GDPR Privacy Policy Checklist

Once you’ve determined that your organization needs to comply with the EU General Data Protection Regulation (GDPR) as a “controller”, as defined in Article 4(7), where do you start with your compliance efforts? To be sure, there are plenty of articles and “how to” advice out there on the internet, but frankly not enough tools to help make compliance easier by walking you through the process, step by step. That’s why VeraSafe has created a Privacy Policy Checklist, which you can access below.

What Is a Privacy Policy?

A privacy policy (also called a “privacy statement” or “privacy notice”) is a document that you publish informing people how you gather, use, share, and manage their personal data. The GDPR imposes significant new requirements on what data controllers must disclose in their privacy policies. The specific items that must be addressed can be found in Articles 12-14 of the GDPR and are summarized in VeraSafe’s checklist.

Why Start with a Privacy Policy?

Creating a GDPR-compliant privacy policy (or updating your existing privacy policy in light of the GDPR) is a good place to begin your GDPR compliance efforts because it helps set a roadmap for you to follow when you begin to address other obligations under the regulation. VeraSafe’s Privacy Policy Checklist compiles a set of specific requirements that you, as a data controller, must address when preparing a GDPR-compliant privacy policy. Additionally, creating a privacy policy is one of the most important obligations imposed on data controllers under the GDPR.

Clear, Concise, Transparent, and Easy to Access

In addition to the substantive items that must be contained in your privacy policy, your organization’s privacy statement should be easy to read. As such, it should be written in clear and plain language. It should also be concise, transparent, and easy to access. Your goal should be to make your privacy policy as easy to find, read, and understand as possible.

VeraSafe’s Privacy Policy Checklist

If your organization is deemed a controller under the law, you’ll need to address the specific requirements set out in Articles 12-14 of the GDPR, including the name and contact details for your EU representative; if applicable, the name and contact details for your data protection officer (DPO); the types or categories of information that you collect and process; the purposes of your processing; the legal basis for your processing; your data retention policy; details about the rights of data subjects; and how you will communicate changes in your policy.

To help VeraSafe’s professional services team accomplish these objectives in the course of client engagements, VeraSafe has developed a Privacy Policy Checklist – and now you can access this checklist for free. Your organization is encouraged to review Articles 12-14 of the GDPR and to use VeraSafe’s Privacy Policy Checklist as a starting point for drafting or updating your privacy policy. Please note that the checklist isn’t meant as a substitute for legal advice and doesn’t amount to an interpretation of your particular circumstances.

Click here to download VeraSafe’s GDPR Privacy Policy Checklist.

Need a GDPR Expert?

VeraSafe’s strength lies at the intersection of law and IT, two skillsets not traditionally found under the same roof. VeraSafe’s team combines American and European data protection attorneys, privacy professionals, and IT security experts. VeraSafe is dedicated to providing industry-leading privacy and security advice that matches the budget, risk tolerance, and needs of each client we serve.

With its focus on European privacy and cybersecurity law, VeraSafe provides a complete solution for your organization’s compliance with the GDPR. VeraSafe can assist you with identifying the precise extent of the GDPR’s applicability to your organization and provide expert support to operationalize your complex obligations under the law.

Contact VeraSafe today to learn more about our complete set of solutions for your organization’s GDPR compliance needs.
