Back to Insights

How To Write A Privacy Notice For GDPR?

Compliance 06/10/2020 - 13:17 by Swami Nathan

How to Write a GDPR Privacy Policy and Notices

The EU General Data Protection Regulation (GDPR) Privacy notice represents a first step towards giving EU people and their residents greater influence over how organizations use their data. If your company handles people’s personal information in the EU, then you must abide by the GDPR, regardless of where you are in the world. The fines for violating the new privacy rights of individuals can amount to up to 4 percent of your global revenue, or €20 million, whichever is higher.

A GDPR Privacy Notice is an effective way to help your clients make educated decisions about the data that you are gathering and using. We also collected some knowledge from the legislation itself and the EU guidance documents to help you understand the components of a successful privacy notification.

What is a Privacy Notice?

The EU General Data Protection Regulation (GDPR) requires data controllers to provide certain information to persons whose information they hold and use (personal data). One way of presenting this information is through a privacy notice. This is sometimes referred to as a fair notice for the processing.

A privacy notice with contact information for the data protection officer will describe who is the data controller. It will also clarify the reasons for which personal data will be obtained and processed, how the data will be used and released, for how long it will be retained, and the legal justification for processing for the controller.

How to Write a Privacy Notice?

For New Projects:

If you undertake processing that is likely to result in a high risk to the interests of individuals then you must complete a Data Protection Impact Assessment (DPIA) before starting your project. If you are unsure of the risk, we strongly advise you to complete a DPIA. This will help you identify the types of personal data that you process, the risks to the privacy involved, and the safeguards or controls that you need to have in place to meet your statutory requirements.

For Current Projects:

Any prior risk assessment you have previously done will be reviewed as part of your project for privacy risks. If you’ve already established those and placed them in certain controls, it’s unlikely you’ll need a new DPIA. You should complete a Data Protection Impact Assessment (DPIA) if you have not completed an earlier risk analysis with data protection elements.

To ensure that your purposes and/or techniques have not changed, you must schedule a review of your design against the original risk review for all new or old projects.

You will begin to explain these in your privacy notice, once you have identified the types of data you will be gathering and the processing you will be undertaking.

Under the GDPR, the information you provide about how you process the personal data of individuals must be as follows:

  1. Concise, simple, smart, and easy to navigate;
  2. Written in plain, clear language (especially when you are talking to kids); and
  3. Available for free.

Everywhere on your website, you must include a privacy notification that you are collecting data. Essentially, it’s a condensed version of your privacy policy tailored to each data capture.

When you write a privacy note, please be sure to address:

  1. What data is it that you collect?
  2. Who is the data gatherer?
  3. Will any other organization share that? If so, then Who?
  4. Why do you gather those data?
  5. How are you going to use the data?
  6. Will they consent later on to use their data by you?
  7. Include a link to your complete privacy policy where users can read in more detail on the above.

When Should You Produce a GDPR Privacy Notice?

The GDPR explains that data controllers have to provide a privacy notice whenever they get personal information from a data subject.

The only time that’s not needed is when:

  1. The data subject already has the data set out in the privacy notice;
  2. It would be impossible to provide such information, or would involve a disproportionate effort;
  3. Legally the organization is obliged to obtain the information; or
  4. The personal data shall remain confidential, subject to a professional secrecy obligation

When an organization obtains a third party’s personal information, it must provide a privacy notice within one month.

This should be done when the organization first communicates with the data subject or when it first shares personal data with another recipient.

The easiest way to issue a privacy notice is to post it on your website and to link to it whenever necessary.

If you do not have a website, a printed copy of your privacy policy should be made available.

The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.

How to Write a Privacy Notice for GDPR? Generate your own GDPR compliant cookie policy. Easy to implement! Cookiebot automatically scans your cookies.