To stay compliant with the law in the UK and EU, you’ll need to write and maintain GDPR policy documentation. This blog outlines the basics and how to create your own GDPR policy.
What Is GDPR?
The GDPR (General Data Protection Regulation) is a relatively new EU law that brings data protection rules into the digital age by strengthening the rights of ordinary citizens over how information about them is gathered and used.
GDPR policy applies to a range of services and technologies, including:
- Internet shopping
- Smartphone apps
- Website contact forms
- Social media.
The new rules also introduce consistent standards of data protection across the European Economic Area, which matters because information that travels via digital channels does not respect national boundaries.
Despite the UK’s pending departure from the EU, the government indicated that it will transfer the terms of the GDPR into national law.
One of the biggest changes introduced by the GDPR is the extra level of scrutiny and responsibility placed on organisations. There are stiff penalties for data protection and privacy breaches: serious infringements can be fined up to €20m, or 4% of annual global turnover, whichever is higher.
In order to remain compliant, businesses, charities, education and healthcare establishments, and government agencies must draw up GDPR policy documentation. This documentation is taken as working proof that an organisation has plans in place to protect personal data and privacy.
Not having a GDPR policy could be a breach and may lead to a fine.
Types of GDPR Policy
In order to demonstrate compliance with the GDPR, organisations will be expected to produce two things:
- A data protection policy
- A privacy policy (also called a privacy notice).
What Is a Data Protection Policy?
Your data protection policy will form the cornerstone of how you intend to stay compliant with the terms of the GDPR at a strategic level. As a policy document, the priority should be to set out the main principles behind your approach, covering areas such as:
- Why compliance is necessary
- Who holds responsibilities for data protection within the organisation
- Procedures in the event of a breach.
Businesses will also be required to create detailed written procedures outlining the practical steps they will take to protect data and privacy, or to deal with breaches, in specific circumstances.
You may choose to include these procedures alongside the data protection policy in a single GDPR policy document.
What Is a Privacy Policy?
Unlike a data protection policy, a privacy policy is not an internal document. A privacy notice is written for customers, clients and stakeholders, laying out:
- Your commitment to protecting their privacy
- The steps you will take to do so.
It is therefore a crucial document, and one the GDPR requires you to provide.
Your GDPR policy document will end up having a very broad scope. But writing it need not be a tough task.
Follow these 3 steps to prepare your GDPR policy.
Step 1: Define Responsibilities Under GDPR
The GDPR sets out data protection obligations for any organisation that processes personal information, be it customer data captured for marketing campaigns or employee files.
The definition of personal data has been expanded to include things like:
- location data
- IP addresses
- data gathered from cookies
- online identifiers used, for example, to target digital advertising
- any data gathered about online browsing habits and preferences.
The precise rules for what can and cannot be done with this data, and what protections are expected, vary from function to function and industry to industry. There are, however, some universal principles, such as:
- Individuals must be told what data is held on them, and why
- Individuals have the right to demand access to the data held on them
- Individuals have the right to opt out of data collection, or in some cases request data held to be deleted
- Individuals have the right to expect that data will only be used for the purposes stated, and all reasonable steps will be taken to prevent misuse.
So to start, look at where and how personal data is collected and used in your organisation. Then, look at how to achieve compliance for each of those activities.
Carrying out an in-depth audit of data use is a sensible starting point.
Step 2: Separate GDPR Policy and Procedure
Even if you choose to include policy and procedures in a single document, be clear on what belongs in each, and how they differ.
For a GDPR policy, there is no need to go into great levels of detail about how you intend to manage data protection in specific circumstances. Your policy is a top-level document which should focus on setting out:
- A clear statement of what you want to achieve, and why
- The scope of the document (i.e. an outline of the data processing activities your organisation is involved in)
- Key objectives, which will depend to a large extent on the nature of your organisation and its activities
- Guidelines for implementation, including how breaches will be managed
- Names and contact details of duty holders and their responsibilities in relation to data protection.
