A GDPR Compliance Statement is a way for you to inform people about the actions your organization takes to meet the high standards of the GDPR, i.e. securing users’ personal data. It is written in clear, simple language that avoids legal jargon and technical terminology.
In this blog, you will find a general overview of the GDPR compliance statement and a checklist for creating it for your business.
What is a GDPR compliance statement?
A GDPR Compliance statement is a public document outlining the measures your organization is taking or has already performed to comply with the law.
It is generally a one-page document, published on an organization’s website, that informs data subjects of the company’s commitment to data privacy and security under the GDPR. Generally, it covers:
- The technical and organizational measures deployed to meet the GDPR’s rigorous data security requirements.
- The processing obligations the data controller places on any data processors to whom it discloses customers’ personal data.
- The procedures in place to assist individuals in exercising their data subject rights.
- The automated or manual systems responsible for handling data subject access requests.
Read side by side, the definitions of a privacy policy and a GDPR Compliance Statement look much the same, but there is a difference, which is highlighted here.
Is a GDPR compliance statement required by law?
The straightforward answer is no.
This comprehensive and rigorous data protection law mandates many processing requirements, but a GDPR Compliance Statement is not one of them.
On the other hand, creating such a document can be an industry best practice for demonstrating GDPR compliance.
Therefore, what you mention in your GDPR compliance statement is entirely up to you. It should honestly explain everything you’ve done to meet your data processing obligations, written in your brand voice for your customers or clients.
In contrast to a privacy policy, which is a legal obligation, you may produce a GDPR Compliance Statement to benefit your business and reputation. Whether your customers are B2B or B2C, they will be more willing to provide you with personal information if they see that you will keep it secure.
What are the benefits of having a GDPR compliance statement?
Now we know that a GDPR Compliance Statement is not legally required. So the million-dollar question arises: why does my company need one, and what are the benefits?
Well, a compliance statement can be beneficial for a variety of reasons. Some of them are:
- It adds transparency and gains consumers’ trust for secure data processing and handling.
- It can demonstrate the data controller’s and the data processor’s compliance.
- It can serve as documentary evidence of GDPR compliance for the relevant EU or UK supervisory authority.
Let’s understand each scenario by taking an example.
1. It adds transparency and gains consumers’ trust for secure data processing and handling.
In terms of building consumer trust, a compliance statement is relatively straightforward. Because your consumers will not grasp the legal and technical terms, they will not enjoy reading your policies. A GDPR compliance statement therefore serves as a short notice stating, in clear and straightforward terms, that you are adhering to the GDPR’s rules and regulations. The document should be user-friendly, so that everyone concludes that you take data privacy concerns seriously and that you allow your users to exercise their data subject rights.
2. It can demonstrate the data controller and processor’s compliance.
As for proving compliance for data processors, every business that shares personal data with another must be able to show that it has investigated that company’s data security and privacy posture.
Any consumer or organization that wants to work with you will most likely investigate not only your data security standards but also those of your affiliates. What do you want them to find if they ask for evidence about your affiliates? You risk losing their business if they cannot locate anything relevant.
A GDPR compliance statement confirms that all of your affiliates, meaning your data processors and sub-processors, are acting on your instructions and that you have mandated the applicable GDPR data processing standards, such as not sharing data with anyone without prior approval, deleting data as soon as the purpose of processing is achieved, and deploying appropriate security controls to protect personal and sensitive data.
3. It can serve as documentary evidence of GDPR compliance for the relevant EU or UK supervisory authority.
The data protection supervisory authorities are established in each European Union member state and the UK. While they are unlikely to ask you to create a public-facing GDPR Compliance Statement, they may want you to explain what you are doing to meet your legal requirements.
When dealing with non-compliant data processing activities, data protection authorities have several measures available, ranging from technical assistance and warnings to significant financial penalties. A GDPR compliance statement helps this process go smoothly by showing that the organization took the path towards compliance and identified its gaps, which helps avoid the consequences of non-compliance.
This will also demonstrate that your company values transparency, because it informs all data subjects about how their data is handled.
Given these benefits, a GDPR Compliance Statement is an excellent way to demonstrate to other businesses, consumers, and authorities that your organization is on the right track and making significant steps toward
Checklist to write a GDPR Compliance Statement (GDPR statement examples)
Since a GDPR Compliance Statement is recommended but not compulsory, the regulation does not require adopting any specific sections.
However, you should ensure it accurately reflects your organization’s governance policies and data privacy and compliance commitment.
