Whether you actually started your business yesterday, or it just seems that way, you probably need to meet GDPR privacy standards. The General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018, is one of the strictest consumer privacy standards in the world. If you collect, store or otherwise process the personal data of people in the European Union, you need to stay compliant with the GDPR.

We’ve published several other articles about the GDPR for your edification—now it’s time to turn our attention to the GDPR and privacy policies.

Does the GDPR Require a Privacy Policy?

Generally, yes. If you do business in the European Union (EU) or collect data from EU residents, you need to have a GDPR-compliant privacy policy.

While there is plenty of nuance as to whether EU supervisory authorities will pursue small businesses outside the EU with no real ties to it, it's always best to set a standard at the beginning of your operations. The sooner you get into GDPR compliance, the sooner your business can expand to new locations.

How Do You Include the GDPR in a Privacy Policy?

While the GDPR is complex, there are certain elements you should include:

  • Who is collecting the data: Article 13 requires you to provide “the identity and the contact details of the controller and, where applicable, of the controller’s representative,” plus the contact details of your data protection officer if you have one. In practice, this means naming your company and the specific person or mailbox responsible for answering GDPR inquiries.
  • Why you’re allowed to collect the data: Article 6 sets out six lawful bases for processing personal data, and Article 13 requires you to state which one you rely on. Two of the most common are “consent” and “legitimate interests”; if you rely on legitimate interests, you must also say what those interests are.
  • Why you’re collecting the data: Next, you’ll need to state the purposes of the processing. One of the most common purposes is sales and marketing: for instance, you might collect email addresses for marketing lists.
  • What kinds of data you’re collecting: Users must be told what categories of personal data you collect, whether that’s tracking cookies, email addresses or more sensitive data such as health or financial information.
  • How long you’re storing the data: You must also state the retention period or, if no fixed period exists, the criteria used to determine it, for instance that you purge your email list of people who unsubscribe. It’s wise to set an outer limit as to how long any data will be stored.
  • Whether you’re internationally transferring the data: If you plan to transfer the data to a country outside the EU/EEA, even if that means within your own organization or to a regular third-party vendor, you must say so in your privacy policy and explain the safeguard relied on, such as an adequacy decision or standard contractual clauses.
  • If you use the data in automated decision-making: Companies that use personal data for automated decision-making, including profiling (for instance, credit scoring), must tell the user that this happens, give meaningful information about the logic involved and explain the significance and likely consequences for them.
  • With whom you share the data: The recipients, or categories of recipients, of the data must be listed. If you plan to sell or otherwise share the data, that needs to be clear in your privacy policy.
  • The data subject’s rights: The GDPR requires you to inform the user (the data subject) of their rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and the right to object, along with the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.
  • Ways of informing the user when the policy has changed: This is one of the simplest requirements. Article 13(3) obliges you to inform data subjects before you process their data for a new purpose, so state how you’ll tell your users when your privacy policy changes. This could be as simple as a website notification or an email to your list.

Sample GDPR Privacy Policy Templates

There are plenty of sample GDPR privacy policy templates available. Here are a couple to get you started:

SixFifty has the Solution

Of course, the best GDPR privacy policy is one that’s customized to your company’s specific structure and needs. Many businesses put off GDPR compliance for too long. Whether they’re just starting out or they don’t think they’ll collect data from people in the EU, they find themselves scrambling to comply with international standards.

Fortunately, SixFifty can help! Our proprietary legal technology is designed to make regulation compliance easier than ever. Simply answer a few questions about your company, and our software will automatically generate a comprehensive GDPR privacy policy for your entire organization. We’ve paired up with top lawyers and programmers to make legal assistance accessible to everyone. 

No matter how large or small your business, SixFifty’s solutions can help. 

If you’re ready to get started or have further questions, schedule a demo with SixFifty today.


Written by Meili Bell

Meili Bell is the Content Manager at SixFifty. She spends her workdays writing, editing, project managing and reading about the intersection of law and technology. Meili comes to SixFifty from Gifted Music School, a nonprofit music school for the most dedicated young musicians in the region, where she was program director of the school’s flagship program for the last ten...