To comply with the General Data Protection Regulation (GDPR), you need a GDPR-compliant privacy policy.
Without a GDPR privacy policy (also commonly referred to as a GDPR privacy notice or GDPR privacy statement), you’re at risk of noncompliance fines that could put you out of business.
Read on to learn what the GDPR is, if you need to comply, why a privacy policy is mandatory under the GDPR, and what a GDPR privacy policy includes.
Download our free GDPR privacy policy template to easily get started on your own GDPR compliance journey.
The GDPR is a data privacy law in effect since May 25, 2018. Passed by the EU, but affecting companies around the world, the GDPR gives users more rights over the personal information they share with businesses, and penalizes companies that are negligent with this data.
The GDPR aims to protect the data rights of users in the European Economic Area (EEA). The EEA comprises the EU, Iceland, Liechtenstein, and Norway. Additionally, the GDPR applies to users in Switzerland.
Understanding GDPR basics is critical for any website or business that collects personal data from citizens of the EEA, as the law applies to companies in the US just as it does to those in the EEA.
Fines for noncompliance are up to $23 million, or 4% of your annual global turnover, depending on the severity of your compliance infraction.
As the GDPR applies to businesses around the world, you may be subject to this strict privacy law. Whether or not you need to comply with the GDPR will depend on your answers to two questions:
1. Do I collect personal information from users?
Personal information includes names, emails, credit card details, device data, and other pieces of information that can be linked to a specific individual. If you use cookies, collect online payments, allow user accounts, or email your site visitors, you collect personal information.
2. Do I have, or plan to have, users in the EEA?
If you currently have users in the EU, Iceland, Liechtenstein, Norway, or Switzerland, and you collect personal information, you must comply with the GDPR.
Keep in mind that if you currently answer no to either of the two questions above, but plan to collect personal information from EEA users in the future, you need to prepare to comply with the GDPR as soon as possible.
Small businesses must also comply with the GDPR if they collect personal information from EEA users. If you’re a small business owner, customize our Data protection policy template for small businesses to meet GDPR requirements.
To comply with the GDPR, you need a privacy policy.
GDPR guidelines focus on transparency, so companies must clearly explain how they collect, share, and process user data in a privacy policy.
Three articles within the GDPR address the privacy notice requirement:
Article 12 — Information about data collection, storage, and transfer must be presented to users in writing.
Article 13 — If you collect users’ data, you need to provide them with certain information, such as your contact details and data-processing purposes.
Article 14 — When data is not directly collected from the user, you need to provide details about relevant partners, affiliates, or third parties.
According to GDPR Recital 58, these articles can be satisfied by providing data-privacy information in electronic form through your website.
That is, you can satisfy three GDPR requirements by providing the right privacy policy on your website. If you built your website using WordPress, your WordPress privacy policy needs to meet GDPR requirements.
Having a privacy policy is also a requirement under the California Online Privacy Protection Act (CalOPPA) and California Consumer Privacy Act (CCPA), and your privacy policy can easily be written to meet these laws as well as the GDPR.
Privacy and data security laws around the world require privacy policies. To comply with the GDPR, your privacy policy needs to include certain information and meet specific requirements.
If you operate in Germany, Austria, or Switzerland, your website is legally required to have an impressum as well as a privacy policy. Many affected companies choose to combine the two.
A GDPR privacy policy is a notice on your website that clearly explains how you process the personal data of EEA users.
Your GDPR policy template doesn’t need to be separate from your regular privacy policy. In fact, “GDPR privacy policy” only refers to a privacy policy that includes the necessary controls and information to meet GDPR requirements.
To comply with the GDPR, your privacy policy must be transparent in language and content, and contain specific clauses regarding how you collect, share, and process data.
Your privacy notice should be understandable to the average reader, and should give them clear insight into how you handle their data and what rights they have regarding their personal information.
Privacy Policy and Terms and Conditions (T&C) agreements are both, as the names imply, legally binding contracts. The main difference between the two is this: a Privacy Policy agreement exists to protect your clients, while a T&C agreement exists to protect you, the company.