Nonetheless, this article lists and discusses critical pointers or tips for writing a privacy notice based on the standards set forth under the EU General Data Protection Regulation.
Tips for writing a GDPR-compliant privacy notice
1. The parts of a privacy notice: Discuss and explain how data is collected, processed, and used, as well as the options of website visitors
The privacy notice should be organized based on proper headings or section labels. Each section of the privacy notice should discuss and explain how data is collected, processed, or used, as well as the options of website visitors. Take note of the following recommended sections of a GDPR-compliant privacy notice:
• Processing of data: Describe how the collected data and information are processed, including the storage, retrieval, and deletion processes, as well as the security measures employed. Indicate the use of a database and explain how the data management system works. Discuss the security measures used to protect data and information against unauthorized access, specifically by mentioning the use of encryption technology, access management, cybersecurity, and internal policies and standards, among others.
• Use of data: Justify why data and information need to be collected from website visitors. To be specific, list and discuss in detail the reasons or purposes for using such data and information. Explain how the use of data and information benefits the website owner and website visitors. In addition, mention the legal basis for collecting, processing, and using them. It is also possible to list here the types of data and information that are collected, with an added explanation of how and why they are used.
• Individual options: Inform website visitors about the ways their data and information are handled, processed, and used. For example, explain that individuals can disable cookies in their web browsers or use incognito browsing to maintain Internet anonymity. Mention options for clearing browsing history. Furthermore, it is also important to tell website visitors that they can contact the website owner or an appropriate representative to request modification or deletion of collected data and information, as well as to object to or restrict how such data are collected, processed, and used.
2. Individual rights under GDPR: Remember to enumerate and explain the rights of individual website visitors in the privacy notice.
A privacy notice should inform website visitors about their rights. These rights can be discussed across the different sections of the document. However, remember the importance of organization and clarity of presentation. Note that the GDPR lists eight individual rights. These are:
• The right to be informed, before any data and information are collected from them, about how their data and information are being collected, processed, and stored, and for what purposes.
• The right to access their data and information after it has been collected and understand how it has been collected, processed, and stored, what data and information exist on them, and for what purposes.
• The right to rectification or the right to correct inaccurate or incomplete data and information.
• The right to be forgotten, or to have their data and information erased, not just by the individual or organization that collected them but also by any other individual or organization to which their data and information were sold or transferred.
• The right to restrict the processing of their data and information.
• The right to data portability, or the right to move, copy, or transfer personal data and information from one data controller to another safely, securely, and in a commonly used and machine-readable format.
• The right to object to processing without explicit consent, including the right to ban the inclusion of their data and information in direct marketing databases.
• The right to opt out of automated decision-making and demand that important decisions be made by humans, not algorithms.
3. Addressing GDPR standards: Other important considerations in writing a GDPR-compliant privacy notice
The GDPR has other strict guidelines on what constitutes an acceptable privacy notice. For example, under Article 12 of the law, the document should be written using clear and plain language, which means readers must not be overwhelmed with unnecessary information, such as excessive legalese or technical terminology.
Remember that the GDPR also requires the privacy statement to explain the purpose of collecting, processing, and using the data and information of website visitors, as well as the legal basis for doing so. In addition, the document must include the name and contact information of the individual or group of individuals, such as data controllers or data protection officers, responsible for controlling and managing data and information.
Note that the aforementioned GDPR standards can be addressed across the entire privacy notice. However, it is important to reiterate the need to make the entire document as organized and as readable as possible.
Conclusion: How to write a GDPR privacy notice