After all the talk and anticipation, it has finally arrived: the General Data Protection Regulation (GDPR) has come into force across the EU. To stay compliant, you’ll need to write and maintain GDPR policy documentation. This blog outlines the basics.
- A Brief Introduction to GDPR
- Types of GDPR Policy Documentation
- How to Write a GDPR Data Protection Policy
- More Help with GDPR Documentation
A Brief Introduction to GDPR
The GDPR is the biggest shake-up of data protection and privacy laws in a generation.
The main aim is to bring data regulations up to date with advances in digital technology, strengthening the rights of ordinary citizens in relation to how information is gathered about them from internet shopping, smartphone apps, social media and much more.
The new rules also introduce consistent standards of data protection across the European Economic Area, recognising that the way information travels via digital channels does not respect national boundaries. Despite the UK’s pending departure from the EU, the government has already indicated that it will transfer the terms of the GDPR into national law.
One of the biggest changes introduced by the GDPR is the extra level of scrutiny and responsibility placed on organisations. The regulations enforce much stiffer penalties for data protection and privacy breaches. If found liable for a breach, an organisation could be fined up to €20m, or 4% of turnover.
In order to remain compliant, businesses, charities, education and healthcare establishments, and government agencies must draw up policy documentation relating to the GDPR. This documentation is taken as working proof that an organisation has plans in place to protect personal data and privacy.
Not having documentation that meets the requirements of the GDPR can in itself be considered a breach and lead to a fine.
Types of GDPR Policy Documentation
In order to demonstrate compliance with the GDPR, organisations will be expected to produce a number of different types of documentation. The key ones are:
- A data protection policy
What is a Data Protection Policy?
Your data protection policy will form the cornerstone of how you intend to stay compliant with the terms of the GDPR at a strategic level. As a policy document, the priority should be to set out the main principles behind your approach, covering areas such as:
- Why compliance is necessary
- Who holds responsibilities for data protection within the organisation
- Protocols in the event of a breach.
Businesses will also be required to create detailed written procedures outlining the practical steps that will be taken to protect data and privacy, or deal with breaches, in specific circumstances. You may choose to include these along with the data protection policy in a single GDPR master document, but that is not a requirement.
A privacy notice is an example of a procedural document you will need to draw up. It sets out details of how you will guarantee the privacy of individuals in any data-collecting activity you are involved in.
Unlike a data protection policy, a privacy notice is not an internal document. It is written for customers, clients and stakeholders, laying out:
- Your commitment to protecting their privacy
- The steps you will take to do so.
It is therefore a crucial, legally binding document under the terms of the GDPR.
How to Write a GDPR Data Protection Policy
Getting started with writing a GDPR data protection policy may feel like a daunting task. Time is of the essence, and this document may well end up having a very broad scope. Here are the steps:
Tip: Define your responsibilities first
The GDPR sets out data protection obligations for any organisation that processes personal information, be it customer data captured for marketing campaigns or employee files.
The definition of personal data has been expanded to include things like:
- location data
- IP addresses
- data gathered from cookies
- online identifiers used, for example, to target digital advertising
- any data gathered about online browsing habits and preferences.
The precise rules for what can and cannot be done with this data, and what protections are expected, vary from function to function and industry to industry. There are, however, some universal principles, such as:
- Individuals must be told what data is held on them, and why
- Individuals have the right to demand access to the data held on them
- Individuals have the right to opt out of data collection, or in some cases request data held to be deleted
- Individuals have the right to expect that data will only be used for the purposes stated, and all reasonable steps will be taken to prevent misuse.
So to start, look at where and how personal data is collected and used. Then, look at how to achieve compliance. Carrying out an in-depth audit of data use is one possible starting point.
Tip: Separate policy and procedure
Even if you choose to include policy and procedures in the same master document, it is important to be clear from the start what needs to be included in each, and what the differences are.
For a policy, there is no need to go into great levels of detail about how you intend to manage data protection in specific circumstances. Your policy is a top-level document which should focus on setting out:
- A clear statement of what you want to achieve, and why
- The scope of the document (i.e. an outline of the data processing activities your organisation is involved in)
- Key objectives, which will depend to a large extent on the nature of your organisation and its activities
- Guidelines for implementation, including how breaches will be managed
- Names and contact details of duty holders and their responsibilities in relation to data protection.
