Privacy Policies Built for GDPR Compliance

Updating Your Privacy Policy for GPDR Compliance

Privacy policies are critical to GDPR compliance efforts, as this statement or notice explains how an organization handles personal data. We know that in order to comply with GDPR, a privacy policy should be concise and written in clear, plain language. However, in the weeks since GDPR became enforceable, many privacy policies are not meeting these requirements. This may be due to organizations rushing to create what they believe to be GDPR-compliant privacy policies but has resulted in quite the opposite. We’re seeing privacy policies that have a higher reading level, longer word count, and longer reading time, making them much more difficult to understand than before GDPR when into effect. So, what specific elements should a GDPR-compliant privacy policy include to avoid these pitfalls?

What Should GDPR-Compliant Privacy Policy Include?

According to Article 13 under Section 2 of GDPR, “Information and Access to Personal Data,” states the required information that should be provided when personal data is collected from a data subject. Following Article 13’s guidance and others, we’ve compiled a checklist that will give your organization over 20 items to consider when creating or updating your privacy policy in order to help guide you toward a GDPR-compliant privacy policy.

To ensure fair and transparent processing, the law states that privacy policies must demonstrate the following:

  • Identify the data controller
  • Identify the data protection officer
  • Define the purposes of processing
  • Define the legal basis for processing
  • When “legitimate interests” are your legal basis for processing, describe the legitimate interests for processing
  • Describe the recipients or categories of recipients of personal data
  • If applicable, identify any intent of international transfers of personal data
  • If applicable, identify safeguards for international transfers of personal data
  • Define the data retention period
  • Describe data subjects’ right of access to personal data

Want the full checklist?


Download Now

The Cost of GDPR Non-Compliance: Fines and Penalties

The EU’s General Data Protection Regulation (GDPR) is a top regulatory focus, and for good reason. Organizations across the globe are mapping their data, updating their privacy policies, updating contracts, reviewing their data collection processes, and trying to figure out whether they are data controller or processor – all to avoid the severe consequences of GDPR non-compliance. Not only are the requirements and scope for this data protection law extremely broad, but the fines and penalties that organizations could face for GDPR non-compliance are unlike any fines and penalties imposed by a regulatory body before.

GDPR Fines and Penalties

Organizations that have grown used to being slapped with minor fines for data breaches or misusing consumers’ data will no longer be able to put the security and privacy of their consumers’ data on the back burner. To gain GDPR compliance, organizations who market, collect, use, or store consumers’ personal data must make the security and privacy of consumers’ data a top priority, or be faced with the severe consequences of GDPR non-compliance. GDPR is equivalent to a US Federal Law, and GDPR non-compliance can lead to fines of up to €20 million or 4% of annual global turnover – whichever is greater.

Fines and Penalties

  • €20 million or 4% of annual global turnover – whichever is greater.


For example, Hilton – one of the largest hotel and resort chains in the world – was fined a mere $700,000 for a data breach that caused the information of 350,000 cardholders to be exposed. That’s a fine of just $2 per person affected by the breach. Considering that Hilton’s annual global turnover for the previous year was $10.5 billion, the company could have been fined a maximum of $420 million for the breach under the GPDR’s harshest fine. That’s a fine of $1,200 per person affected. For data controllers like Hilton, as well as data processors, understanding the consequences of GDPR non-compliance is crucial. A $700,000 fine for Hilton presumably didn’t impact the organization much, but a $420 million fine would have had much more severe implications.

Want to learn what fines and penalties will be enforced for GDPR non-compliance? Need to know what to do if your organization violates multiple GDPR provisions? Ready to learn what your organization can do to reduce the maximum fines?

Get the full report.


Download Now

10 Key GDPR Terms You Need to Know

The most common questions we receive regarding GDPR compliance are all related to terms and definitions. Controllers, processors, processing, sub-processor, joint controller, controller-processor – there’s so many complicated, similar GDPR terms. If you’ve been confused by what terms mean and which definitions are vital to the compliance process, you are not alone. What’s your organization’s role? Who enforces GDPR? What kind of data is covered under the law? What kind of person is covered under the law? Understanding key GDPR terms will help you be able to answer these important questions and help you begin your GDPR compliance journey.

Key GDPR Terms Defined

Perhaps two of the most ambiguous terms associated with GDPR are data subject and personal data. Let’s take a look at what each of these terms mean.

Data Subject: Some may assume that “data subjects” means EU citizens, but the explicit language of the law applies to processing the personal data of “data subjects in the Union” which could cover tourists, non-citizen residents, international students, and much more. Because GDPR uses informal descriptions for the term “data subject,” the public has been left with varying interpretations and significant challenges. We generally see five definitions proposed for data subjects:

  1. A person located in the EU,
  2. A resident of the EU,
  3. A citizen of the EU,
  4. An EU resident/citizen physically located anywhere in the world, or
  5. A person whose personal data is processed within the EU, regardless of that person’s location.

