The General Data Protection Regulation or GDPR that took effect on 25 May 2018 has compelled individuals and organizations that operate websites with exposures in the European Union to create or update a Privacy Statement or Privacy Notice—also known as a Privacy Policy—that would effectively explain how data and information of website visitors and users are collected, processed, and used according to legal standards. In other words, these websites are required to have a particular Privacy Notice that meets the GDPR standards to continue reaching Internet users in the EU.
Nonetheless, this article lists and discusses critical pointers or tips for writing a privacy notice based on the standards set forth under the EU General Data Protection Regulation.
Tips for writing a GDPR-compliant privacy notice
1. The parts of a privacy notice: Discuss and explain how data is collected, processed, and used, as well as the options of website visitors
The privacy notice should be organized based on proper headings or section labels. Each section of the privacy notice should discuss and explain how data is collected, processed, or used, as well as the options of website visitors. Take note of the following recommended sections of a GDPR-compliant privacy notice:
• Collection of data: Explain in details how the website collects data and information. Mention the tools used for automated data and information collection, including the use of cookies, the providers of these tools such as Google Analytics or other tracking service providers, the use of tools to track ad performance. When applicable, also mention the use of online forms or other methods that enable website users to provide their data and information voluntarily. Furthermore, enumerate the types of data and information used.
• Processing of data: Describe how the collected data and information are processed, including the storage, retrieval, and deletion processes, as well as the security measures employed. Indicate the use of a database and explain how the data management system works. Discuss the security measures used to protect unauthorized access to data and information, specifically by mentioning the use of encryption technology, access management, cybersecurity, and internal policies and standards, among others.
• Use of data: Justify why data and information are needed to be collected from website visitors. To be specific, lists down and discuss in details the reasons or purposes for using such data and information. Explain how the use of data and information benefits the website owner and website visitors. In addition, mention the legal basis for collecting, processing, and using such. It is also possible to list down here the types of data and information that are collected with an added explanation of how and why such are used.
• Individual options: Inform the website visitors about the ways their data and information are handled, processed, and used. For example, explain that individuals can disable cookies in their web browsers or use incognito browsing to maintain Internet anonymity. Mention options for clearing browsing history. Furthermore, it is also important to tell website visitors that they can contact website owners or an appropriate representative to request for modification or deletion of collected data and information, as well as to object or restrict how such are collected, processed, and used.
2. Individual rights under GDPR: Remember to enumerate and explain the rights of individual website visitors in the privacy notice.
A privacy notice should inform website visitors about their rights. These rights can be discussed across the different sections of the document. However, remember the importance of organization and clarity of presentation. Note that the GDPR lists down eight individual rights. These are:
• The right to be informed, before any data and information are collected from them, about how their data and information being collected, processed, and stored, and for what purposes.
• The right to access their data and information after it has been collected and understand how it has been collected, processed, and stored, what data and information exist on them, and for what purposes.
• The right to rectification or the right to correct inaccurate or incomplete data and information.
• The right to be forgotten or have their data and information erased, not just by the individual or organization but by any other individual or organization their data and information were sold or transferred to.
• The right to restrict the processing of their data and information.
• The right to data portability, or the right to move, copy, or transfer personal data and information from one data controller to another safely, securely, and in a commonly used and machine-readable format.
• The right to object to processing without explicit consent, including the right to ban the inclusion of their data and information in direct marketing databases.
• The right to opt out of automated decision-making and demand that important decisions be made by humans, not algorithms.
3. Addressing GDPR standards: Other important considerations in writing a GDPR-compliant privacy notice
The GDPR has other strict guidelines on what constitutes an acceptable privacy notice. For example, under Article 12 of the law, the document should be written using clear and plain language, thus barring from overwhelming readers with too much unnecessary information, including excessive legalese or technical terminologies.
It is important for the website to have a separate webpage dedicated for the privacy notice. In addition, the document must be easily distinguishable from other non-privacy information or statements, including data protection policy, terms of use, or user agreement. It is also worth mentioning that the privacy notice can be delivered using a non-textual content such as an infographic or audio-video contents. However, GDPR requires that such privacy notice should always be available in a single and written document. The law also requires the document to be available orally by having a recorded version or having someone read it aloud if the need arises.
Remember that the GDPR also requires the privacy statement to explain the purpose for collection, processing, and using the data and information of website visitors, as well as the legal basis for doing so. In addition, the document must include the name and contact information of the individual or group of individuals, such as data controllers or data protection officers, responsible for controlling and managing data and information.
Note that the aforementioned GDPR standards can be addressed across the entire privacy notice. However, it is important to reiterate the need to make the entire document as organized and as readable as possible.
Conclusion: How to write a GDPR privacy notice
In a nutshell, writing a GDPR-compliant privacy notice—also known as a privacy statement or privacy policy—should answer the following questions: (1) Who is collecting the data and information? (2) What data and information are being collected? (3) What is the legal basis for processing the data and information? (4) Will the data and information be shared with any third parties? (5) How will the data information be used? (6) How long will the data and information be stored for? (7) What rights does the owner of data and information have? (8) How can the owner of the data and information raise a complaint?