Tips for Writing a GDPR Privacy Policy and Privacy Notice [+ Examples]


  • August 18, 2022

The European Union’s General Data Protection Regulation (GDPR) is built around transparency: people in the EU should know who is collecting their personal data, why, and what rights they have over it. That is why a privacy notice and a privacy policy are key steps in becoming GDPR compliant.

Your privacy notice explains to your users and customers what personal data your company collects, how you process it, who you share it with, and for what purposes. It lets people make informed decisions, including whether to give consent in the cases where consent is the lawful basis you rely on.

Your privacy policy is just as important — it outlines for your employees what their roles and responsibilities are when it comes to handling personal data.

In this article, we explain what goes into a privacy notice that meets GDPR requirements and how to create an effective privacy policy that helps your team stay compliant. We also share examples of privacy notices to help you write your own. 

GDPR privacy notice vs privacy policy: What’s the difference?

“Privacy notice” and “privacy policy” are often used interchangeably, even by authorities like the Federal Trade Commission. But they aren’t exactly the same thing.

A privacy notice is an external document, notifying users what data is collected and how you process their personal data. A privacy policy is an internal document, outlining how personal data is handled and protected to be compliant with applicable laws.

What do laws like GDPR and CCPA have to say about privacy notices and policies?

Both laws are primarily concerned with giving individuals insight into and control over who is collecting their data and why, so both require a notice that explains an organization’s privacy practices in plain language: GDPR lists the required contents in Articles 13 and 14, and the CCPA requires a notice at collection and a published privacy policy. A common practice is to make this notice publicly available on your website. It must also tell people how to exercise the rights each law gives them, which are not identical: under GDPR, the right to object to certain processing and to withdraw consent; under the CCPA, the right to opt out of the sale or sharing of personal information.

While both laws require organizations to put safeguards in place to protect personal data, neither prescribes a formal internal privacy policy that dictates how your team handles personal data. GDPR comes closest: Article 24(2) requires controllers to implement “appropriate data protection policies” where proportionate to the processing, and Article 30 requires most controllers and processors to keep records of their processing activities.

That said, it’s always a good idea to have a privacy policy in place to clarify for your employees exactly what their roles and responsibilities are around personal data and data privacy. An internal GDPR privacy policy establishes a written record for things like the lawful basis of processing, who your data protection officer (DPO) is and what their responsibilities are, your data processing activities, processes for data retention and transfers of personal data, and more.

What’s typically included in a GDPR-compliant privacy notice?

A typical privacy notice includes a few common elements. It usually covers: 

  • Who you are: the identity and contact details of the data controller and, if you have one, your data protection officer
  • Exactly what categories of personal data you collect, and whether you obtain it directly from the individual or from other sources
  • Why you collect it: the purposes of processing and the lawful basis for each purpose under GDPR (for example consent, contract, legal obligation, or legitimate interests)
  • How you will use the personal data you collect (e.g., for marketing purposes), who you share it with, whether you transfer it outside the EU, how long it will be kept, and how you dispose of it
  • What rights people have over their data (access, rectification, erasure, restriction, portability, objection, withdrawing consent, and lodging a complaint with a supervisory authority) and how to exercise them, including a phone number, email address, or postal address they can use to contact you

GDPR (Article 12) requires that you provide this information “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” A common practice is to publish the privacy notice on your website and link it from a highly visible place: typically the footer of every page, plus every point where you collect personal information such as names and contact details, for example sign-up and checkout forms. 

What’s typically included in a GDPR-compliant privacy policy?

While your privacy notice explains your approach to data privacy to your customers, a privacy policy is for the benefit of your employees and organization as a whole.

Also referred to as a Data Protection Policy, this internal privacy policy explains how the organization processes and protects personal data in a way that upholds GDPR requirements. It also explains why you collect this information — for example, to process customer orders, create user accounts or profiles, send marketing campaigns, or conduct surveys. 

There are no legal requirements for how you have to structure your internal privacy policy or what it needs to include. However, an effective privacy policy usually covers:

  • What type of data you collect from users, whether it’s contact information, payment information, demographic data, etc. 
  • Why you collect personal data 
  • Where you store personal data, for how long, and how you dispose of it
  • Whether you share personal data with any third parties, such as service providers, advertising partners, or business affiliates
  • How you ensure the data you collect is accurate and sufficiently protected
  • How your team should respond in the event of a data breach
  • What kinds of rights data subjects have over their personal data and how your team is expected to respond to consumer requests
  • How often the privacy policy should be reviewed and updated, and by whom
  • Who within the organization is responsible for overseeing data protection 

It’s best practice to update your privacy policy at least annually and make sure it’s easily accessible to employees. Consider including it in your internal knowledge base and ensure employees are notified whenever changes are made. 

GDPR Privacy Notice Examples

Whenever you’re creating a new policy for your business, it can be especially helpful to see examples of how other organizations have done it. Below we share a few examples of privacy notices you can use as inspiration for writing your own. 

The Walt Disney Company

The Walt Disney Company is famous for its level of personalization — whether you’re viewing one of its websites, browsing its streaming platform, or visiting its theme parks. Disney’s ability to create such detailed user experiences is based in large part on their ability to collect relevant data and tailor your experience based on your preferences and past behaviors. 

This is all explained in plain language in Disney’s comprehensive privacy notice, which includes sections on the types of personal data they collect and who they share it with. The privacy notice also includes a specific section explaining privacy protections for children and parents’ rights. 

Disney also goes the extra mile to make its privacy notice accessible to a general audience by linking legal terms like “data controller” and “personal information” and providing a simple definition.

Google

Whether you just use Google search once in a while or have a whole suite of Google apps and devices in your home, Google’s privacy notice is designed to help all levels of users understand how their personal data is collected and processed. 

Privacy policies can be daunting for uninitiated readers, and it’s clear that Google put some careful thought into helping users navigate and understand its privacy notice. It includes a table of contents so that readers can easily jump between sections, and links to other key policies including Google’s Terms of Service. 

Google also includes helpful video snippets throughout their privacy notice that quickly explain key concepts like what the privacy notice is, why Google collects user data, and what rights users have over their personal data. 

Meta 

Meta’s Privacy Center is similar to Google’s, with a table of contents for easy navigation and explanatory videos sprinkled throughout the page. Like Disney, it also includes pop-up links that answer key questions and explain core data privacy concepts in layman’s terms. 

This layout makes it easier for users to understand Meta’s overall approach to data privacy and quickly find answers to specific questions, while “Learn more” links let interested readers dive deeper into the specifics of Meta’s privacy practices.  

One thing Meta does particularly well is include specific “Take control” callouts that make it easy for users to exercise their data privacy rights. 

Get help verifying and maintaining GDPR compliance

Knowing that your policies and procedures are compliant with GDPR requirements can be tricky, especially when you’re trying to build them from scratch. 

With Secureframe, you’ll get access to a library of policy templates that have been vetted by former auditors and compliance experts. You’ll get GDPR training for employees, save time with automated evidence collection, and stay up to date with the latest GDPR requirements. Our team of experts will also notify you of any changes in regulation so you can stay compliant. 

To learn more, schedule a demo of our security and compliance automation platform.