One of the key principles of the GDPR is that organisations should be able to demonstrate ‘privacy by design’. In other words, they must show how they have elevated data protection and privacy to a primary consideration at every level of operation. Your data protection policy is like an architect’s written proposal setting out the vision for the design, which is then fleshed out with technical drawings or procedural documents elsewhere.
Procedural documentation might include:
- Explanation of the legal justification for processing personal data
- Details of processing activities
- Protocols for managing data breaches in specific contexts
- Instructions for how people can opt in or out of data collection (often included in privacy notices).
Tip: Use a data protection policy template
Once you have determined the types of information to include in your policy, it is strongly recommended that you download one of the widely available online templates to guide your writing of the policy. Templates are a good idea because:
- Your policy is a legally binding document, and most templates will have been developed by people with appropriate legal expertise relating to the GDPR
- They will cover all the sections and information the regulations state must be included
- They will help you organise the large volumes of information you have, keeping procedural detail separate and creating a final document that is clear, logical and workable.
IT Governance produces a whole set of GDPR documentation templates, including for data protection policies and privacy notices, in its EU GDPR documentation toolkit.
Privacy policies deserve special attention.
They’re not internal policy papers intended to form the basis of managing compliance, nor are they formal procedural documentation meant for the eyes of regulators.
Privacy policies are aimed at the general public, and need to be written with that in mind. They should tell people that:
- their personal details are being collected
- how they are collected
- why they are collected
- what their personal data will be used for.
Privacy policies empower people to exercise their right to:
- understand the data collection process, and
- opt out if they so wish.
Both are important pillars of what the GDPR sets out to achieve.
GDPR specifications spell out that privacy policies should be:
- Concise and easy to digest
- Written in plain language, including phrasing and word choice that would be accessible to a child.
So on the one hand, the regulations make clear that privacy policies should not get bogged down in great detail, resort to technical language, or be set out in a way that makes it difficult to scan and process, especially online.
On the other, the GDPR sets out a fairly detailed list of the information which should be included in a privacy notice, including:
- The type of data being collected (emails, phone numbers, IP addresses…)
- Why it is being collected (site registration, processing orders, using Live Chat, answering surveys…)
- What it will be used for (to serve the customer, process orders, collect feedback, add people to email marketing lists…)
- The legal basis for collecting it
- Whether or not it will be shared with third parties
- How long it will be kept
- How it will be secured
- What rights the individual has in relation to their own data.
Striking a balance between simplicity and the need to include all of this information presents its challenges, especially when trying to explain the law around data collection and what people’s rights are under the GDPR.
Our advice would be to use simple section headers based on the information that you need to include. This will help you to organise your privacy notices.
Stick to the points that are most relevant to your audience. For example, when explaining why you are collecting the data, you don’t need to go into a long explanation of your business processes – just stick to a simple outline of the purpose.
As many of these contact points with your audience will be online, you should think about how your policy appears on different digital devices.
We recommend that you start out by previewing your document on a smartphone, rather than a computer, as you put it together. This will push you towards a clear layout, lots of headings, and a concise and uncluttered appearance.
We recommend that you write your own if you can. But if you’re really struggling, here are some free generators you could look at:
We liked SEQ Legal’s documents best, since they were the easiest to adapt and didn’t include US-specific wording. But remember: using a free generator for any legal document can be risky. You should read through the document carefully before putting it on your website, just in case there are any missing details or mistakes.
More Help with GDPR Documentation
If you are looking for an impartial extra set of eyes to glance over your GDPR documentation, we would be happy to help.
Red Robot does not claim to have a legal background or specialist knowledge of data protection regulations, so we are not the right people to advise on the content of your policies or notices, or to write them from scratch.
But if you’re looking for someone to edit and proofread your GDPR documents, and offer advice on readability, we can certainly share our expertise in those areas. We can also check over the contents of free privacy policies to ensure they’re correctly formatted and clearly written.
Please contact us today to get a quote and schedule a review of your GDPR documentation content.