How to Write a GDPR Policy For Your Website (With Templates)

GDPR policy

To stay compliant with the law in the UK and EU, you’ll need to write and maintain GDPR policy documentation. This blog outlines the basics of GDPR, and explains how to create your own GDPR policy with and without templates.

Why Do You Need a GDPR Data Protection Policy?

GDPR is a relatively new law that brings data regulations into the digital age by strengthening the rights of ordinary citizens in relation to how information is gathered about them.

GDPR policy applies to a range of services and technologies, including:

  • Internet shopping
  • Smartphone apps
  • Website contact forms
  • Social media.

The new rules also introduce consistent standards of data protection across the European economic area. Information that travels via digital channels does not respect national boundaries.

Create an EU GDPR policy

Despite the UK’s pending departure from the EU, the government indicated that it will transfer the terms of the GDPR into national law.

One of the biggest changes introduced by the GDPR is the extra level of scrutiny and responsibility placed on organisations. There are stiff penalties for data protection and privacy breaches. If you don’t have a GDPR policy, your organisation could be fined up to €20m, or 4% of its turnover.

In order to remain compliant, businesses, charities, education and healthcare establishments, and government agencies must draw up GDPR policy documentation. This documentation is taken as working proof that an organisation has plans in place to protect personal data and privacy.

Not having a GDPR policy could be a breach and may lead to a fine.

Is GDPR Applicable in the USA?

The GDPR is designed to protect citizens’ data. So if your business collects data about anyone inside the European Union, it should have a cookie notice and should be GDPR compliant.

This applies to everything from your documentations to the way your web forms work.

Outside the EU, GDPR is even more complicated than it is inside the EU, and we recommend that you consult a lawyer to determine your position.

What Is a GDPR Policy?

In order to demonstrate compliance with the GDPR, organisations will be expected to produce two things:

  1. A data protection policy
  2. At least one privacy policy.

What Is a Data Protection Policy?

Your data protection policy will form the cornerstone of how you intend to stay compliant with the terms of the GDPR at a strategic level. As a policy document, the priority should be to set out the main principles behind your approach, covering areas such as:

  • Why compliance is necessary
  • Who holds responsibilities for data protection within the organisation
  • Procedures in the event of a breach.

Businesses will also be required to create detailed written procedures outlining the practical steps that will be taken to protect data and privacy, or deal with breaches, in specific circumstances.

You may choose to include these along with the data protection policy in a single GDPR policy document.

What Is a Privacy Policy?

A privacy policy (or privacy notice) sets out details of how you will guarantee the privacy of individuals in any data-collecting activity you are involved in.

Person holding computer mouse

Unlike a data protection policy, privacy policies are not internal documents. A privacy notice is a document written for customers, clients and stakeholders, laying out:

  • Your commitment to protecting their privacy
  • The steps you will take to do so.

It is therefore a crucial legally-binding document under the the GDPR.

Your GDPR policy document well end up having a very broad scope. But it need not be a tough task.

How to Write a GDPR Policy

Follow these 3 steps to prepare your GDPR policy..

Define Responsibilities Under GDPR

The GDPR sets out data protection obligations for any organisation that processes personal information, be it customer data captured for marketing campaigns or employee files.

Personal data has been expanded to include things like:

  • location data
  • IP addresses
  • data gathered from cookies
  • online identifiers used, for example, to target digital advertising
  • any data gathered about online browsing habits and preferences.
Person holding white ipad with black case

The precise rules for what can and cannot be done with this data, and what protections are expected, vary from function to function and industry to industry. There are, however, some universal principles, such as:

  • Individuals must be told what data is held on them, and why
  • Individuals have the right to demand access to the data held on them
  • Individuals have the right to opt out of data collection, or in some cases request data held to be deleted
  • Individuals have the right to expect that data will only be used for the purposes stated, and all reasonable steps will be taken to prevent misuse.

So to start, look at where and how personal data is collected and used. Then, look at how to achieve compliance.

Carrying out an in-depth audit of data use is one possible starting point.

Separate GDPR Policy and Procedure

Even if you choose to include policy and procedures, be clear on what is included in each, and what the differences are.

For a GDPR policy, there is no need to go into great levels of detail about how you intend to manage data protection in specific circumstances. Your policy is a top-level document which should focus on setting out:

  • A clear statement of what you want to achieve, and why
  • The scope of the document (i.e. an outline of the data processing activities your organisation is involved in)
  • Key objectives, which will depend to a large extent on the nature of your organisation and its activities
  • Guidelines for implementation, including how breaches will be managed
  • Names and contact details of duty holders and their responsibilities in relation to data protection.

One of the key principles of the GDPR is that organisations should be able to demonstrate ‘privacy by design’. In other words, how they have elevated data protection and privacy to a primary consideration at every level of operation. Your data protection policy is like an architect’s written proposal setting out the vision for the design, which is then fleshed out with technical drawings or procedural documents elsewhere.

Procedural documentation might include:

  • Explanation of the legal justification for processing personal data
  • Details of processing activities
  • Protocols for managing data breaches in specific contexts
  • Instructions for how people can opt in or out of data collection (often included in privacy notices).

