How To Write Privacy Policy For Blog
To comply with the General Data Protection Regulation (GDPR), you need a GDPR-compliant privacy policy.
Without a GDPR privacy policy (also commonly referred to as a GDPR privacy notice or GDPR privacy statement), you're at risk of noncompliance fines that could put you out of business.
Read on to learn what the GDPR is, if you need to comply, why a privacy policy is mandatory under the GDPR, and what a GDPR privacy policy includes.
Download our free GDPR privacy policy template to easily get started on your own GDPR compliance journey.
- What Is the GDPR?
- Do I Need to Comply with the GDPR?
- What Is a GDPR Privacy Policy?
- How Do I Make My Privacy Policy GDPR-Compliant?
- GDPR Privacy Policy Examples
- How to Write a GDPR Privacy Policy
The GDPR is a data privacy law in effect since May 25, 2018. Passed by the EU, but affecting companies around the world, the GDPR gives users more rights over the personal information they share with businesses, and penalizes companies that are negligent with this data.
The GDPR protects the data rights of users in the European Economic Area (EEA). The EEA is comprised of the EU member states plus Iceland, Liechtenstein, and Norway. Switzerland is not in the EEA and has its own data protection law (the FADP), but a Swiss business that handles the personal data of EEA users falls under the GDPR like any other non-EEA business.
Fines for noncompliance run up to €20 million (roughly $23 million) or 4% of your annual global turnover, whichever is higher, depending on the severity of the infraction; a lower tier of €10 million or 2% applies to less serious breaches.
As the GDPR applies to businesses around the world, you may be subject to this strict privacy law. Whether or not you need to comply with the GDPR will depend on your answers to two questions:
1. Do I collect personal information from users?
Personal information includes names, emails, credit card details, device data, and other pieces of information that can be linked to a specific individual. If you use cookies, collect online payments, allow user accounts, or email your site visitors, you collect personal information.
2. Do I have, or plan to have, users in the EEA?
If you currently have users in the EU, Iceland, Liechtenstein, or Norway, and you collect personal information from them, you must comply with the GDPR.
Keep in mind that if you currently answer no to either of the two questions above, but plan to collect personal information from EEA users in the future, you need to prepare to comply with the GDPR as soon as possible.
Do I Need a Privacy Policy to Comply with the GDPR?
To comply with the GDPR, you need a privacy policy.
GDPR guidelines focus on transparency, so companies must clearly explain how they collect, share, and process user data in a privacy policy.
Three articles within the GDPR address the privacy notice requirement:
- Article 12 — Information about data collection, storage, and transfer must be presented to users in a concise, transparent, intelligible, and easily accessible form, in writing or by other means, including electronically.
- Article 13 — If you collect data directly from users, you need to provide them with certain information, such as your contact details, the purposes and legal bases of processing, and how long you keep the data.
- Article 14 — When data is not collected directly from the user, you need to provide the same information plus the source of the data, such as the partners, affiliates, or third parties it came from.
According to GDPR Recital 58, these articles can be satisfied by providing data-privacy information in electronic form through your website.
That is, you can satisfy three GDPR requirements by providing the right privacy policy on your website. If you built your website using WordPress, your WordPress privacy policy needs to meet GDPR requirements.
Privacy and data security laws around the world require privacy policies. To comply with the GDPR, your privacy policy needs to include certain information and meet specific requirements.
If you operate in Germany, Austria, or Switzerland, your website is legally required to have an impressum as well as a privacy policy. Many affected companies choose to combine the two.
A GDPR privacy policy is a notice on your website that clearly explains how you process the personal data of EEA users.
Your GDPR privacy policy doesn't need to be separate from your regular privacy policy. In fact, "GDPR privacy policy" only refers to a privacy policy that includes the necessary controls and information to meet GDPR requirements.
To comply with the GDPR, your privacy policy must be transparent in language and content, and contain specific clauses regarding how you collect, share, and process data.
Your privacy notice should be understandable to the average reader, and should give them clear insight into how you handle their data and what rights they have regarding their personal information.
GDPR Privacy Policy Requirements
The two overarching requirements for your GDPR privacy policy are that it must be: transparent and user-centric.
According to Article 12 of the GDPR, information about data processing must be presented:
…in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Although the use of technical terms is inevitable in a privacy policy, the information should be concise, and not hidden in dense paragraphs. Complicated legalese and unnecessary fine print are unacceptable.
To appreciate the importance of transparency, look at the €50 million fine that CNIL, the French regulator, imposed on Google in January 2019. The tech giant was penalized for spreading essential information across many documents and pages, so that users could not easily work out what was done with their data.
A transparent GDPR privacy policy is inherently user-centric, and features simple language, appropriate visual elements, and a navigable layout.
Your GDPR policy should be written to help users make informed choices about sharing their personal data.
What to Include in a GDPR Privacy Policy
In addition to being transparent and user-centric, a GDPR-compliant privacy policy should contain several specific clauses.
Your GDPR privacy notice must contain the following sections:
Appropriate contact details
The contact details of the following individuals need to be included in your privacy policy:
- Data controllers: Data controllers determine how and why personal data is collected. If you collect personal data through your website, such as login information or payment details, you are the data controller, and Article 13 requires your identity and contact details in the policy.
- Data processors: Data processors handle user data on behalf of the data controller. For example, if you collect payment details through a checkout page on your website, you are the data controller, but a third-party payment service (like Stripe or PayPal) is the data processor. The GDPR requires you to disclose the recipients, or at least the categories of recipients, of user data, so name your key processors or describe the categories they fall into.
