How to write a GDPR privacy notice

If you’re just beginning your EU General Data Protection Regulation (GDPR) compliance journey, it’s unlikely you will be fully compliant by the time the Regulation is enforced on May 25, 2018.

An integral part of your GDPR compliance project should be producing appropriate documentation, including a privacy notice. Displaying a privacy notice to data subjects when you capture their data proves you are making an effort to comply with the GDPR.

How does a privacy notice differ from a data protection policy?

A privacy notice is a public statement of how your organization applies data protection principles to data processing. It should be a clear and concise document that can be easily accessed by data subjects.

It differs from a data protection policy, which is an internal document that goes into detail about data protection objectives and responsibilities, and how to handle violations. Read our blog How to develop a robust cybersecurity policy for more information on creating a data protection policy.

The privacy notice

The privacy notice should address the following:

  • Who is collecting the data?
  • What data is being collected?
  • What is the legal basis for processing the data?
  • Will the data be shared with third parties?
  • How will the information be used?
  • How long will the data be stored?
  • What rights does the data subject have?
  • How can the data subject raise a complaint?

ISO 27001 Cybersecurity Documentation Toolkit

If you don’t know where to begin when creating a privacy notice, take a look at our ISO 27001 Cybersecurity Documentation Toolkit.

This toolkit provides templates for all the documents you need to comply with ISO 27001, including policies, procedures, work instructions, and records.

The templates are also aligned with NIST SP 800-53 and the New York Department of Financial Services Cybersecurity Requirements.