To stay compliant with the law in the UK and EU, you’ll need to write and maintain GDPR policy documentation. This blog outlines the basics of GDPR, and explains how to create your own GDPR policy with and without templates.
Why Do You Need a GDPR Data Protection Policy?
GDPR is a relatively new law that brings data regulations into the digital age by strengthening the rights of ordinary citizens in relation to how information is gathered about them.
The GDPR applies to a range of services and technologies, including:
- Internet shopping
- Smartphone apps
- Website contact forms
- Social media.
The new rules also introduce consistent standards of data protection across the European Economic Area. Information that travels via digital channels does not respect national boundaries.
Now that the UK has left the EU, the government has indicated that it will transfer the terms of the GDPR into national law under UK-GDPR.
One of the biggest changes introduced by the GDPR is the extra level of scrutiny and responsibility placed on organisations. There are stiff penalties for data protection and privacy breaches. If you don’t have a GDPR policy, your organisation could be fined up to €20m, or 4% of its turnover.
In order to remain compliant, businesses, charities, education and healthcare establishments, and government agencies must draw up GDPR policy documentation. This documentation is taken as working proof that an organisation has plans in place to protect personal data and privacy.
Not having a GDPR policy could be a breach and may lead to a fine.
Is GDPR Applicable in the USA?
The GDPR is designed to protect EU and UK citizens’ data. If EU and UK visitors use your website, it should be GDPR compliant.
This applies to everything from your documentation to the way your web forms work.
We recommend that you consult a lawyer to determine your position.
What Is a GDPR Policy?
In order to demonstrate compliance with the GDPR, organisations will be expected to produce two things:
- A data protection policy
- A privacy policy (also called a privacy notice)
You can use templates for these as long as the content is accurate.
What Is a Data Protection Policy?
Your data protection policy will form the cornerstone of how you intend to stay compliant with the terms of the GDPR at a strategic level. As a policy document, the priority should be to set out the main principles behind your approach, covering areas such as:
- Why compliance is necessary
- Who holds responsibilities for data protection within the organisation
- Procedures in the event of a breach.
Businesses will also be required to create detailed written procedures outlining the practical steps that will be taken to protect data and privacy, or deal with breaches, in specific circumstances.
You can produce one GDPR document that contains your policies and procedures.
Unlike a data protection policy, privacy policies are not internal documents. A privacy notice is a document written for customers, clients and stakeholders, laying out:
- Your commitment to protecting their privacy
- The steps you will take to do so.
It is therefore a crucial legally binding document under the GDPR.
Your GDPR policy document will end up having a very broad scope. But it need not be a tough task to produce one. There are many templates that you can use, and many are free.
How to Write a GDPR Policy
Now that we understand a bit more about the GDPR, we can see that several documents need to be combined into one GDPR policy. You can break this down into a 3-step process.
1. Define Your Responsibilities Under GDPR
The GDPR sets out data protection obligations for any organisation that processes personal data. Personal data has been expanded to include things like:
- location data
- IP addresses
- data gathered from cookies
- online identifiers used, for example, to target digital advertising
- any data gathered about online browsing habits and preferences
- details about your employees.
The precise rules for what can and cannot be done with this data, and what protections are expected, vary from function to function and industry to industry. There are, however, some universal principles that apply to data subjects:
- They must be told what data is held on them, and why
- They have the right to demand access to the data
- They have the right to opt out of data collection
- They can use the right to erasure to ask for data to be deleted
- They have the right to expect that data will only be used for the purposes stated, and all reasonable steps will be taken to prevent misuse.
So to start, look at where and how personal data is collected and used. Then, look at how to achieve compliance.
Carrying out an in-depth audit of data use is one possible starting point.
2. Consider GDPR Policy and Procedure
Even if you choose to combine policy and procedures with one GDPR template, be clear on what is included in each section, and what the differences are.
