How to Write a GDPR Policy For Your Website (+Free Templates)

To stay compliant with the law in the UK and EU, you’ll need to write and maintain GDPR policy documentation. This blog outlines the basics of GDPR, and explains how to create your own GDPR policy with and without templates.

Why Do You Need a GDPR Data Protection Policy?

GDPR is a relatively new law that brings data regulations into the digital age by strengthening the rights of ordinary citizens in relation to how information is gathered about them.

The GDPR applies to a range of services and technologies, including:

  • Internet shopping
  • Smartphone apps
  • Website contact forms
  • Social media.

The new rules also introduce consistent standards of data protection across the European Economic Area. Information that travels via digital channels does not respect national boundaries.

Now that the UK has left the EU, the government has indicated that it will transfer the terms of the GDPR into national law under UK-GDPR.

One of the biggest changes introduced by the GDPR is the extra level of scrutiny and responsibility placed on organisations. There are stiff penalties for data protection and privacy breaches. If you don’t have a GDPR policy, your organisation could be fined up to €20m, or 4% of its turnover.

In order to remain compliant, businesses, charities, education and healthcare establishments, and government agencies must draw up GDPR policy documentation. This documentation is taken as working proof that an organisation has plans in place to protect personal data and privacy.

Not having a GDPR policy could be a breach and may lead to a fine.

Is GDPR Applicable in the USA?

The GDPR is designed to protect EU and UK citizens’ data. If EU and UK visitors use your website, it should be GDPR compliant.

This applies to everything from your documentation to the way your web forms work.

We recommend that you consult a lawyer to determine your position.

What Is a GDPR Policy?

In order to demonstrate compliance with the GDPR, organisations will be expected to produce two things:

  1. A data protection policy
  2. At least one privacy policy.

You can use templates for these as long as the content is accurate.

What Is a Data Protection Policy?

Your data protection policy will form the cornerstone of how you intend to stay compliant with the terms of the GDPR at a strategic level. As a policy document, the priority should be to set out the main principles behind your approach, covering areas such as:

  • Why compliance is necessary
  • Who holds responsibilities for data protection within the organisation
  • Procedures in the event of a breach.

Businesses will also be required to create detailed written procedures outlining the practical steps that will be taken to protect data and privacy, or deal with breaches, in specific circumstances.

You can produce one GDPR document that contains your policies and procedures.

What Is a Privacy Policy?

A privacy policy (or privacy notice) sets out details of how you will guarantee the privacy of individuals in any data-collecting activity you are involved in.

Unlike a data protection policy, privacy policies are not internal documents. A privacy notice is a document written for customers, clients and stakeholders, laying out:

  • Your commitment to protecting their privacy
  • The steps you will take to do so.

It is therefore a crucial legally binding document under the GDPR.

Your GDPR policy document will end up having a very broad scope. But it need not be a tough task to produce one. There are many templates that you can use, and many are free.

How to Write a GDPR Policy

Now that we understand a bit more about the GDPR, we can see that several documents need to be combined into one GDPR policy. You can break this down into a 3-step process.

1. Define Your Responsibilities Under GDPR

The GDPR sets out data protection obligations for any organisation that processes personal data. Personal data has been expanded to include things like:

  • location data
  • IP addresses
  • data gathered from cookies
  • online identifiers used, for example, to target digital advertising
  • any data gathered about online browsing habits and preferences
  • details about your employees.

The precise rules for what can and cannot be done with this data, and what protections are expected, vary from function to function and industry to industry. There are, however, some universal principles that apply to data subjects:

  • They must be told what data is held on them, and why
  • They have the right to demand access to the data
  • They have the right to opt out of data collection
  • They can use the right to erasure to ask for data to be deleted
  • They have the right to expect that data will only be used for the purposes stated, and all reasonable steps will be taken to prevent misuse.

So to start, look at where and how personal data is collected and used. Then, look at how to achieve compliance.

Carrying out an in-depth audit of data use is one possible starting point.

2. Consider GDPR Policy and Procedure

Even if you choose to combine policy and procedures with one GDPR template, be clear on what is included in each section, and what the differences are.

For a GDPR policy, there is no need to go into great levels of detail about how you intend to manage data protection in specific circumstances. Your policy is a top-level document which should focus on setting out:

  • A clear statement of what you want to achieve, and why
  • The scope of the document (i.e. an outline of the data processing activities your organisation is involved in)
  • Key objectives, which will depend to a large extent on the nature of your organisation and its activities
  • Guidelines for implementation, including how breaches will be managed
  • Names and contact details of duty holders and their responsibilities in relation to data protection.

One of the key principles of the GDPR is that organisations should be able to demonstrate ‘privacy by design’. In other words, how they have elevated data protection and privacy to a primary consideration at every level of operation. Your data protection policy is like an architect’s written proposal setting out the vision for the design, which is then fleshed out with technical drawings or procedural documents elsewhere.

Procedural documentation might include:

  • Explanation of the legal justification for processing personal data
  • Details of processing activities
  • Protocols for managing data breaches in specific contexts
  • Instructions for how people can opt in or out of data collection (often included in privacy notices).

