As privacy laws get tougher, consumers are learning more about their data protection rights, and have higher expectations about how their personal data should be treated.
You might be spending time and resources producing policies connected with data protection, such as a Data Protection Policy and a Data Breach Notification Policy. You may have appointed a Data Protection Officer, or be keeping data processing records.
Privacy and data protection are becoming more and more important. One way you can showcase the efforts you're taking in this area is to create a GDPR Compliance Statement.
- 1. The Importance of a GDPR Compliance Statement
- 1.1. Is a GDPR Compliance Statement Required by Law?
- 1.2. Your Data Protection Reputation
- 2. What to Cover in Your GDPR Compliance Statement
- 2.1. What is the GDPR?
- 2.2. Your Company's Commitment to Privacy
- 2.3. Scope of Compliance
- 2.4. Company-Wide Personal Data Review
- 2.5. Updates to Policy Documents
- 2.6. International Data Transfers
- 2.7. Working With Other Companies
- 2.8. Technical Security Measures
- 2.9. Risk Assessments
- 2.10. Data Breach Notification Policy
- 2.11. Consent Review
- 2.12. Facilitating User Rights
- 2.13. New Appointments
- 3. Summary
The Importance of a GDPR Compliance Statement
If you're taking steps to comply with the EU General Data Protection Regulation (GDPR), you should be proud of this. Let's face it: the GDPR is demanding. A lot of work can be required to comply.
A GDPR Compliance Statement is your opportunity to shout about your good data protection practices. It can contain information about:
- The steps you have taken to review what personal data you're holding in your company's systems
- What your company is doing to ensure it collects consent in accordance with the GDPR's high standards
- The measures you have taken to improve your company's transparency
Ultimately, it's totally up to you what you include in your GDPR Compliance Statement. It should be an honest account of whatever you've done to meet your obligations, written for your customers or clients in your brand voice.
Is a GDPR Compliance Statement Required by Law?
The GDPR requires a lot of things, but a GDPR Compliance Statement isn't one of them. However, creating such a document can be a highly beneficial exercise.
As we've mentioned, a GDPR Compliance Statement can help you make a good impression on your customers. Your customers will be more confident in providing you with personal data if they can see that you'll keep it safe.
But of equal if not greater importance is your reputation among other businesses.
Your Data Protection Reputation
The GDPR requires that companies do not share personal data with another business unless that other business is fully GDPR-compliant. This is especially important where a data controller (who usually has a direct relationship with consumers) passes personal data onto a data processor (who processes data on a data controller's behalf).
At Article 28 (1), the GDPR requires that data controllers only work with data processors that provide "sufficient guarantees [...] that processing will meet the requirements of this Regulation."
And according to Article 28 (3)(h), a data processor must provide their data controllers with "all information necessary to demonstrate compliance" with the GDPR.
Plus, where data processors share personal data with other "sub"-processors, Article 28 (4) states that "where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable" for this.
In other words: other companies may not want to work with you if you can't demonstrate what you're doing to comply with the GDPR. You could wait for them to ask, but why take that risk? By that point, you may have already lost their business.
A GDPR Compliance Statement is your opportunity to take the initiative and provide this essential information up front.
What to Cover in Your GDPR Compliance Statement
Broadly speaking, when explaining your progress towards GDPR compliance, you'll want to address:
- What you're planning to do
- What you're doing
- What you've done
This document will be totally unique to your company. But here are some sections from real GDPR Compliance Statements. You can consider which of these sections are relevant for you.
What is the GDPR?
Introduce your GDPR Compliance Statement by providing a little context. What is the GDPR, and why are you striving to comply with it?
Here's an example from AllClients:
A simple summary to inform your customers in a basic way is sufficient here.
Your Company's Commitment to Privacy
Here's your opportunity to tell people how committed you are to protecting your users' personal data and obeying the law. This can also serve as another way to introduce your compliance efforts.
Here's how eBay sets out its commitment to data protection law in a short yet clear statement:
Scope of Compliance
You may wish to define the extent of your company's compliance with the GDPR by listing those activities you engage in that are covered by the law. This will include anything you do that requires the processing of personal data, for example:
- Collecting personal data from your customers
- Collecting personal data about your customers
- Storing personal data electronically and physically
- Sending direct marketing and running personalized ads
- Analyzing sets of personal data
This could be a very long list, depending on the nature of your business.
Here's an example of a Scope section from 4-Thought Professional Services:
Company-Wide Personal Data Review
Very often, a company will begin its process of GDPR compliance by conducting a review or audit of what personal data it holds, what personal data it is collecting, and with whom it is sharing personal data.
If you haven't yet carried out such a review, it is strongly recommended that you do so. You can use your GDPR Compliance Statement to report this to your customers.
Here's where it's mentioned in Big Bear's GDPR Compliance Statement:
Updates to Policy Documents
A big part of GDPR compliance is updating your policies and documentation. This serves two functions:
- You can make sure they include all the information that's required under the new law
- You can ensure that they are written in sufficiently clear and accessible language (which is itself a legal requirement)
This will be another step you have taken, or will take, towards GDPR compliance, and so it deserves a place in your statement.
