GDPR privacy policy checklist GDPR | Lauren Pettitt | 06 April 2018

What areas should organisations cover in their privacy policies?



Use the following checklist to help you:

1. Identify the data controller (i.e. the organisation) and provide the name and contact details of the Data Protection Officer (or other nominated person given that responsibility)

2. How do you collect personal data (e.g. on-line, face to face, over the phone, in writing, etc)?

3. Do you source any personal data from publicly available sources and/or from third party data vendors? What do you know about how that data was collected and how the individual data subjects were informed about what would happen to their personal data?

4. Explain what personal data you are collecting (i.e. the type of data routinely collected; for example, this could include postal address, email, credit card details, date of birth, etc.).

5. Purpose: outline what you intend to use the data for. For example, is it to provide a service to individuals, to send marketing communications to them (where they have agreed for you to do so) and/or for administrative purposes, etc.?

6. Detail each of the individuals’ rights, where relevant (i.e. to withdraw consent, to object to processing, to request rectification/erasure, data portability, submit a Subject Access Request). Ensure you have clear and easy ways for individuals to exercise these rights.

7. Explain that people have the right to lodge a complaint with a supervisory authority. In the UK this would be the ICO, so consider providing their contact details (e.g. a link to their website).

8. What legal basis are you relying on to process the personal data? (e.g. consent, contract, legal obligation, public interest, vital interests or legitimate interests)

9. If you are relying on legitimate interests, explain what they are.

10. Provide assurances that appropriate safeguards are in place to ensure personal data is kept secure.

11. Consider whether any data is stored or handled outside of the EEA (European Economic Area). If it is, state where and what safeguards are in place to keep it secure. For example, if you share personal data with suppliers outside of the EEA, state that in your privacy policy and explain that there are always appropriate contracts in place.

12. Consider whether you are collecting special categories of personal data and/or children’s data. If so, explain what extra measures you have in place to offer assurances that it is securely protected.

13. Is the personal data shared with other organisations? If it is shared, provide details of the recipients of the data.

14. Ensure the privacy policy explains any profiling of personal data you may undertake.

15. Make reference to your organisation’s data retention policy (see the GDPR Data Retention Quick Guide).

16. If the provision of data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, ensure this is clearly stated together with any consequences of refusing to supply the data.

17. Leaving your website. Explain that any external links are not your responsibility and that once a user clicks on a link to an external site it will be subject to that organisation’s privacy policies, not yours.

18. How recent is your Privacy Policy? In line with the theme of transparency, it is good practice to mention that your privacy policy will be regularly updated, if that is true, and to detail when your policy was last updated (i.e. month/year).


Source: Data Protection Network