Top tips for writing a GDPR-compliant privacy policy

After this past week, in which your inboxes were no doubt overloaded with emails about updated privacy policies, you might want a long break from those two words. But if your organisation didn’t contribute to the plethora of privacy policy epistles, you’re going to be stuck thinking about them a little longer.

Organisations are required to update their privacy policy and share it with data subjects in order to comply with the EU General Data Protection Regulation (GDPR). Failure to do so means you are in violation of several of the GDPR’s requirements and could face strict disciplinary action.

Writing a privacy policy

Your privacy policy should explain the ways you are accountable for data protection and how individuals can exercise their data subject rights. It’s different from a data protection policy, which is an internal document that details your organisation’s data protection objectives, responsibilities and how you intend to handle violations.

Articles 12, 13 and 14 of the GDPR outline the requirements for privacy policies. They essentially say that you need to inform data subjects that you have their information, and let them know how you are collecting it, where it is being stored and how long you intend to keep it (the GDPR states that information can only be kept for “as long as necessary”).

Other issues you need to explain are:

Who is collecting the data (your organisation or a third party);
The legal basis you are using for processing; and
Whether the data will be shared with third parties.

Finally, you should explain how individuals can exercise their data subject rights. The most important rights to address are:

The right of access: Individuals must be allowed to submit subject access requests, which require organisations to provide a copy of any personal data pertaining to them.
The right to rectification: If the information an organisation holds is inaccurate or incomplete, individuals can request that it be updated.
The right to erasure (also known as ‘the right to be forgotten’): In some circumstances, individuals can request that the organisation deletes their personal data.
The right to restrict processing: As an alternative to erasing data, there are times when individuals might prefer to restrict processing (such as when they contest the personal data’s accuracy).

Individuals have eight rights in total, which you can read about in more detail on our blog.

Wording

The GDPR has strict requirements for how privacy policies should be worded and structured. They must be:

Concise, transparent, intelligible and easily accessible. Organisations should present the information in as few words as possible, each policy should be presented separately and the whole section must be clearly differentiated from non-privacy-related information.
Clear and written in plain language. The policy must definitively state what the organisation intends to do with the information (avoiding vague terms such as ‘may’, ‘some’ and ‘possibly’). It must also be written in a way that an average member of the intended audience will understand. Organisations should make special provisions if they expect to provide information to children or vulnerable people.
In writing. Although non-written means are permitted (videos, voice alerts, cartoons and infographics will be helpful – particularly for children or vulnerable people), privacy policies must always be available to read in a single, written document.
Available orally upon request. Organisations should have a recorded version of the policy (or someone available to read it aloud) if the need arises.

More advice on GDPR compliance

To find out more about complying with the Regulation, take a look at EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this book gives you a clear understanding of the GDPR, explaining: