Writing a GDPR Compliance Statement (Checklist included)


General Data Protection Regulation (GDPR) demands the implementation of numerous procedures and processes. A significant portion of this effort will be reflected in your GDPR-compliant Privacy Policy. However, a lot is going on behind the scenes.

A GDPR Compliance Statement is a way for you to inform people about your organization’s actions to fulfil the high standards of the GDPR, i.e. securing users’ personal data. It is written in clear, simple language that avoids legal jargon and technical terminology. 

A GDPR Compliance Statement, unlike a Privacy Policy, is not legally required. It is a best practice for explaining your company’s principles and demonstrating compliance to your customers, assuring them that their personal information and your data processing activities are secure.

In this blog, you will find a general overview of the GDPR compliance statement and a checklist for creating it for your business.

What is a GDPR compliance statement?

A GDPR Compliance statement is a public document outlining the measures your organization is taking or has already performed to comply with the law.


It is generally a one-page document publicly shared on an organization’s website to inform GDPR’s data subjects about the company’s commitment to data privacy and security regarding GDPR compliance. Generally, it includes:

  1. The technical and organizational measures deployed to meet the GDPR’s rigorous data security requirements.
  2. The processing obligations the data controller places on any data processors to whom it discloses customers’ personal information.
  3. The procedures in place to assist individuals in exercising their data subject rights.
  4. The automated or manual systems responsible for handling data subject access requests.

Is a GDPR compliance statement the same as a Privacy Policy?

Remember, a Compliance Statement is not the same as a Privacy Policy!

Reading the two documents’ definitions, they appear to be the same, but there is a difference, highlighted here.

Both documents are public in type and have a lower level of sensitivity because they are shared with the general public. However, a GDPR compliance statement is much shorter and more focused compared to the privacy policy. So, in layman’s words, a compliance statement is a shorter version or summary of the privacy policy.


A GDPR statement, also known as a compliance statement, is a brief statement that informs individuals about the data that a company processes and the security measures it has implemented. It then refers to the data protection agreements and privacy policy for more details, such as what principles apply to the company, how it applies GDPR principles to its data processing practices, what rights individuals have, and which data processors or sub-processors it engages and discloses personal information to.

Is a GDPR compliance statement required by law?

The straightforward answer is no.

This comprehensive and stringent data protection law mandates many processing requirements, but a GDPR Compliance Statement is not one of them.

On the other hand, creating such a document might be an industry best practice to demonstrate GDPR compliance.

Therefore, what you mention in your GDPR compliance statement is entirely up to you. It should honestly explain everything you’ve done to meet your data processing obligations, written in your brand voice for your customers or clients.

In contrast to a privacy policy, which is a legal obligation, you may produce a GDPR Compliance Statement to benefit your business and reputation. Whether your customers are businesses or consumers, they will be more willing to provide you with personal information if they see that you will keep it secure.

What are the benefits of having a GDPR compliance statement?

Now we all know that a GDPR Compliance Statement is not legally required. So a million-dollar question arises, i.e., why does my company need one, and what are the benefits?

Well, a compliance statement can be beneficial for a variety of reasons. Some of them are:

  1. It adds transparency and gains consumers’ trust for secure data processing and handling.
  2. It can demonstrate the data controller’s and the data processor’s compliance.
  3. It can serve as documentary proof of GDPR compliance to the relevant EU or UK supervisory authority.

Let’s understand each scenario by taking an example.

1. It adds transparency and gains consumers’ trust for secure data processing and handling.

In terms of building consumer trust, a compliance statement is relatively straightforward. Because your consumers are unlikely to grasp legal and technical terms, they will not be keen on reading your full policies. A GDPR compliance statement therefore serves as a short notice stating in clear and straightforward terms that you are adhering to GDPR rules and regulations. The document should be user-friendly, so that everyone concludes that you take data privacy concerns seriously and that you are responsible for allowing your users to exercise their data subject rights.

2. It can demonstrate the data controller and processor’s compliance.

As for proving compliance for data processors, we know that every business that shares personal data with another must be able to verify that it has investigated that company’s data security and privacy posture.

Any consumer or organization that wants to work with you will most likely investigate not only your data security standards but also those of your affiliates. And what do you want them to find if they request evidence about your affiliates? You risk losing their business if they can’t locate anything relevant.

A GDPR compliance statement confirms that all of your affiliates, in terms of data processors and sub-processors, are acting on your instructions and that you have mandated the applicable GDPR data processing standards, such as not sharing data with anyone without prior approval, deleting data immediately after the purpose of processing is achieved, and deploying appropriate security controls to protect personal and sensitive data.

3. It can serve as documentary proof of GDPR compliance to the relevant EU or UK supervisory authority.

The data protection supervisory authorities are established in each European Union member state and the UK. While they are unlikely to ask you to create a public-facing GDPR Compliance Statement, they may want you to explain what you are doing to meet your legal requirements.

When dealing with non-compliant data processing activities, data protection authorities have several measures available, ranging from technical assistance and warnings to significant financial penalties. To proceed smoothly through such a process, a GDPR compliance statement would illustrate that the organization has taken the path towards compliance and identified its gaps in order to avoid the consequences of non-compliance.

This will also demonstrate that your company is committed to transparency by informing all data subjects about its data handling processes.

With these benefits, a GDPR Compliance Statement is an excellent way to demonstrate to other businesses, consumers, and authorities that your organization is on the right track and making significant steps toward

Checklist to write a GDPR Compliance Statement (GDPR statement examples)

Since a GDPR Compliance Statement is recommended but not compulsory, the regulation does not require adopting any specific sections.

However, you should ensure it accurately reflects your organization’s governance policies and data privacy and compliance commitment.

Remember that the GDPR statement for compliance isn’t meant to replace your Privacy Notice or Privacy Policy; thus, including specifics about your data processing procedures isn’t required.

You should include a few clauses to improve the document’s effectiveness. It should be noted that not all of them will apply to your organization, and you may desire to incorporate extra clauses:

1. A brief explanation of the GDPR

Start your GDPR Compliance Statement by providing some context, i.e. what exactly is the GDPR, and why are you working so hard to comply with it? Also, if your company is based in the UK, then elaborate on compliance with the UK GDPR and the impact of Brexit.

Here is an example of the GDPR statement:

A summary will be sufficient to notify your customers in an introductory manner.

2. How your company is preparing for GDPR

This is a chance to show your customers how serious you are about protecting users’ personal information and following the law. You may elaborate on all the policies and procedures you have to address security and privacy in your company. This can also be used to introduce the steps of GDPR compliance you may take and how you are implementing data privacy into operations.

Because a GDPR compliance statement is a one-page document, you must ensure that all detailed information is consolidated into a brief graphical representation or a table format that is easy to grasp.

Here is an example to describe all the data protection commitments a company has taken in a short yet clear format:

1. Data governance structure

  • We created a dedicated data privacy department for handling the GDPR compliance strategy.
  • We appointed an independent Data Protection Officer (DPO).
  • We conducted a business impact analysis on critical products.
  • We launched an internal Privacy and Security Awareness programme.
  • We conducted an internal and external Data Protection Impact Analysis.

2. Policies and procedures

  • We created a policy on Data Protection.
  • We created a policy on Data Retention.
  • We created a policy on Information Security.
  • We created a policy on Cookie collection.
  • We created a plan for data breach and incident response.
  • We adopted a risk management methodology that takes personal data into account to identify and manage threats across the board.
  • We ensure that personal data protection requirements are incorporated into contracts and agreements with third-party service providers and vendors.

3. Embedding data privacy and security into operations

  • We conducted a data mapping inventory and data classification in our systems.
  • We created procedures and policies to limit the handling of personal data.
  • We deployed automated procedures to track personal data transfers within and outside our systems.
  • We created a privacy dashboard for customers.

3. The scope of data processing practices

You may want to specify the scope of your company’s GDPR compliance by outlining the legally defined actions. This includes anything you do that involves the processing of personal data, such as:

  1. Obtaining personal information from your customers
  2. Obtaining personal information about your consumers
  3. Personal data storage, both electronically and physically
  4. Direct marketing and tailored advertisements
  5. Analyzing and monitoring personal data sets

You can find an example in the picture below:

Depending on the nature of your business, the list may differ, but it should include all the activities for which you process personal data.

4. How you process personal data

It is best to describe the scope of the personal data processing in which you are committed to protecting privacy and strictly adhering to all the relevant provisions of the GDPR. You should further inform your customers that all personal data is treated in accordance with the principles set out in the regulation, which state that personal data shall be:

  • Processed lawfully, fairly and transparently.
  • Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
  • Adequate, relevant, and limited to what is necessary for the purposes of processing.
  • Accurate and, where necessary, kept up to date.
  • Kept in a form that allows data subjects to be identified for no longer than is necessary for the purposes for which the personal data are processed.
  • Processed in a way that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.

The picture below gives an example of writing this clause:

5. International transfers

Personal data transfers outside the EU or UK are subject to international data transfer rules. Wherever there is an international transfer of personal data, specific adequate measures must be in place, for example, transfer based on an adequacy decision, standard contractual clauses, binding corporate rules or derogations.

Suppose your company is established in the EU or UK and transfers personal data internationally to partners or third parties. In that case, you should assess all ties you have with non-EU/UK data processors (specifically those in the US) and organizations to which you may send personal data.

If your company transfers data within the EU or UK, you may state that you have adopted the Article 29 requirement, i.e. that the relevant data processing agreements are in place.

Let’s take an example from the picture below:

Whatever methods you employ, ensure your customers are aware of international data transfer policies.

6. Link to the privacy policy and data processing agreement

Since all the required data protection provisions of the General Data Protection Regulation (GDPR) are deeply addressed in the privacy policy and relevant data protection agreements, you may need to link these two documents in your GDPR compliance statement so that users can access these if they require further information related to any process.

Also, information about which data protection rights your company grants to data subjects, and how they can consent to or opt out of the processing of their personal data, is contained in the privacy policy, so linking it in your compliance statement would be of significant value to your customers.

Here is an example of the above clause:

7. Contact information

You may need to give the contact information of your data privacy department or the relevant point of contact so that your customers can reach out if they have any queries or questions. The contact details could include a generic email address, if your company’s privacy department has one, or the official email address of the employee responsible for dealing with customer complaints related to privacy.

If your company does not have a separate data privacy department, you may instead give the contact details of your data protection officer, i.e. an official email address or a contact number.

Here is an example of the above clause:

Note: The contact details in the above example are dummy data.

Conclusion

The GDPR compliance statement is an opportunity to inform the data subjects, i.e. an organization’s customers, clients, and the relevant EU or UK data protection authority, about your efforts to comply with the law.

Your GDPR Compliance Statement is not a legal requirement but does reaffirm your commitment to GDPR principles.

It does not have to be a lengthy or detailed document. It might be as simple as noting that you are aware that the GDPR applies to your company and that you aim to adopt all possible measures to meet your obligations and protect user rights.
