data may be disclosed to third parties and the reason for doing so, preferably also including links to the third party privacy policies.

  • Transferring personal data outside the European Economic Area (‘EEA’)

If personal data transfers take place outside the EEA the data controller must inform individuals in the privacy policy and specify mechanisms which will be used to protect the same (for instance the third party may have Privacy Shield certification).

  • Choice for individuals

The GDPR requires that individuals are to be given control over how their personal data will be used. Therefore, how and when individuals can exercise such control must be stated within the policy.

  • Duration for keeping personal data

Organisations must specify in their privacy policies how long personal data will be stored for. If it is not possible to provide a time frame, data controllers may instead specify the criteria used to determine how long personal data will be retained.

  • Legitimate interests

Details of all legitimate interests for processing data must be made clear and included in your privacy information. Please refer to the introductory paragraph to privacy policies above for further details.

  • Rights of individuals

Under the GDPR, individuals have the following rights:

  • requesting access to, rectification of or, deletion of their personal data;
  • requesting their personal data to be transferred to another person; and
  • complain to a supervisory authority.

Information on how individuals can exercise such rights must also be provided. It will be insufficient to only list these right in the privacy policy,

  • Displaying the policy

It would be prudent to display the privacy policy in a clear position on your website. Ideally, a link to the policy will appear on each page, although the homepage will be the most important one. It should also be in an obvious and accessible location on the website.

  • Policy language

Privacy policies should be clear and easy to understand by individuals who have no knowledge of privacy law. There should be a translation of the policy to the relevant local language made available if the website targets users of different countries.

  • When to provide the policy

It is recommended that individuals are provided with required information by companies from the first point of communication. The minimum amount of time for which individuals are provided with information which they require with regards to processing their personal data, is one month after such information is collected.

Further reading

GDPR and contacting potential clients without consent

UK ICO’s guidance on GDPR

GDPR: You’re Doing It All Wrong!

Consent is not the ‘silver bullet’ for GDPR compliance

Do I Need to Get Fresh Consent for my Email Marketing?

About Jonathan Lea

Jonathan is a specialist corporate and commercial solicitor who has over 13 years of experience at both large international City firms and smaller practices.

For the last five years Jonathan has worked on a self-employed basis with a network of other independent lawyers focused on serving the needs of entrepreneur-led businesses and startups around the UK and further afield.

If you'd like a competitive quote for any legal work please send an email to the address on the home page.

Follow Jonathan:

Tags: , ,