Andrew Leahey


GDPR Compliant Privacy Policy Template

The GDPR is complex and can have serious ramifications for your business. If you’d like to discuss the GDPR and how it impacts your business, get in contact.

I have written on privacy policies a bit before and covered in some detail the rise of the General Data Protection Regulation (GDPR) in the European Union (EU) and the various GDPR “loopholes.” It is real, it is here, and any business that may be doing business with a person or entity in the EU needs to comply.

To catch you up, the GDPR is a privacy regulation from the EU that took effect in 2018. It aimed to create a unified data privacy legal framework in the EU and to codify EU residents’ rights to data protection. It broadly applies to people and businesses that interface with EU residents — that is to say, you need not have an office in the EU for the GDPR to apply to you.

What does the GDPR require?

In short, it requires that you have a privacy policy and you abide by that policy. You need to lay out your policy in plain language and make it readily available to anyone you could plausibly collect information from — i.e. visitors to your site, customers on your online store, etc. Your policy should lay out at least the following points:

  • the identity of the data controller and data processor;

  • if you have a data protection officer, the contact information for that officer;

  • the purpose for which you are using collected data, i.e. your legitimate interest;

  • how data is being processed;

  • where consent is required and how it is obtained;

  • data subject rights;

  • any vendors or subsidiaries you share data with and assurances they will comply with the GDPR;

  • whether and where you will transfer data across jurisdictions — especially out of the EU;

  • your data retention policies; and

  • how an individual can request their data be removed.

Generally speaking, your GDPR privacy policy will be placed prominently on your website. Best practice now is to ask users to read and agree to it using an overlay upon first visiting the site. You should also refer users to it any time they are providing you with new information — e.g. submitting a form, signing up for a mailing list, etc.

Please note, this list is not exhaustive. The GDPR applies in different ways and to different degrees depending on the kind of data collection and processing you are doing, where you are doing it, and why you are doing it. Simply reading off the above list (or any broad list you find on the internet) and comparing it against your privacy policy is almost certainly not enough.

GDPR Compliant Privacy Policy Template

Download my boilerplate GDPR Compliant Privacy Policy Template (PDF)

Please note, this is a boilerplate — that means it is not tailored at all to your specific needs. It should not be taken and used without thought, nor should sections be lifted from it and used unless you know their meaning and utility. Please get in touch if you want to discuss any of the ramifications for your business.