How to Write a GDPR Compliant Privacy Policy

Almost every aspect of our daily lives revolves around data. Think about all the things you do online that are tied back to you: shopping, banking, email, or social media. Every time you visit a website, you might be leaving a digital trail back to you.

Nearly everything we do online involves the collection and analysis of our personal data – from offering personalized recommendations to serving personalized advertising. Your name, email, credit card numbers, and more are stored by organizations. In many cases, the information is bundled and sold to marketers.

Your organization may already have a privacy policy in place that came out before the General Data Protection Regulation (GDPR) went into effect. If it hasn’t been updated to include the provisions of the GDPR, you’re at risk.

The GDPR is more stringent than any earlier privacy legislation, so if you haven’t done so already, you’ll need to update your internal policies and your published privacy policy under its terms.

PRO TIP: Take the hassle of writing your own privacy policy away with our privacy policy generator trusted by over 200,000 businesses. It’ll save you hours of work and possible costly legal mistakes.

What is GDPR?

The GDPR is a piece of legislation enacted by the European Union in 2016. It was an attempt by regulators to modernize the rules revolving around online privacy. It established a new set of rules designed to give EU citizens more control over what happens to their personal data.


GDPR sets guidelines for data management and gives rights back to the users. It is critical legislation for almost all companies that handle citizens’ data, like social media websites, banks, insurance companies, etc.

This was the biggest shakeup of the data privacy rules, and it supersedes the 1995 Data Protection Directive. Every organization in the world that handles or controls the personal data of EU residents has to comply with the strict rules set by GDPR, or it may be heavily penalized.

6 GDPR Principles

The GDPR outlined six principles that formed the foundation for its requirements.

Lawfulness, Fairness, and Transparency

Besides making sure you are not breaking the law or hiding information from users, there is a requirement to be transparent. This means an easy-to-understand privacy policy that details what data you are collecting and how you plan to use it.

Limitation of Purpose

This means you are only allowed to collect personal data for a specific purpose, use it only for that purpose, and let users know the purposes or uses.

Data Minimization

Organizations are only allowed to process the data needed to achieve their stated purposes.

Accuracy

The GDPR says that “every reasonable step” must be taken to rectify (or erase) any data that is wrong or incomplete. Individuals have the right to request that inaccurate or incomplete data be rectified (or erased) within 30 days.

Storage Limitation

Organizations are required to delete personal data once it’s no longer needed for the stated purpose.

Data Privacy and Integrity

Organizations are required to ensure the appropriate security of personal data. This includes protection against unauthorized or unlawful processing and against accidental loss, damage, or destruction. Many of the heaviest fines for violations of the GDPR are aimed at companies that suffered data breaches.


Who Needs to Comply With the GDPR?

It doesn’t matter whether you’re located in the European Union or anywhere else in the world, including Canada and the USA. The purpose of the GDPR was to provide improved privacy protection and control for EU citizens.

So, if you may potentially be doing business with EU residents, conducting transactions, or collecting, disseminating, or selling identifiable information about EU residents, you will need to comply.

It’s important to note that any small or medium-sized enterprise with fewer than 250 employees will be exempted from fulfilling the entire list of the GDPR clauses. A possible reason behind this relief is that smaller organizations pose much less data breach risk compared to giants like Google, Facebook, etc.

The regulation identifies two types of organizations that need to comply: processors and controllers.

Controllers

Think of controllers as those that control what data is collected on individuals, why it is collected, and how it is collected. If you own a website or app, you’re most likely a controller. GDPR regulates what information you can ask for and how you can use it.

Processors

Processors under the GDPR are those acting on behalf of the controller. They follow the instructions given by the controller.

Here’s an example: Let’s say you’re a local retailer that sells books. In the course of doing business, you collect names, addresses, and credit card numbers. You want to do a special mailing to customers, so you give the names and addresses in your database to a printer to create and mail. In this case, the retailer is the controller. The printer would be the processor.

While both are liable for complying with GDPR, controllers set the policies and have the overriding responsibility for controlling the data.

What to Include in a Privacy Policy to Comply With GDPR?

Privacy policy requirements are framed by the guidance provided in Article 12 of the GDPR. Communications about data processing must be:

  • Concise
  • Transparent
  • Intelligible using clear and plain language
  • Easily accessible
  • Free of charge

Your privacy policy needs to avoid heavy legalese and jargon. It needs to be easy to understand and your users need to be able to find it easily. It must cover all aspects of your data collection, processing, and use.

The European Commission provided some examples of good compliant privacy policies that would be sufficient to meet the intent of the regulations:

[Image: example privacy policy clauses from the GDPR website]

As you can see in each of these examples, the specific use of the data that is collected is clearly identified and explained in language the average person should be able to understand.

Chapter 13 of GDPR details the rights of data subjects and covers what information you need to provide when personal data is obtained, including:

  • The name and contact information of the controller and, where applicable, the controller’s representative
  • The name and contact details of the organization’s Data Protection Officer, if one is appointed
  • The legal basis for processing data
  • The purpose for which the data is being gathered
  • The type of personal data you collect
  • How long you plan on storing the data
  • If you will transfer the data internationally
  • Whether data is used in automated decision-making
  • Which third parties you share data with
  • How you will notify users if your privacy policy changes

A significant piece of the privacy policy is informing people about their rights under the GDPR. There are 8 specific rights spelled out in the regulation that must be included in your privacy policy:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure (the right to be forgotten)
  • The right to restriction of processing
  • The right to data portability
  • The right to object
  • The right to not be subject to automated decision-making

What is Considered Personal Data Under GDPR?

The General Data Protection Regulation defines personal data very broadly. While some are more obvious – such as name, address, email, or credit card information – others are less conspicuous.

For example, IP addresses, browser type, or cookies that are identifiable to an individual are all considered personal data. RFID tags, location data, and even identification numbers are all considered personal data under the GDPR.

Article 4 of the GDPR describes it this way:

[Image: the “personal data” definition from Article 4 of the GDPR]

When it comes to the application of the GDPR, there are some exceptions too. Anti-doping agencies, journalists, and historical and scientific researchers have been exempted under the GDPR and can handle users’ data according to their work requirements.

How Do I Get Consent From My Users Under GDPR?

One major requirement of the GDPR is explicit consent: companies have to demonstrate that they obtained unambiguous consent from their users in order to process their data.

Consent must be given through an affirmative action; passive or implied consent is not acceptable under the GDPR. The following rules govern how companies can obtain consent from their users and comply with the GDPR:

  • Consent must be freely given and must not be linked to negative consequences if it is refused.
  • The purpose for which consent was given can’t be extended afterwards.
  • Companies must provide a detailed account of how the data will be used; if they fail to provide the necessary information to the user, the consent is automatically nullified.
  • Pre-ticked boxes can’t be used for consent; an affirmative action, like ticking a box, is required for it to count as consent.
  • The consent request shouldn’t be buried in the terms and conditions agreement and should be presented to the user separately.
  • Inform people clearly how they can withdraw their consent.
  • If you are already collecting consent but are not sure whether it meets the GDPR standard, it’s better to run a re-permission program: refresh the consent form, update the subscriber list, and remove those who didn’t give consent.

Devising a foolproof consent request that won’t be classed as non-compliant with the GDPR is a real challenge. Companies should consider the tips above carefully and seek expert help when planning a consent request.

Penalties and Fines for Non-Compliance With GDPR

Failing to comply with GDPR can lead to warnings, reprimands, and suspension of data transfers. It can lead to a temporary or permanent ban on data processing. It can also lead to huge fines.

For example, not processing people’s data in the correct way, not notifying the supervising authority and victims about a data breach, and not evaluating the impact of a data breach will most certainly be reasons for a hefty fine.

There are two tiers of fines that can be levied:

Lower Level GDPR Penalties

Fines of up to €10 million (USD $11.8 million), or 2% of a company’s global annual revenue – whichever is higher.

Higher Level GDPR Penalties

Fines of up to €20 million (USD $23.6 million), or 4% of a company’s global annual revenue – whichever is higher.

British Airways, Google, and Marriott have all been hit with multi-million-dollar fines. British Airways was fined a record-setting $230 million. Individuals and businesses of all sizes (local shops, restaurants, and healthcare providers) have been fined. It’s not just EU companies that have been fined: organizations around the world, including in the U.S. and Canada, have been hit with GDPR fines.

GDPR Compliance Checklist Infographic

[Infographic: GDPR privacy policy compliance checklist]

How to Write a GDPR Compliant Privacy Policy?

A privacy policy is a way to inform your visitors about your data collection, storage, and distribution practices. Having and displaying a privacy policy on a business website is mandatory. It’s a legal document that has consequences.

Failing to comply with the GDPR and other privacy legislation can lead to fines. The penalties for failing to comply are significant. For some businesses, it can be a death sentence.

If you’re ever forced to go to court regarding your data privacy practices and policies, you’ll be held accountable for what’s in your privacy policy or what’s not in it that’s required.

As you can see, it can get complex very quickly. You simply can’t afford to take chances when writing a privacy policy that must comply with the General Data Protection Regulation.

Olivia Adams
CIPP/E, CIPM, CIPT
Olivia is an experienced data privacy compliance consultant. Throughout her career, she has helped hundreds of small to mid-size businesses with comprehensive advice on compliance with privacy laws.