GDPR Privacy Policies in 2022


In May of 2022, the EU published brand new guidelines on administrative penalties related to General Data Protection Regulation (GDPR) infractions.

To say that the results were frightening to some companies would be an understatement. For the worst infractions, medium-sized businesses could face fines in the six- to seven-figure range. This means that the wrong privacy breach, the wrong set of disclosures, or the wrong privacy lawsuit could simply bankrupt a company.

Now more than ever, it’s important to get your company’s GDPR-compliant privacy policy in order. So let’s go over some quick tips, and then discuss how you can get help with U.K., E.U., and global compliance.

Who Is Required To Have A GDPR Privacy Policy?

First, it’s important to point out: This does not constitute legal advice, and a qualified legal professional should be consulted if necessary.

With that in mind: Any business with an online presence that is based in the U.K. or the E.U., or any business that has a significant customer base in the U.K. or E.U., should have a GDPR-compliant privacy policy on its website and available to view in its apps.

You’ll want links to this privacy policy within your menu system, as well as in any footer navigation that your website might have. If access to the policy is deemed to be obscured or hidden (either because the link is hard to find or because other features pop up to block it), that can result in a violation and a fine.

You can, and probably should, link to the privacy policy whenever people are using or opting into a service that will collect their personal information: contests, mailing lists, first visits to the website, contact forms, and the like.

What Belongs In A GDPR Privacy Policy?

You can find all manner of templates and privacy policy builders online, such as on the ICO website. But it’s the tailoring of such a policy for your business that can prove to be a challenge.

First you need to state your company’s legal name(s) and the country in which it is headquartered. Then you need to state the legal basis on which you’re collecting personal information, according to Article 6 of the GDPR. That basis might be consent, a contract between individuals, the client’s benefit and protection, or one of a number of other conditions listed in the statute.

Broadly speaking, the contents of a GDPR privacy policy must include, at minimum:

  • A summary of the technical and personal data that is being collected.
  • A detailed list of the technical and personal data that gets passed on to third parties.
  • Details about the storage of personal data, including location, backups, and duration.
  • Any third party cookies, browser fingerprinting, online advertising, and the like.
  • The use of Google Analytics or other analytics tools, and which parties have access.
  • Some means to review the data collected and get personal data erased.
  • Contact methods that allow users to inquire about their personal information.

These are important details because they help with compliance with Articles 15, 16, and 17 of the GDPR. But remember that each country might have additional elements that need to be included in a privacy policy, so consult the appropriate regulator as needed.

Including Contact Information

There are two types of contact information that must be included in a GDPR-compliant privacy policy.

The first is company contact information that will allow people to reach someone who can help them with their privacy and GDPR-related concerns. This should include the name of the individual to address the query to, the address of the company branch where they can be reached, a telephone number, and an e-mail address.

The second is Data Protection Officer (DPO) contact information. If your company is big enough or involved in specific types (or volumes) of data processing, you might need a dedicated DPO. The E.U. guidelines for DPO selection are here. If your company has a DPO, their contact information must also be listed within the privacy policy.

Getting Help With GDPR Compliance

GDPR compliance goes far beyond a simple (or not-so-simple) privacy policy, of course. There are data collection, storage, backup, and handling issues that must be addressed. With the fines for non-compliance on the rise, it might be a good idea to get a qualified professional to look at your company’s GDPR compliance situation.

VitrX can help. Our IT consultancy division has done GDPR reviews as part of regular support cycles, and as a component of company acquisition. If you would like to know how we advise you and help craft your internal GDPR policies, feel free to contact us. We’ll be happy to arrange an overview of your full GDPR obligations, and help put together an action plan.
