A key part of your EU GDPR (General Data Protection Regulation) compliance project is producing documentation to demonstrate that you are fulfilling your responsibilities under the Regulation. One such document is a privacy notice. If you're arriving at the GDPR party late (the Regulation has applied since 25 May 2018), we suggest that you prioritize creating a privacy notice. Display it to data subjects wherever you capture their personal data: it is visible evidence that you have begun your compliance efforts, and it meets an obligation that applies at the point of collection.
How does a privacy notice differ from a data protection policy?
A privacy notice is a public statement of how your organization applies the data protection principles when processing personal data. It should be a clear and concise document that is easily accessible to the individuals whose data you process.
A data protection policy is an internal document that goes into detail about data protection objectives, responsibilities, and how to handle violations. Read our blog post How to write a GDPR data protection policy for more information on creating a data protection policy.
Privacy notices under the GDPR
Articles 12, 13, and 14 of the GDPR set out the requirements for giving privacy information to data subjects: Article 13 covers personal data collected directly from the data subject, Article 14 covers personal data obtained from another source, and Article 12 governs how the information is presented. The GDPR says that the information you provide must be:
- Concise, transparent, intelligible, and easily accessible
- Written in clear and plain language, particularly if addressed to a child
- Free of charge
Help with creating a privacy notice template
To inform the data subject sufficiently, the privacy notice should answer the following questions:
- Who is collecting the data, and how can they (and their data protection officer, if one has been appointed) be contacted?
- What personal data is being collected?
- What is the legal basis for processing the data (and, where the basis is legitimate interests, what those interests are)?
- Will the data be shared with any third parties, or transferred outside the EU?
- How will the information be used?
- How long will the data be stored, or what criteria determine the retention period?
- What rights does the data subject have, including the right to withdraw consent where consent is the legal basis?
- How can the data subject raise a complaint, including with a supervisory authority?
Below is an example of a customizable privacy notice template, available individually or as part of a toolkit from IT Governance USA.
If you're looking for a complete set of GDPR templates to help with your compliance project, you may be interested in the EU GDPR Documentation Toolkit. This toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organizations worldwide. It includes:
- A complete set of easy-to-use and customizable documentation templates, which will save you time and money and support your GDPR compliance
- Helpful dashboards and project tools to ensure complete GDPR coverage
- Direction and guidance from expert GDPR practitioners
- Two licenses for the GDPR Staff Awareness E-learning Course
Are you a North American organization to which the GDPR applies?
Do you offer goods or services to individuals in the EU, or monitor their behavior there? Then the GDPR applies to you, even though you have no establishment in the EU (Article 3(2)). If you are not a public authority or body, Article 27 then also applies, unless your processing is only occasional, involves no large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to individuals' rights and freedoms. If that exemption does not cover you, you must designate in writing a representative established in one of the EU member states where the data subjects you serve or monitor are located. The representative acts as a local contact for data subjects and supervisory authorities, and may be addressed instead of or in addition to you on matters relating to your processing of personal data. We could be your representative. Find out about our GDPR EU Representative service.