Use Policy Templates

Once you have determined the types of information to include in your policy, download one of the widely available online templates to guide your writing of the policy.

Templates are a good idea because:

  • Your policy is a legally binding document and most templates will have been developed by people with appropriate legal expertise relating to the GDPR
  • They will cover all the sections and information the regulations state must be included
  • They will help you organise the large volumes of information you have, keeping procedural detail separate and creating a final document that is clear, logical and workable.
Writing a GDPR policy note

IT Governance produces a whole set of GDPR documentation templates, including for data protection policies and privacy notices, in its EU GDPR documentation toolkit.

At the bottom of this article, we’ll also share more templates that might be helpful.

How to Write a Privacy Policy

Privacy policies deserve special attention.

They’re not internal policy papers intended to form the basis of managing compliance, nor are they formal procedural documentation meant for the eyes of regulators.

Privacy policies are aimed at the general public, and need to be written with that in mind.

The purpose of your privacy policy under GDPR is to inform people that:

  • their personal details are being collected
  • how they are collected
  • why they are collected
  • what their personal data will be used for.

Privacy policies empower people to exercise their right to:

  • understand the data collection process, and
  • opt out if they so wish.

Both are important pillars of what the GDPR sets out to achieve.

The Content of a GDPR Privacy Policy

GDPR specifications spell out that privacy policies should be:

  • Concise and easy to digest
  • Written in plain language, including phrasing and word choice that would be accessible to a child.

So on the one hand, the regulations make clear that privacy policies should not get bogged down in great detail, resort to technical language, or be set out in a way that makes it difficult to scan and process, especially online.

Writing a GDPR policy on a laptop

On the other, the GDPR sets out a fairly detailed list of the information which should be included in a privacy notice, including:

  • The type of data being collected (emails, phone numbers, IP addresses…)
  • Why it is being collected (site registration, processing orders, using Live Chat, answering surveys…)
  • What it will be used for (to serve the customer, process orders, collect feedback, add people to email marketing lists…)
  • The legal basis for collecting it
  • Whether or not it will be shared with third parties
  • How long it will be kept
  • How it will be secured
  • What rights the individual has in relation to their own data.

Striking a balance between simplicity and the need to include all of this information presents its challenges, especially when trying to explain the law around data collection and what people’s rights are under the GDPR.

How to Put Together the Final GDPR Policy

So now we’ve done the prep work, it’s time to actually put together everything we need a GDPR policy.

At Red Robot, we don’t write legal documents. But we’ll give you some pointers on how to make this part much easier:

  • Use simple section headers. This will help you to organise your privacy notices as you write.
  • Stick to the points that are most relevant to your audience. For example, when explaining why you are collecting the data, you don’t need to go into a long explanation of your business processes. Just provide a simple outline of the purpose for collection.
  • The GDPR states that privacy policies must be freely accessible at any point of contact with customers. As many of these contact points will be online, you should think about:
    • organisation
    • layout
    • readability
    • accessibility
    • how your policy appears on different devices.

We recommend that you start out by previewing your document on a smartphone, rather than a computer, as you put it together. This will push you towards a clear layout, lots of headings, and a concise and uncluttered appearance.

Every time you do a content audit, be sure to check that your privacy policy reflects the nature of your business. Just like any other page on your website, it may need to be updated from time to time.

Free GDPR Policy Generators

Need a helping hand? GDPR policy generators are a good way to quickly create a policy that’s compliant at a basic level.

Here are some links to get you on the right path:

  • Free Privacy Policy Generator from Shopify: You don’t have to use Shopify to use this generator, and it’s not specific to Shopify websites, but it is geared towards ecommerce businesses rather than general websites. You will be signed up for a 14-day trial of Shopify in exchange for using the generator.
  • FreePrivacyPolicy.com Generator: Using a series of checkboxes, this privacy policy generator will build a document compliant with GDPR. However, the contents are skewed towards US law, and some sections will be alien to EU users. We liked the fact that it asked whether the site is PCI compliant and secure, and it also collects very detailed answers about your use of tools like Google Analytics. You’ll need to provide your email address to receive your policy.
  • SEQ Legal Privacy Policy Templates: Basic privacy policy templates from this UK law firm. This isn’t quite the same as a generator, since the policy is provided in Word, and you’ll need to go through and edit it. However, the wording is suitable for UK businesses ‘out of the box’, and you can use the finished policy without paying as long as you don’t delete link back to the SEQ Legal website. A more detailed version is available for a fee of £10 including VAT.
  • If you have a WordPress site, you’ll find that will automatically generate a privacy policy for you. But never publish this without reading it carefully and filling in the blanks in the document first.

Remember: using a free generator for any legal document can be risky. You should read through the document carefully before putting on your website, just in case there are any missing details or mistakes.

Where Can I Get Help With My GDPR Policy?

Writing a GDPR policy is a case of combining the right documents and ensuring that you have provided all the information you need to provide.

If you are looking for an impartial extra set of eyes to glance over your GDPR documentation, we would be happy to help. We don’t claim to have a legal background or specialist knowledge of data protection regulations. But we can certainly share our expertise in business copywriting, which we’ve built up over more than 10 years.

Please contact us today to get a quote and schedule a review of your GDPR documentation content.