Procedural documentation might include:
- Explanation of the legal justification for processing personal data
- Details of processing activities
- Protocols for managing data breaches in specific contexts
- Instructions for how people can opt in or out of data collection (often included in privacy notices).
Step 3: Use Policy Templates
Once you have determined the types of information to include in your policy, download one of the widely available online templates to guide your writing of the policy.
Templates are a good idea because:
- Your policy is a legally binding document and most templates will have been developed by people with appropriate legal expertise relating to the GDPR
- They will cover all the sections and information the regulations state must be included
- They will help you organise the large volumes of information you have, keeping procedural detail separate and creating a final document that is clear, logical and workable.
IT Governance produces a whole set of GDPR documentation templates, including for data protection policies and privacy notices, in its EU GDPR documentation toolkit.
At the bottom of this article, we’ll also share more templates that might be helpful.
Privacy policies deserve special attention.
They’re not internal policy papers intended to form the basis of managing compliance, nor are they formal procedural documentation meant for the eyes of regulators.
Privacy policies are aimed at the general public, and need to be written with that in mind. They should make clear to people that:
- their personal details are being collected
- how they are collected
- why they are collected
- what their personal data will be used for.
Privacy policies empower people to exercise their right to:
- understand the data collection process, and
- opt out if they so wish.
Both are important pillars of what the GDPR sets out to achieve.
GDPR specifications spell out that privacy policies should be:
- Concise and easy to digest
- Written in plain language, and, where a service is aimed at children, in phrasing and word choice a child could understand.
So on the one hand, the regulations make clear that privacy policies should not get bogged down in great detail, resort to technical language, or be set out in a way that makes it difficult to scan and process, especially online.
On the other, the GDPR sets out a fairly detailed list of the information which should be included in a privacy notice, including:
- The type of data being collected (emails, phone numbers, IP addresses…)
- Why it is being collected (site registration, processing orders, using Live Chat, answering surveys…)
- What it will be used for (to serve the customer, process orders, collect feedback, add people to email marketing lists…)
- The legal basis for collecting it
- Whether or not it will be shared with third parties
- How long it will be kept
- How it will be secured
- What rights the individual has in relation to their own data.
Striking a balance between simplicity and the need to include all of this information presents its challenges, especially when trying to explain the law around data collection and what people’s rights are under the GDPR.
How to Put Together the Final GDPR Policy
So now we’ve done the prep work, it’s time to actually put together everything we need for a GDPR policy.
At Red Robot, we don’t write legal documents. But we’ll give you some pointers on how to make this part much easier:
- Use simple section headers. This will help you to organise your privacy notices as you write.
- Stick to the points that are most relevant to your audience. For example, when explaining why you are collecting the data, you don’t need to go into a long explanation of your business processes. Just provide a simple outline of the purpose for collection.
- The GDPR requires privacy information to be easily accessible at any point of contact with customers. As many of these contact points will be online, think about how your policy appears on different devices.
Bonus Tip: 4 Free GDPR Policy Generators
Need a helping hand? GDPR policy generators are a good way to quickly create a policy that’s compliant at a basic level.
Here are some links to get you on the right path:
Remember: using a free generator for any legal document can be risky. Read through the generated document carefully before putting it on your website, in case there are any missing details or mistakes.
Final Thoughts on Writing a DIY GDPR Policy
Writing a GDPR policy is a case of combining the right documents and ensuring that you have provided all the information you need to provide.
Templates can help, but there’s no substitute for sitting down and writing things yourself.
If you are looking for an impartial extra set of eyes to glance over your GDPR documentation, we would be happy to help.
We don’t claim to have a legal background or specialist knowledge of data protection regulations.
But we can certainly share our expertise in business copywriting, which we’ve built up over more than 10 years.
Please contact us today to get a quote and schedule a review of your GDPR documentation content.