Creating a privacy notice is an important part of your EU GDPR (General Data Protection Regulation) compliance project, but knowing what it should say or where to start can be difficult.
Should GCC companies update their current privacy notice?
The GDPR, which came into effect on 25 May 2018, applies to any organisation in the world that offers goods and services to, or monitors the behaviour of, EU residents. This means many GCC companies will be affected.
Your organisation should prioritise creating a GDPR-compliant privacy notice, and display this to your users wherever you collect data, to prove you are making an effort to comply.
The difference between a data protection policy and a privacy notice
A data protection policy is an internal document that goes into detail about data protection objectives, responsibilities and how to handle violations. For example, your policy might include instructions for staff who collect client data, specifying that they only collect as much data as is necessary for their task.
If you need more information about creating a data protection policy, read our blog post "Get help writing your GDPR data protection policy".
A privacy notice is a public statement of how your organisation applies and complies with the GDPR’s data protection principles. It should be a clear and concise document that is easily accessible by data subjects.
Privacy notice under the GDPR
Under the GDPR, you are a data controller if you determine the purposes and means of processing personal data. You are required to tell data subjects that you are processing their personal data and provide them with certain information, outlined below.
Articles 12, 13 and 14 of the GDPR outline the requirements for giving privacy information to data subjects. The GDPR says that the information you provide must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
Help with creating a privacy notice template
The privacy notice should address the following to sufficiently inform the data subject:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
Below is an example of a customisable privacy notice template, available from IT Governance, which can help you create a GDPR-compliant privacy notice in minutes.
Satisfy documentation requirements under the GDPR’s accountability principle
If you’re looking for a complete set of GDPR templates to help with your compliance project, you may be interested in the market-leading EU GDPR Documentation Toolkit. This toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:
- A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
- Helpful dashboards and project tools to ensure complete GDPR coverage;
- Two licences for the GDPR Staff Awareness E-learning Course.