A GDPR Compliance Statement is a way for you to inform people about the actions your organisation has made to fulfil the high standards of the GDPR i.e. securing users’ personal data. It is written in a clear and simple language that avoids legal jargon and technical terminology.
In this blog, you will find a general overview of the GDPR compliance statement and a checklist for creating it for your business.
What is a GDPR compliance statement?
A GDPR Compliance statement is a public document that outlines the measures your organisation is taking or has already performed, to become compliant with the law.
It is generally a one-page document that is publicly shared on an organisation’s website to inform GDPR’s data subjects about the company’s commitment to data privacy and security regarding GDPR compliance. Generally, it includes:
- All the technical and organisational measures are deployed to meet the GDPR’s rigorous data security requirements.
- The data controller places the processing obligations on any data processors with whom the controller discloses customers’ personal information.
- The procedures are in place, to assist individuals in exercising their data subject rights.
- The automated or manual systems that are responsible for addressing data subject access requests.
By reading both documents’ definitions, they appear to be the same. But there is a difference that’s highlighted here.
Is a GDPR compliance statement required by law?
The straightforward is No!
As the most redundant and comprehensive, this data protection law mandates many processing requirements, but a GDPR Compliance Statement is not one of them.
On the other hand, creating such a document might be an industry best practice to demonstrate GDPR compliance.
Therefore, what you mention in your GDPR compliance statement is entirely up to you. It should honestly explain everything you’ve done to meet your data processing obligations, written in your brand voice for your customers or clients.
In contrast to privacy policies, which are a legal obligation, you may produce a GDPR Compliance Statement to benefit your business and reputation. Whether it is a B2B or B2C customer, they will be more willing to provide you with personal information if they see that you will keep it secure.
What are the benefits of having a GDPR compliance statement?
Now we all know that a GDPR Compliance Statement is not legally required. So a million dollar question arises i.e. why my company needs to have one and what are the benefits.
Well, a compliance statement can be beneficial for a variety of reasons. Some of them are:
- It adds transparency and gains consumers’ trust for secure data processing and handling.
- It can demonstrate the data controller’s and the data processor’s compliance.
- It can serve as proof of document for GDPR compliance to the relevant EU or UK supervisory authority.
Let’s understand each scenario by taking an example.
1. It adds a level of transparency and gains consumers’ trust for secure data processing and handling.
In terms of building consumer trust, a compliance statement is relatively straightforward. Because your consumers will not grasp the legal and technical terms, they will be fascinated by reading your policies. As a result, a GDPR compliance statement serves as a short notice stating in clear and straightforward terms that you are adhering to GDPR rules and regulations. The document will be user-friendly so that everyone comes to the conclusion that you take data privacy concerns seriously and that you are accountable for allowing your users to exercise their data subject rights.
2. It can demonstrate the data controller’s and the data processor’s compliance.
As for proving compliance for data processors, we know that every business that shares personal data with another must be able to verify that it has investigated that company’s data security and privacy posture.
Any consumer or organisation that wants to work with you will most likely investigate not only yours but also your affiliate’s data security standards. And what do you want them to find if they request any proof of evidence for your affiliates? you risk losing their business if they can’t locate anything relevant.
A GDPR compliance statement ensures that all of your affiliates, in terms of data processors and sub-processors, are acting by your instructions and that you have mandated the applicable GDPR data processing standards, such as not sharing data with anyone without prior approval, deleting data immediately after the purpose of processing is achieved, or deploying appropriate security controls to ensure the security of personal and sensitive data.
3. It can serve as a proof of document for GDPR compliance to the relevant EU or UK supervisory authority.
The data protection supervisory authorities are established in each European Union member state and the UK. While they are unlikely to ask you to create a public-facing GDPR Compliance Statement, they may want you to explain what you are doing to meet your legal requirements.
When dealing with non-compliant data processing activities, data protection authorities have several measures available, ranging from technical assistance and warnings to significant financial penalties. So, to proceed smoothly through this process, a GDPR compliance statement would undoubtedly illustrate that the organisation took the path towards compliance and identified the gaps to avoid non-compliance consequences.
This behaviour will also demonstrate that your company adheres to transparency by informing all data subjects about their data handling processes.
By having these benefits, GDPR Compliance Statement is an excellent approach to demonstrate to other businesses, consumers, and authorities that your organisation is on the right track and making significant steps toward
Checklist to write a GDPR Compliance Statement
Since a GDPR Compliance Statement is recommended but not compulsory, the regulation does not require adopting any specific sections.
However, you should ensure that it accurately reflects your organisation’s governance policies and your commitment to data privacy and compliance.