For a GDPR policy, there is no need to go into great levels of detail about how you intend to manage data protection in specific circumstances. Your policy is a top-level document which should focus on setting out:
- A clear statement of what you want to achieve, and why
- The scope of the document (i.e. an outline of the data processing activities your organisation is involved in)
- Key objectives, which will depend to a large extent on the nature of your organisation and its activities
- Guidelines for implementation, including how breaches will be managed
- Names and contact details of duty holders and their responsibilities in relation to data protection.
Procedural documentation might include:
- Explanation of the legal justification for processing personal data
- Details of processing activities
- Protocols for managing data breaches in specific contexts
- Instructions for how people can opt in or out of data collection (often included in privacy notices).
3. Use GDPR Policy Templates to Bring It Together
Once you have determined the types of information to include in your GDPR policy, you might want to use a template to create your own. Templates are a good idea because:
- Your policy is a legally binding document and most templates will have been developed by people with appropriate legal expertise relating to the GDPR (although this can’t substitute for legal advice)
- Templates will cover all the sections and information the regulations state must be included, so you can easily see what’s missing
- Templates will help you organise the large volumes of information you have, keeping procedural detail separate and creating a final document that is clear, logical and workable.
At the bottom of this article, we’ll share links to free templates and policy generators.
Privacy policies are not internal policy papers intended to form the basis of managing compliance, nor are they formal procedural documentation meant for the eyes of regulators.
Privacy policies are aimed at the general public, and need to be written with that in mind. They need to tell people:
- that their personal details are being collected
- how they are collected
- why they are collected
- what their personal data will be used for.
Privacy policies empower people to exercise their right to:
- understand the data collection process, and
- opt out if they so wish.
Both are important pillars of what the GDPR sets out to achieve.
GDPR specifications spell out that privacy policies should be:
- Concise and easy to digest
- Written in plain language, with good readability
- Not too heavy on detail or technical language
- Easy to read, especially online.
That’s not to say that you can write whatever you want. The GDPR sets out a fairly detailed list of the information which should be included in a privacy notice, including:
- The type of data being collected (emails, phone numbers, IP addresses…)
- Why it is being collected (site registration, processing orders, using Live Chat, answering surveys…)
- What it will be used for (to serve the customer, process orders, collect feedback, add people to email marketing lists…)
- The legal basis for collecting it
- Whether or not it will be shared with third parties
- How long it will be kept
- How it will be secured
- What rights the individual has in relation to their own data.
Striking a balance between simplicity and the need to include all of this information presents its challenges, especially when trying to explain the law around data collection and what people’s rights are under the GDPR.
How to Put Together the Final GDPR Policy
So now we’ve done the prep work, it’s time to actually put together everything we need for a GDPR policy. At Red Robot, we don’t write legal documents. But we’ll give you some pointers on how to make this part much easier:
- Use simple section headers. This will help you to organise your privacy notices as you write.
- Stick to the points that are most relevant to your audience. For example, when explaining why you are collecting the data, you don’t need to go into a long explanation of your business processes. Just provide a simple outline of the purpose for collection.
- The GDPR states that privacy policies must be freely accessible at any point of contact with customers. As many of these contact points will be online, you should think about:
  - how your policy appears on different devices.
Free GDPR Policy Templates and Generators
Need a helping hand? GDPR policy templates and generators are a good way to quickly create a policy that’s compliant at a basic level.
Here are some links to get you on the right path:
- IT Governance produces a whole set of GDPR documentation templates, including for data protection policies and privacy notices, in its EU GDPR documentation toolkit.
Remember: using a free template or a generator for any legal document is risky. You should read through the document carefully and seek advice from a lawyer if you have questions about GDPR compliance.
Where Can I Get Help With My GDPR Policy?
Writing a GDPR policy is a case of combining the right documents and ensuring that you have provided all the information you need to provide.
A template can get you part way there. But you may need someone to help you bring it all together.
The business writers here at Red Robot would be happy to help. Please contact us today to get a quote and schedule a review of your GDPR documentation content.
Do You Need to Update Your User Guides for Brexit?
Once you have your GDPR documentation ready, you might need to update your user guides for Brexit.
The new UKCA mark replaces the CE mark, and UK businesses will need to update their documents to stay legal. Read our guide on updating your user guides with the new UKCA mark to find out more.