10 Steps to write a GDPR Compliant Privacy Notice

Written By Maeve Dunne

If you are entering into the European Market for the first time OR if you are hoping to partner up with a European business or promote your services to the European consumer – then start with getting your website Privacy Notice right!  

1. Write your Privacy Notice as if it is the Homepage of your website!

Your Privacy Policy or Privacy Notice (call it what you will) should reflect your brand. Ask your Marketing team to write the copy to encourage brand trust and loyalty. 

2. Keep it Simple

Use clear, plain language and do not hide behind legal jargon.  Start with clear headings to give you a compliant framework. 

 3. Avoid Copy & Paste

OK I know everyone does it but….do not copy a policy from anther site.  These are YOUR data protection obligations to a consumer and you must be able to stand by them

4. Privacy vs Cookie

Your Privacy Policy and Cookie Policy are two separate pages. Do not merge them and I always suggest separate links.  Both links must be clearly accessible on your homepage. Do not start describing what a cookie is on your Privacy Policy!  Never merge your Terms & Conditions with your Privacy Policy.

Start - Introduce yourself

Provide a simple explanation of your business in one or two lines. If it is a complex setup with different brand names, a simple explanation provides clarity to the user. Provide: -

·      Full registered company name, address, phone number and company email

·      The contact details of your Data Protection Officer or person responsible for data protection. This does not have to be a named person on the site, you could simply use privacy@xx.  

·      State when you last reviewed & updated the policy

Opportunity to Raise a Concern

Offer the opportunity to contact your Privacy Officer with any questions or privacy concerns. You must also provide the contact details of the Data Protection Supervisory Authority of your country eg website or email, if they wish to raise a concern. State if you are registered with the Supervisory Authority and provide your registration number if applicable.

Opportunity to Opt-Out

Give them clear and easy opt-out options eg you can click on the unsubscribe button on all our communications (which you must have!). Contact us privacy@ or Click here. You can provide an address but this cannot be the only option. It must be EASY to opt-out.

Their Data – What, Why, Where, When

What - Explain what information you collect (name, email, DOB etc) other additional information. Explain the method of collection eg clear consent through the online registration process / ticking the specific offers etc…

Why – Be transparent about the purpose of collecting their details, especially if it is not obvious such as third-party advertisers. With your consent we will share your details with companies who have offers that may interest you. Be specific about the offers such as health cover, debt recovery etc

Where – List who will potentially receive the data. Rather than inserting a large table, simply provide a click here to see a list of our sponsors I have seen Privacy Policy where they have provided an opt-out option for each brand name – top marks for that!  

When – Inform how long you plan to hold their information for.  It is good marketing practice to refresh regularly or delete.   There is no specified time frame but a good rule for non-responders is 24mths. Make a business decision, state it and implement appropriate database rules.

Suppliers & Transfers

Again, be transparent about who, where and why data is transferred from your company to a supplier. This could include hosting provider, address enhancement provider etc. It is important to state if this processing is out of the region. For example; if your business is based in Europe and transferring data to the US for hosting – this is considered an International Transfer and appropriate security measures and agreements must be in place. A clear table or click here is good to explain company name, purpose for processing and location of hosting

Data Protection Rights

 They must be informed of their rights to access and control their own data. (These must be actioned within 30 days)

  • They can request to see a copy of the data you hold

  • Ask for the data to be transferred to another organisation (Include this even if it is not relevant to your business)

  • Encourage them to update you if their information is inaccurate

  • Unsubscribe at any time

Maeve Dunne
Next

Your CRM may well be with a ‘local’ provider but where is it hosted?