GDPR Compliance Statement
While a GDPR Compliance Statement isn't required, having one demonstrates your ongoing commitment to user privacy and the principles that make up the GDPR.
What is a GDPR Compliance Statement, and how do you put one together? We'll show you how to share your commitment to privacy, transparency, and accountability below.
- 1. What's a GDPR Compliance Statement?
- 1.1. Do You Need a Compliance Statement?
- 2. What to Include in a GDPR Compliance Statement
- 2.1. Who You Are/Contact Information
- 2.2. Written Commitment to GDPR Compliance
- 2.3. Data Protection Officer Details
- 2.4. GDPR Compliance Plan
- 2.5. Safeguarding and Security Measures
- 2.6. Data Subject Rights
- 2.7. Third Party Processing
- 2.8. International Data Transfers
- 3. Conclusion
What's a GDPR Compliance Statement?
A GDPR Compliance Statement is a brief document that publicly declares your organization's commitment to meeting and upholding the principles of the GDPR.
The statement complements other supporting documents, such as your GDPR Data Protection Policy, by providing an overview of user rights and how to exercise them. It also highlights data processor and controller obligations under the GDPR.
Do You Need a Compliance Statement?
No. The GDPR does not require you to publish a Compliance Statement. However, it is a helpful document because it adds a greater level of transparency for your data subjects about how prepared you are for the GDPR and how you protect their privacy rights.
What to Include in a GDPR Compliance Statement
Because a GDPR Compliance Statement is good practice but not mandatory, the legislation itself doesn't mandate the use of any particular clauses.
However, you should aim to make sure it reflects your organization's data practices and your unique commitment to privacy and compliance.
Here are a few of the clauses you should add in order to make the document more effective. Note that not all of them will be relevant to your company, and you may find you wish to include additional clauses:
- Who you are/Contact information
- Written commitment to GDPR compliance
- Data Protection Officer details
- GDPR compliance plan
- Safeguarding measures
- Data subject rights
- Third-party processing
- International data transfers
Let's take a more detailed look at each of these clauses and what information they should convey.
Who You Are/Contact Information
Are you a data processor, data controller, or both? Your obligations differ according to your legal designation, so sharing what your designation is sets up your GDPR Compliance Statement for success.
Six Degrees does this well in its Compliance Statement. It outlines the cases in which it qualifies as a processor and when it becomes a controller:
In addition to noting what role your organization fulfills, give readers and data subjects a name or contact details to let them know who to get in touch with if they have any questions.
Here's how Big Bear Confectionery does this in a simple statement:
Written Commitment to GDPR Compliance
A written commitment to GDPR compliance simply states that your organization promises to embrace and uphold the principles of the GDPR. You can stick with that single statement or provide explicit examples of the privacy principles you aim to uphold.
For example, Peninsula explains its commitment to transparency with a clause in its GDPR Compliance Statement:
If your organization already operates with privacy in mind and you avoid collecting and processing data you don't need, you can say so in the commitment section.
Zoho provides a good example of its commitment to privacy generally, and the GDPR by extension:
It says that its commitment to privacy didn't start with the GDPR and it's happy to embrace GDPR regulations.
Big Bear Confectionery provides an extensive commitment clause. It goes into more detail about its past and present commitment to privacy. The clause also serves as an introduction to the rest of the company's GDPR Compliance Statement.
Data Protection Officer Details
Not every company under GDPR jurisdiction needs a Data Protection Officer, but if you do appoint one, then the Compliance Statement is a good place to share that you have one and how to contact this individual.
The UK government is required to appoint a Data Protection Officer because it's a public body. This is noted in its GDPR Compliance Statement.
The final sentence of the introductory statement notes the appointment of a Data Protection Officer.
A short sentence works well, but adding contact details is also a smart idea. The government added the DPO's contact details at the end of the statement:
GDPR Compliance Plan
A key clause in your GDPR Compliance Statement is your GDPR compliance plan. You can describe steps you've taken as well as steps you plan to take to get and stay compliant.
Here's how Thomas Flavell and Sons adds this information in a clause about how it's preparing for the GDPR:
And here's another example from the UK Government that shows some of the actions that have been taken to date towards compliance:
This type of clause shows that you're being proactive and striving for compliance.
Safeguarding and Security Measures
Whether the data safeguarding measures you implement are standard practice or new thanks to GDPR rules, taking time to highlight them in your GDPR Compliance Statement demonstrates your commitment to protecting your users' personal data.
You can go about this two ways.
The first is to list some of the specific security measures you use.
Total Web Solutions provides a bullet list within its Compliance Statement, which it published as a PDF.
Alternatively, you can note your dedication to security and safeguarding measures by briefly mentioning it in the commitment clause.
The UK Government takes this approach and simply states that it holds an accreditation rather than listing out any of its specific security protocols:
Listing security measures will help with transparency, but some businesses decide to keep their specific protocols more private as an added level of security.
Data Subject Rights
According to the GDPR, data subjects have eight rights that data processors must uphold. These rights include:
- The Right to Be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Data Portability
- The Right to Object
- The Right to Avoid Automated Decision-Making
There are several ways to address data subject rights in your statement. You can list them out and formally acknowledge each one individually, like Thomas Flavell and Sons does here:
Or, you can address them in a more summarized way. You can let users know how to exercise each right, or point the rights out as they apply to other policies and procedures mentioned in the document.
Here's how Peninsula provides information about the right to be forgotten:
Virtual College provides links at the end of its statement. It combines the link with other essential components like a link to its Data Processing Agreement and contact details:
Third Party Processing
According to the GDPR, a third-party data processor is "a natural or legal person or organization which processes personal data on behalf of a controller."
Do you use any third-party processors at any point in your data's lifecycle? As a data controller, you are responsible for ensuring the processor's compliance with the GDPR.
You also need to:
- Identify that you contract with third-party processors
- Understand what data they interact with
- Understand their security practices
You don't need to name the third-party processors you work with, but you do need to acknowledge that you use them.
Some organizations choose to lump this in with other sections like International Data Transfers because the two may be interconnected and the principles are nearly identical.
Varlink chose to do this:
Here's how the UK Government discloses its efforts when it comes to third-party suppliers:
This statement makes it clear that the UK Government will only work with third parties that prove to be GDPR-compliant.
International Data Transfers
Do you process data outside of the EU? If so, consider adding a statement about this.
Bullhorn's international data transfer clause lists the laws and frameworks it complies with if and when it transfers any personal data outside of the EU (usually to the United States).
Conclusion
Your GDPR Compliance Statement isn't mandatory, but it does reconfirm your commitment to upholding GDPR principles.
It doesn't need to be a long, complicated document. It can be as simple as stating that you recognize that the GDPR applies to your business and you intend to do your part to meet your obligations and uphold user rights.
A GDPR Compliance Statement should at minimum include the following four primary parts:
- A written commitment to GDPR compliance
- An acknowledgement of data subject rights
- Your GDPR preparation plan
- Your contact information