You should include a few clauses to improve the document’s effectiveness. It should be noted that not all of them will be applicable to your organisation, and you may desire to incorporate extra clauses:
1. A brief explanation of the GDPR
Start your GDPR Compliance Statement by providing some context i.e. What exactly is the GDPR and why are you working so hard to comply with it. Also, if your company is based in the UK, then elaborate on the compliance with UK GDPR and the impact of Brexit.
Here is an example of the above statement:
A brief summary will be sufficient to notify your customers in a basic manner.
2. How your company is preparing for GDPR
This is a chance to show your customers how serious you are about protecting users’ personal information and following the law. You may elaborate on all the policies and procedures you have to address the security and privacy in your company. This can also be used to introduce the steps of GDPR compliance you may take and how you are implementing data privacy into operations.
Because a GDPR compliance statement is a one-page document, you must ensure that all detailed information is consolidated into a brief graphical representation or a table format that is easy to grasp.
Here is the example to describe all the data protection commitments a company has taken, in a short yet clear format:
1. Data governance structure
- Created a dedicated data privacy department for handling the GDPR compliance strategy.
- Appointed an independent Data Protection Officer (DPO).
- Conducted a business impact analysis on critical products.
- Launched an internal Privacy and Security Awareness programme.
- Conducted an internal and external Data Protection Impact Analysis.
2. Policies and procedures
- Created a policy on Data Protection.
- Created a policy on Data Retention.
- Created a policy on Information Security.
- Created a policy on Cookies collection.
- Created a plan for data breach and incident response.
- Having a risk management methodology that takes into consideration personal data to identify and manage threats across the board.
- Ensuring personal data protection regulations must be incorporated into contracts and agreements with third-party service providers and vendors.
3. Embedding data privacy and security into operations
- Conducted a data mapping inventory and data classification in our systems.
- Created procedures and policies to limit the handling of personal data.
- Deployed automatic procedures to track personal data transfer within and outside our systems.
- Created a privacy dashboard for customers.
3. The scope of data processing practices
You may want to specify the scope of your company’s GDPR compliance by outlining the actions that are legally defined. This includes anything you do that involves the processing of personal data, such as:
- Obtaining personal information from your customers
- Obtaining personal information about your consumers
- Personal data storage, both electronically and physically
- Direct marketing and tailored advertisements
- Analyzing and monitoring personal data sets
You can find an example in the picture below:
Depending on the nature of your business, the list may differ but it should include all the activities for which you process personal data.
4. How you process personal data
You will need to describe the scope of personal data processing in which you are committed to protecting privacy and strictly adhering to all the relevant provisions of GDPR. You will further inform your customers that you are ensuring all personal data is treated by the principles set in the regulation, which state personal data shall be:
- Processed fairly, transparently and legal advice.
- Collected for specific, unambiguous, and legitimate interests and not further processed in a way incompatible with those purposes.
- Adequate, relevant, and limited to what is required for the purposes they are processed.
- Correct and, if necessary, kept up to date.
- Kept in a manner that allows data subjects to be identified for no longer than is required for the purposes for which the personal data are processed.
- Process data in a way that ensures adequate personal data security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, by employing appropriate data security measures.
The picture below gives an example of writing this clause:
5. International transfers
Personal data transfers outside the EU or UK are subject to international data transfer rules. Wherever there is an international transfer of personal data, specific adequate measures must be in place for example, transfer based on an adequacy decision, standard contractual clauses, binding corporate rules or derogations.
If your company is established in the EU or UK and making international data transfers with partners or third parties, you should assess all ties you have with non-EU/UK data processors (Specifically with the US) and organisations to which you may send personal data.
If your company is transferring data in the EU or UK you may address that you have adopted Article 29 requirement i.e having the relevant data processing agreements.
Let’s take an example for the picture below:
Whatever methods you employ, make certain that your customers are aware of international data transfers policies.
Here is an example of the above clause:
7. Contact information
You may need to give the contact information of your data privacy department or the concerned point of contact so that your customers can reach out if they have any queries or questions. The contact details could consist of a generic email address if your company’s privacy department have one or the official email address of the employee who is responsible to deal with customer complaints related to privacy.
You may also give contact details of your data protection officer i.e. an official email address or a contact number if your company does not own a separate data privacy department.
Here is an example of the above clause:
Note: The following contact details provided in the above example is dummy data.
The GDPR compliance statement is an opportunity to inform the data subjects i.e an organisation’s customers, clients, and the relevant EU or UK data protection authority about your efforts to comply with the law.
Your GDPR Compliance Statement is not a legal requirement but does reaffirm your commitment to GDPR principles.
It does not have to be a lengthy or detailed document. It might be as easy as noting that you are aware that the GDPR applies to your company and that you aim to do adopts possible measures to meet your obligations and protect user rights.