Organizations should closely monitor regulatory and legal developments related to the definition of “data subject.”

Personal Data: Per Article 4(1), personal data is any identifiable information related to a data subject. For example: name, geographic location data, email address, IP address, photographs, video or voice recordings, biometric data, or an online identifier of the specific physical, physiological, genetic, mental, economic, cultural, or social identify of a data subject.

Download the full list of key GDPR terms.

Download Now

Which GDPR Requirements Do You Need to Meet?

GDPR Requirements for Data Controllers and Processors

The first step towards GDPR compliance is determining your organization’s data role – are you a data controller or a data processor? Determining your role under GDPR can be challenging because of textual and practical ambiguity, but identifying your role is the starting point for determining which GDPR requirements your organization must follow.

What are the responsibilities of data controllers? A data controller determines the purpose and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization takes on the responsibilities of a data controller.

The Information Commissioner’s Office (ICO) guidance related to determining purposes of processing personal data says that if you are the decision-maker on any of the following items, then you are subject to the responsibilities of data controllers:

  • Who decides to collect the personal data in the first place and the legal basis for doing so?
  • Who decides which items of personal data to collect?
  • Who decides what methods to use to collect personal data?
  • Who decides the purpose(s) that the data are to be used for?
  • Who decides which individuals to collect data about?
  • Who decides whether to disclose the data, and if so, who to?
  • Who decides whether subject access and other individuals’ rights apply (i.e. the application of exemptions)?
  • Who decides how long to retain the data or whether to make non-routine amendments to the data?

According to the guidance on principles regarding the means of processing personal data, data controllers may determine:

  • What IT systems or other methods to use to collect personal data
  • How to store personal data
  • The detail of security surrounding the personal data
  • The means used to transfer personal data from one organization to another
  • The means used to retrieve personal data about certain individuals
  • The method for ensuring a retention schedule is adhered to
  • The means used to delete or dispose of personal data

What are the responsibilities of data processors? The law defines a data processor as the natural or legal person that processes personal data on behalf of a data controller. Processing is essentially anything done to personal data, including storing, archiving, or reviewing. Data processors cannot process data without the authority of the data controller and must provide sufficient compliance guarantees to data controllers.

Once you understand what your organization’s role is under GDPR, the next step is understanding which GDPR requirements apply to you. GDPR requirements depend on roles; requirements are different for controllers versus processors versus a controller-processor. In this white paper, you’ll learn which requirements apply to data controllers, which apply to data processors, and which apply to both. Let’s find out which GDPR requirements apply to your organization.


Learn More About the Requirements.


Download Now

GDPR Readiness: Whose Data is Covered by GDPR?

Data FAQs for GDPR

Ready to learn what constitutes a data subject and personal data under GDPR? Mark Hinely joins us in this webinar to discuss!

Who is a Data Subject?

The definition of a data subject under GDPR is one of the most confusing aspects of the law. There’s no formal definition, inconsistent terms within the law, no formal guidance from Article 29 Working Party, and the supervisory authority guidance is dated. So how do organizations determine who data subjects are? The different interpretations of the law say:

  • A data subject is anyone physically within the borders of the EU whose data is being processed while that individual is physically within the Union.
  • A data subject is anyone who formally resides within the EU, regardless of citizenship, while that individual is physically within the Union.
  • A data subject who has formal citizenship in the EU while that individual is physically within the Union.
  • A data subject is anyone who has residency/citizenship in the EU whose data is being processed, regardless of where the resident/citizen is physically located at the time of processing.
  • A data subject is anyone whose personal data is located in the EU, regardless of the residence, citizenship, or physical location of the data subject.

Those interpretations create some confusion, right? There’s some overlap, some questioning. The law is not clear. Reasonable, educated people disagree on the interpretation of what a data subject is under GDPR. We’re here to show you what those different interpretations are and show you what the issues are.

What is Personal Data?

Under GDPR, personal data is any information relating to an identified or identifiable person (data subject), who can be recognized by identifiers like a name, an ID number, location data, or physical, physiological, genetic, mental, economic, cultural, or social identity. Personal data depends on what type of data element it is, the context, and reasonable likelihood of identification. There are logical and legal considerations that apply to the definition of personal data under GDPR.

Listen to the full webinar to educate yourself on who a data subject is under GDPR and if the data you control or process is personal data. For more information on GDPR readiness, contact us today.

More GDPR Resources

GDPR Readiness: What, Why and Who

GDPR Readiness: Are you a Data Controller or Data Processor?