3. Use GDPR Policy Templates to Bring it Together

Once you have determined the types of information to include in your GDPR policy, you might want to use a template to create your own. Templates are a good idea because:

  • Your policy is a legally binding document and most templates will have been developed by people with appropriate legal expertise relating to the GDPR (although this can’t substitute legal advice)
  • Templates will cover all the sections and information the regulations state must be included, so you can easily see what’s missing
  • Templates will help you organise the large volumes of information you have, keeping procedural detail separate and creating a final document that is clear, logical and workable.

At the bottom of this article, we’ll share links to free templates and policy generators.

How to Write a Privacy Policy

If you prefer to write your own privacy policy, we recommend that you get legal advice.

Privacy policies are not internal policy papers intended to form the basis of managing compliance, nor are they formal procedural documentation meant for the eyes of regulators.

Privacy policies are aimed at the general public, and need to be written with that in mind.

The purpose of your privacy policy under the GDPR is to inform people:

  • that their personal details are being collected
  • how they are collected
  • why they are collected
  • what their personal data will be used for.

Privacy policies empower people to exercise their right to:

  • understand the data collection process, and
  • opt out if they so wish.

Both are important pillars of what the GDPR sets out to achieve.

The Content of a GDPR Privacy Policy

GDPR specifications spell out that privacy policies should be:

  • Concise and easy to digest
  • Written in plain language, with good readability
  • Not too heavy on detail or technical language
  • Easy to read, especially online.

Every time you do a content audit, be sure to check that your privacy policy still reflects the nature of your business. Just like any other page on your website, it may need to be updated from time to time.

That’s not to say that you can write whatever you want. The GDPR sets out a fairly detailed list of the information which should be included in a privacy notice, including:

  • The type of data being collected (emails, phone numbers, IP addresses…)
  • Why it is being collected (site registration, processing orders, using Live Chat, answering surveys…)
  • What it will be used for (to serve the customer, process orders, collect feedback, add people to email marketing lists…)
  • The legal basis for collecting it
  • Whether or not it will be shared with third parties
  • How long it will be kept
  • How it will be secured
  • What rights the individual has in relation to their own data.

Striking a balance between simplicity and the need to include all of this information presents its challenges, especially when trying to explain the law around data collection and what people’s rights are under the GDPR.

How to Put Together the Final GDPR Policy

So now that we’ve done the prep work, it’s time to actually put together everything we need for a GDPR policy. At Red Robot, we don’t write legal documents. But we’ll give you some pointers on how to make this part much easier:

  • Use simple section headers. This will help you to organise your privacy notices as you write.
  • Stick to the points that are most relevant to your audience. For example, when explaining why you are collecting the data, you don’t need to go into a long explanation of your business processes. Just provide a simple outline of the purpose for collection.
  • The GDPR states that privacy policies must be freely accessible at any point of contact with customers. As many of these contact points will be online, you should think about:
    • organisation
    • layout
    • readability
    • accessibility
    • how your policy appears on different devices.

We recommend that you start out by previewing your document on a smartphone, rather than a computer, as you put it together. This will push you towards a clear layout, lots of headings, and a concise and uncluttered appearance.

Free GDPR Policy Templates and Generators

Need a helping hand? GDPR policy templates and generators are a good way to quickly create a policy that’s compliant at a basic level.

Here are some links to get you on the right path:

  • Free Privacy Policy Generator from Shopify: You don’t have to use Shopify to use this generator, and it’s not specific to Shopify websites, but it is geared towards ecommerce businesses rather than general websites. You will be signed up for a 14-day trial of Shopify in exchange for using the generator.
  • Generator: Using a series of checkboxes, this privacy policy generator will build a document compliant with GDPR. However, the contents are skewed towards US law, and some sections will be alien to EU users. We liked the fact that it asked whether the site is PCI compliant and secure, and it also collects very detailed answers about your use of tools like Google Analytics. You’ll need to provide your email address to receive your policy.
  • SEQ Legal Privacy Policy Templates: Basic privacy policy templates from a UK law firm. This isn’t quite the same as a generator, since the policy is provided in a free template created in Word. You’ll need to go through and edit it. However, the wording is suitable for UK businesses ‘out of the box’, and you can use the finished policy without paying as long as you don’t delete links back to the SEQ Legal website. A more detailed version is available for a fee of £10 including VAT.
  • WordPress privacy policy: If you have a WordPress site, you’ll find that it will automatically generate a privacy policy for you. Don’t be tempted to use this as a shortcut. Read it carefully and fill in the blanks in the document first.
  • IT Governance produces a whole set of GDPR documentation templates, including for data protection policies and privacy notices, in its EU GDPR documentation toolkit.

Remember: using a free template or a generator for any legal document is risky. You should read through the document carefully and seek advice from a lawyer if you have questions about GDPR compliance.

Where Can I Get Help With My GDPR Policy?

Writing a GDPR policy is a case of combining the right documents and ensuring that you have provided all the information you need to provide.

A template can get you part way there. But you may need someone to help you bring it all together.

The business writers here at Red Robot would be happy to help. Please contact us today to get a quote and schedule a review of your GDPR documentation content.

Do You Need to Update Your User Guides for Brexit?

Once you have your GDPR documentation ready, you might need to update your user guides for Brexit.

The new UKCA mark replaces the CE mark, and UK businesses will need to update their documents to stay legal. Read our guide on updating your user guides with the new UKCA mark to find out more.