Here's where Jones Buttons mentions updating its policies in its GDPR Compliance Statement:
International Data Transfers
Transferring personal data outside of the EU is subject to strict rules. Wherever an international transfer of personal data occurs, it must be subject to certain specific safeguards.
If you're an EU-based company, it's a good idea that you review all relationships you have with non-EU data processors and organizations to whom you might transfer personal data. Then you can reassure your customers that you have done this.
Here's how Spiro does this:
If you're a non-EU company, you need to consider your basis for transferring personal data outside of the EU. There are a number of approaches you might take to ensure compliance.
For example, you may be based in a country that the European Commission has deemed "adequate" for transferring personal data. If so, this is definitely worth promoting.
Canada Life is based in an approved country (Canada, obviously):
Companies based in the United States can certify with the Privacy Shield framework to allow for international transfers. If you're part of this scheme, it's important to mention this in your statement.
Here's how Lifesize does this:
There are other ways to arrange international data transfers, such as by using standard contractual clauses. Whatever methods you use, make sure your customers know about them.
Working With Other Companies
We've looked at how important a GDPR Compliance Statement can be in the context of companies working together to process personal data. This issue should form an important part of your compliance statement.
You'll want to reassure your customers that you have conducted the relevant checks, and that you only enter into data processing relationships where there is a Data Processing Agreement in place.
If you're a data controller, you call the shots on what happens to the personal data you collect from your customers. So it's important you choose wisely when deciding which data processors you want to work with.
Part of Nest's GDPR compliance process was to review their relationships with third parties.
Here's how Nest explains this in its GDPR Compliance Statement:
If you're a data processor, you may have produced a standard Data Processing Agreement to offer to your clients. Many data controllers will be reassured by this, so it's important to mention it as the example above does.
You need to show that you've done the necessary work to comply with the GDPR's data-sharing obligations, whether you're sending or receiving personal data.
Technical Security Measures
The GDPR's concepts of "privacy by design" and "privacy by default" require you to build data security measures into your systems. There are countless ways you can do this, and a lot will depend on the individual context of your business.
You may already be doing a lot of what the GDPR requires in this area. Don't neglect to mention this existing good practice in your GDPR Compliance Statement.
Frost & Sullivan provide a long list of security measures they have implemented:
This is an impressive list, but there are other measures you can take that are more basic but still effective.
For example, Sei Mani mentions that they are certified to ISO standards:
Note that ISO certification alone is not sufficient for GDPR compliance.
Another example of a measure you might take is using Secure Sockets Layer (SSL) encryption. Cyprus Best Companies mentions that it uses this technology (among other measures) in its GDPR Compliance Statement:
Risk Assessments
The GDPR sets out a specific process by which to assess the risk involved in data processing projects. This is called a Data Protection Impact Assessment (DPIA).
Because assessing risk and privacy impact is such a crucial part of GDPR compliance, you should let people know that you intend to carry out a DPIA wherever appropriate. This is particularly important if you're likely to engage in the sort of project for which a DPIA will be necessary.
Here's how Helpjuice explains its commitment to conducting DPIAs where required:
Data Breach Notification Policy
Data breach reporting has gone through the roof since the GDPR came into force, with around 60,000 breaches reported in the first eight months.
This is, in part, because companies are more aware of their reporting obligations. Data Protection Authorities are much more likely to be lenient with companies who are upfront about cybersecurity issues.
If you've introduced a new Data Breach Notification Policy, or if you already have one that complies with the law, be sure to mention this in your GDPR Compliance Statement.
Here's an example from Pulsar:
Consent Review
The new, higher standard of consent was one of the GDPR's headline provisions. This requires many companies to:
- Find new, compliant ways of requesting consent
- Stop processing personal data where consent has been obtained in a non-compliant way
This is something that affects many companies, and there are serious consequences for getting it wrong. Therefore, it's worth mentioning any changes you're making to bring your consent-requesting practices up to date.
Here's an example from SNOMED International:
Here's how Assenty explains the implications that its new approach to consent will have on its users:
Facilitating User Rights
The GDPR gives people in the EU new, enhanced rights to access, modify and delete their personal data on request. Data controllers must be able to show how they are facilitating these rights.
You don't need to have a fancy system set up for this. You can simply supply an email contact by which users can make such requests. But if you have gone the extra mile, you'll definitely want to let people know about this.
Getinge uses its GDPR Compliance Statement to tell users about its data subject rights request form:
Data processors can make life easier for their data controllers by integrating systems for facilitating data rights. Here's how HTK's GDPR Compliance Statement explains HTK's new system to help clients manage subject access requests (SARs):
New Appointments
If you've appointed a Data Protection Officer, or you already had one before your GDPR preparations began, use your GDPR Compliance Statement to introduce them to the world.
Here's how Exclaimer does this:
And here's another example from Helen Arkell Dyslexia Charity:
Summary
Make sure everybody knows that they can trust your company with their personal data. Your GDPR Compliance Statement is your chance to tell your customers, clients, and Data Protection Authority what you're doing to comply with the law.
Some important sections include:
- A brief explanation of the GDPR
- Your privacy commitment and values
- The scope of your GDPR compliance
- Company-wide personal data review
- International data transfers
- Updates to policy documents
- Working with other companies
- Technical security measures
- Risk assessments
- Data breach notification policy
- Consent review
- Facilitating user rights
- New appointments