04 Mar Creating a GDPR-Compliant Privacy Policy for Your Small Business
Last week, we raised a question that has been tickling the back of small business owners’ minds for months: you have heard about GDPR, but what should you be doing to ensure that your business is compliant? Of course, the General Data Protection Regulation (GDPR) is pretty complex, but there are some simple shifts that small businesses can make to stay in compliance.
If you missed last week’s article, you can read it here for an overview of GDPR and how it applies to small, creative businesses. One of the suggestions we made in that article was to create and publish a GDPR-compliant privacy policy for your business. A clearly-articulated and complete privacy policy will provide the transparency required under GDPR and build trust with your customers.
Who needs a GDPR-compliant privacy policy?
If you are what GDPR considers a “data controller,” you need a written privacy policy that communicates your business’ approach to collecting, storing, and using customer data. Under GDPR, a data controller is the organisation that decides why and how personal data is processed; in practice, that means any business that collects personal information about its customers or prospects. Personal data is a broad term, but it includes things like names, email addresses, IP addresses, age, gender, and much more. Even the cookies set by your business’ website may be enough to make your business a data controller. For our purposes, if your business sends an e-newsletter, collects customers’ payment information, or has a website, you are probably considered a data controller under GDPR.
When and where do you need to provide a privacy policy?
GDPR requires that data controllers provide their written privacy policy at the time they collect personal data from data subjects. For most small businesses, it is easiest to post your privacy policy on your website and then direct customers to that policy whenever data is being collected. Make sure that the privacy policy is easy to access, does not require the potential customer to provide any personal information to reach it (for example, do not keep your privacy policy behind a login requirement), and can be downloaded and printed for the customer’s convenience.
What is included in a comprehensive privacy policy?
One of the key principles of GDPR is that businesses must inform consumers about why they are processing personal data and how long it will be stored. At its core, this principle is about transparency. GDPR does not set fixed retention periods or prescribe specific uses; it requires that data be kept no longer than necessary for the stated purpose and used only for that purpose. What it does mandate is that consumers be told these things up front and, where consent is the legal basis for processing, asked for that consent before their data is used.
A comprehensive privacy policy doesn’t need to be long or packed with legalese. In fact, it’s better if it is kept short, simple, and easy to understand. However, it should at least include the following information:
- Who is collecting the data?
- What data is being collected?
- What is the reason the data is being collected?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored?
- How can a data subject withdraw consent, or ask for access to, correction of, or deletion of his or her data?
- How can the data subject raise a complaint or ask questions about data storage, including with the relevant data protection supervisory authority?
To be clear, a privacy policy is an external document provided to the public. This document does not need to include instructions to your employees about how data should be handled or what to do in the case of a complaint. That information is better reserved for an internal data protection policy.
Ask for Help! We are Here for You!
Still unsure about GDPR and what it requires of your small business? We wrote a more comprehensive article about GDPR and small business that you can access here. You can also sign up for a more in-depth conversation about how GDPR impacts your specific business by scheduling an appointment here. Our experienced and knowledgeable business attorney is dedicated to making your business a success. Feel free to reach out!