You should include a few clauses to improve the document’s effectiveness. Note that not all of them will apply to your organization, and you may wish to add extra clauses:
1. A brief explanation of the GDPR
Start your GDPR Compliance Statement by providing some context: what exactly is the GDPR, and why are you working so hard to comply with it? If your company is based in the UK, also elaborate on compliance with the UK GDPR and the impact of Brexit.
Here is an example of the GDPR statement:
A summary will be sufficient to notify your customers in an introductory manner.
2. How your company is preparing for GDPR
This is a chance to show your customers how serious you are about protecting users’ personal information and following the law. You may elaborate on all the policies and procedures you have in place to address security and privacy in your company. This section can also introduce the steps toward GDPR compliance you are taking and how you are embedding data privacy into your operations.
Because a GDPR compliance statement is a one-page document, you must ensure that all the detailed information is consolidated into a brief graphical representation or a table that is easy to grasp.
Here is an example to describe all the data protection commitments a company has taken in a short yet clear format:
1. Data governance structure
- We created a dedicated data privacy department to handle the GDPR compliance strategy.
- We appointed an independent Data Protection Officer (DPO).
- We conducted a business impact analysis on critical products.
- We launched an internal Privacy and Security Awareness programme.
- We conducted internal and external Data Protection Impact Assessments.
2. Policies and procedures
- We created a policy on Data Protection.
- We created a policy on Data Retention.
- We created a policy on Information Security.
- We created a policy on Cookie collection.
- We created a plan for data breach and incident response.
- We adopted a risk management methodology that considers personal data in order to identify and manage threats across the board.
- We ensure that personal data protection requirements are incorporated into contracts and agreements with third-party service providers and vendors.
3. Embedding data privacy and security into operations
- We conducted a data mapping inventory and data classification across our systems.
- We created procedures and policies to limit the handling of personal data.
- We deployed automated procedures to track personal data transfers within and outside our systems.
- We created a privacy dashboard for customers.
3. The scope of data processing practices
You may want to specify the scope of your company’s GDPR compliance by outlining the legally defined actions. This includes anything you do that involves the processing of personal data, such as:
- Obtaining personal information from your customers
- Obtaining personal information about your consumers
- Personal data storage, both electronically and physically
- Direct marketing and tailored advertisements
- Analyzing and monitoring personal data sets
You can find an example in the picture below:
Depending on the nature of your business, the list may differ, but it should include all the activities for which you process personal data.
4. How you process personal data
It is best to describe the scope of personal data processing in which you are committed to protecting privacy and strictly adhering to all the relevant provisions of the GDPR. You should further inform your customers that all personal data is treated in accordance with the principles set out in the regulation, which state that personal data shall be:
- Processed lawfully, fairly and transparently.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.
The picture below gives an example of writing this clause:
5. International transfers
Personal data transfers outside the EU or UK are subject to international data transfer rules. Wherever there is an international transfer of personal data, specific adequate measures must be in place, for example, transfer based on an adequacy decision, standard contractual clauses, binding corporate rules or derogations.
Suppose your company is established in the EU or UK and transfers personal data internationally to partners or third parties. In that case, you should assess all ties you have with non-EU/UK data processors (specifically those in the US) and with organizations to which you may send personal data.
If your company transfers data within the EU or UK, you may state that you have adopted the Article 29 requirement, i.e. that the relevant data processing agreements are in place.
Let’s take an example from the picture below:
Whatever methods you employ, ensure your customers are aware of international data transfer policies.
Here is an example of the above clause:
7. Contact information
You should give the contact information of your data privacy department or the relevant point of contact, so that your customers can reach out with any queries or questions. The contact details could be a generic email address, if your company’s privacy department has one, or the official email address of the employee responsible for handling privacy-related customer complaints.
If your company does not have a separate data privacy department, you may instead give the contact details of your data protection officer, i.e. an official email address or a contact number.
Here is an example of the above clause:
Note: The contact details in the above example are dummy data.
The GDPR compliance statement is an opportunity to inform the data subjects, i.e. an organization’s customers, clients, and the relevant EU or UK data protection authority, about your efforts to comply with the law.
Your GDPR Compliance Statement is not a legal requirement but does reaffirm your commitment to GDPR principles.
It does not have to be a lengthy or detailed document. It might be as simple as noting that you are aware that the GDPR applies to your company and that you aim to adopt all possible measures to meet your obligations and protect user rights.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.