- EU representatives (if applicable): If you are not established in the EU but regularly process the personal data of EEA users, especially large volumes or highly sensitive categories of data, Article 27 requires you to appoint an EU representative (also known as an EU data representative) as a point of contact in the EEA.
- Data protection officers (if applicable): You need a data protection officer (DPO) if you are a public body, if your core activities involve large-scale, regular, and systematic monitoring of individuals, or if you process special categories of data on a large scale. DPOs oversee your company's GDPR compliance and must be able to act independently.
If you use multiple data processors, we recommend linking directly to their privacy policies within your own privacy policy, rather than listing out their unique contact details.
The basis on which data is being processed
Article 6 of the GDPR establishes the following six legal bases on which data can be lawfully processed:
- With consent of the data subject
- For the legitimate interests of the controller or a third party (not overridden by the user's rights)
- For the performance of a contract
- To comply with a legal obligation
- To protect the vital interests of the data subject
- In public interest
A GDPR privacy policy must state which of these bases applies to each data-processing activity, and explain plainly how user information is processed for each purpose. Our free template includes a section that does this for a range of common business purposes.
Automated decision-making and/or auto-profiling
Article 22 of the GDPR gives individuals the right not to be subject to a decision that produces legal or similarly significant effects and is based solely on automated processing (without any human involvement). Articles 13 and 14 add a disclosure duty: if such decision-making or profiling exists, the user must be told, along with meaningful information about the logic involved and the significance and likely consequences for them.
If you implement an automated profiling system, your privacy policy therefore needs to outline how and why you conduct this type of decision making or profiling.
To whom data may be transferred
The GDPR requires companies to say who is involved in data processing. You need to list the recipients, or at least the categories of recipients (third parties, partners, and affiliates), with whom data may be shared.
If such data sharing could occur as part of a merger or acquisition, you need to state this too.
To which countries data may be transferred
Your privacy policy needs to state which countries outside the EEA data is transferred to, and on what legal basis the transfer rests, for example an adequacy decision or standard contractual clauses with the recipient.
If cookies and other tracking technologies are used
Under the GDPR, identifiers collected via cookies and other tracking technologies (such as pixel tags) count as personal data where they can be linked to an individual (Recital 30).
Therefore, cookies should be listed as a data-collection method, and treated with the same considerations as other methods.
How long data may be stored
The GDPR requires you to state how long data will be stored or, where a fixed period is not possible, the criteria used to decide the retention period.
What rights users have under the GDPR
GDPR Articles 12–22 establish the eight fundamental rights of data subjects:
- The right to be informed
- The right to access
- The right to rectification (correction)
- The right to erasure (to be forgotten)
- The right to restriction of processing
- The right to data portability
- The right to object
- The right to not be subject to automated decision making
Your privacy policy should include a section which lists these basic rights granted by the GDPR.
How users can act on those rights
The list of data subject rights needs to include directions on how users can act upon those rights. GDPR privacy policies should give directions, information, and appropriate links to assist users who wish to act upon any of the rights listed above.
Now that you know what a GDPR privacy policy should contain, let's look at how well-known companies have accomplished this.
These are all good examples of GDPR privacy policies, but remember that they aren't templates for GDPR compliance. Copying another company's clauses without modification will confuse users, and lead to legal trouble.
Example #1: Information Commissioner's Office (ICO) GDPR Privacy Policy
The UK's ICO has a model example of a GDPR privacy policy, with a navigational list on the left to allow users easy accessibility.
The ICO's privacy policy clearly lists out user rights under the GDPR, includes a brief explanation of each, and even provides links for users to learn how they can act on their rights.
Example #2: Etsy GDPR Privacy Policy
Etsy's privacy policy was written with GDPR compliance in mind. It follows a standard ecommerce template layout, and begins with an easily navigable menu.
Contact information for Etsy's data protection officer is displayed prominently, as are details for its data protection authority.
If users are skeptical about Etsy's data collection practices, or if they have a complaint, they know exactly who to reach.
Example #3: LinkedIn GDPR Privacy Policy
LinkedIn's privacy policy is another good example of a GDPR privacy statement. As well as explaining all necessary information, the policy provides brief summaries for readability.
The networking site also includes a video version of its privacy policy. While this is overkill for small businesses, it's worth noting the effort prominent companies are taking to make their policies accessible and GDPR compliant.
Example #4: QuickBooks GDPR Privacy Policy
QuickBooks' privacy policy is another great example of a user-centric GDPR privacy statement. It offers various controls through its GDPR centre, and includes links to its privacy policy and other relevant documents.
Having a dedicated GDPR privacy page on your site allows you to house all relevant policies together — such as your terms of use, cookie policy, and disclaimer. Although only a privacy notice is required by the GDPR, these other policies provide critical legal protection.
You should now have a good idea of what a privacy statement is, and all the key clauses and characteristics it must include to be compliant under the GDPR.
To write a GDPR privacy policy, simply download our free GDPR privacy policy template (UK and US compliant), and customize each section for your website and the specific needs of your business.
Alternatively, use our free privacy policy generator to create a compliant GDPR privacy notice in minutes. Our builder will ask some details about your business and help you answer tricky questions about your data practices and GDPR compliance measures.
Our GDPR privacy policy template, as well as our privacy policy builder, are suitable for:
- Small businesses
- Websites (including WordPress)
- Blogs
- Ecommerce platforms (e.g., Shopify, WooCommerce)
Without a GDPR privacy policy, your business is at risk. Download and customize your own template or build a privacy policy for free, but don't wait to comply with the GDPR.
Not the template you need? Download and edit one of our other privacy policy templates.
Source: https://termly.io/resources/templates/gdpr-privacy-policy/
Posted by: boucherleopragues.blogspot.com