GDPR
Privacy Policy

The General Data Protection Regulation
(GDPR) took effect on May 25, 2018.
If the GDPR applies to you, you’ll need to
make sure your Privacy Policy is updated.
UPDATE

Who the GDPR
Applies to

The GDPR will apply to your business if you:
Offer products or services to EU citizens, or
Collect personal information from EU citizens

Note that it doesn’t matter where your business
is located/headquartered. If you meet either of
these criteria, the GDPR applies to you.

For example, a U.S.-based business that simply
collects email addresses from users in the EU
will fall under the scope of the GDPR.
@

What the GDPR
Requires

(1) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Requirements_for_GDPR_Data_Controllers
(2) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Requirements_for_GDPR_Data_Processors
(3) Link to https://termsfeed.com/blog/data-protection-officer-dpo/
The GDPR comes with a number of enhancements
to the current privacy law in the UK - the Data
Protection Directive.
New responsibilities (1) for Data Controllers
Data Processors (2) are now covered by the law
The new role of Data Protection Officer (3) has
been created

The main focus of the GDPR is the protection of
personal data and digital privacy.
Users must be provided with thorough information
about how their personal data is processed.
Here’s where your Privacy Policy comes in.

GDPR-Compliant
Privacy Policy

(4) Link to https://gdpr-info.eu/art-12-gdpr/
Article 12 of the GDPR (4) requires that
you communicate information about your
processing of personal data in a way
that’s:
Concise
Transparent
In clear and plain language
Intelligible
Easily accessible
Free of charge

Most Privacy Policies tend to be long and
dense, filled with legal jargon and less than
clear for most readers.
The GDPR is working to avoid this.

Update your Privacy Policy by:
Cutting out legalese
Simplifying overly technical information
Using short, clear sentences
Writing with your average user in mind

In addition to the standard required components
of your Privacy Policy (5), your GDPR-compliant
policy will need to disclose more information.
(5) Link to https://termsfeed.com/blog/gdpr-privacy-policy/#Have_a_Privacy_Policy

The following 6 concepts must be covered
somewhere in your Privacy Policy.
They can be separate, standalone clauses,
or integrated into other existing clauses.
Just make sure you have the information
somewhere in your Policy.

1. Who is your data controller?
The data controller is the party in charge of
deciding what personal data is collected.
Let users know if this is your business or if
someone else is responsible for making
this important decision.
In most cases, it will be your company.

Make sure your users have a way to
contact you.
This is a fast, easy and important
update to make to your Privacy Policy
if needed.
2. Your contact information and your
DPO’s contact information, if applicable

If you have a Data Protection Officer (DPO),
include contact information for this individual
as well.

(6) Link to https://www.vividfish.co.uk/blog/gdpr-8-rights-under-gdpr
3. The 8 rights of users under the GDPR
Inform users of these 8 rights (6).
They don’t have to be explicitly listed out in
your Privacy Policy, but each point should
be addressed somewhere within it.

The 8 rights of users:
Right to be informed
Right of access
Right of rectification
Right to erasure
Right to restrict data processing
Right to data portability
Right to object
Rights of automated decision-making
and profiling

Twitter includes a separate chapter in its Privacy Policy to
address some of these rights:

Let users know what purposes you
use collected data for, such as for
communication and billing.
4. Your purposes for collecting the data

Let users know if you transfer their
personal data to a different country.
Include a description and explanation
of suitable safeguards you have in
place for the transfer, and how users
can obtain a copy of them.
5. Do you transfer data internationally?

The GDPR provides 6 lawful bases (7).
You’ll likely satisfy this requirement in
your clause that covers what data you
collect and how you use it.
6. Your legal basis for processing data
(7) Link to https://gdpr-info.eu/art-6-gdpr/

For example, you collect email addresses for communication purposes,
financial information for payment purposes, place cookies to remember
passwords and user preferences, etc.

Getting Agreement and
Consent to your Privacy
Practices

Whenever you get consent, use
checkmark boxes or another active
method of clickwrap (8).
(8) Link to https://termsfeed.com/blog/examples-click-accept/

Have Privacy
Notices

Because the GDPR focuses on creating
transparency and understanding for users,
having Privacy Notices will help you be
GDPR-compliant.

A Privacy Notice is a short, concise notice that
helps users understand why you’re requesting
their personal data.
They should be available at the point where
you’re requesting to collect the data.

The GDPR requires your Privacy Policy to
be more informative.
However, it requires that you provide this
information in a simplified, clear way.

Review the language in your Privacy Policy and
drop the legalese. Make it be easy to understand
by your average user
Update your Privacy Policy with the additional
information required by the GDPR
Use clickwrap when getting agreement and
consent
Add Privacy Notices to help users understand
what they’re consenting to
To summarize: