GDPR Compliance Statement

Last updated on 29 August 2019 by Nicole Olsen

A GDPR Compliance Statement complements your GDPR-compliant Privacy Policy. It's a shorter, standalone document that describes how you engage with the GDPR.

While a GDPR Compliance Statement isn't required, having one demonstrates your ongoing commitment to user privacy and the principles that make up the GDPR.

What is a GDPR Compliance Statement, and how do you put one together? We'll show you how to share your commitment to privacy, transparency, and accountability below.


What's a GDPR Compliance Statement?

A GDPR Compliance Statement is a brief document that publicly declares your organization's commitment to meeting and upholding the principles of the GDPR.

The statement matches other supporting documents like your GDPR Data Protection Policy by providing an overview of user rights and how to exercise them. It also highlights data processor and controller obligations under the GDPR.

You can think of your GDPR Compliance Statement as a summary of the ways you prepared for and continue to comply with European regulations, and as a short summary version of some of the information found in your full-length Privacy Policy.

Do You Need a Compliance Statement?

Unlike a Privacy Policy, a GDPR Compliance Statement is not mandatory.

However, it is a helpful document because it adds a greater level of transparency for your data subjects when it comes to how prepared you are for the GDPR and the protection of their privacy rights.

What to Include in a GDPR Compliance Statement


Because a GDPR Compliance Statement is good practice but not mandatory, the legislation itself doesn't mandate the use of any particular clauses.

However, you should aim to make sure it reflects your organization's data practices and your unique commitment to privacy and compliance.

Remember that the GDPR Compliance Statement isn't designed to replace your Privacy Statement or Privacy Policy, so including the finer details of your data processing practices isn't necessary.

Here are a few of the clauses you should add in order to make the document more effective. Note that not all of them will be relevant to your company, and you may find you wish to include additional clauses:

  • Who you are/Contact information
  • Written commitment to GDPR compliance
  • Data Protection Officer details
  • GDPR compliance plan
  • Safeguarding measures
  • Data subject rights
  • Link to a Privacy Policy
  • Third-party processing
  • International data transfers

Let's take a more detailed look at each of these clauses and what information they should convey.

Who You Are/Contact Information

Are you a data processor, data controller, or both? Your obligations differ according to your legal designation, so sharing what your designation is sets up your GDPR Compliance Statement for success.

Six Degrees does this well in its Compliance Statement. It outlines the cases in which it qualifies as a processor and when it becomes a controller:

Six Degrees GDPR Compliance Statement - Data Controller and Data Processor identification clause

In addition to noting what role your organization fulfills, give readers and data subjects a name or contact details to let them know who to get in touch with if they have any questions.

Here's how Big Bear Confectionery does this in a simple statement:

Big Bear Confectionery GDPR Compliance Statement - Contact information

Written Commitment to GDPR Compliance

A written commitment to GDPR compliance simply notes that your organization promises to embrace and uphold the principles of the GDPR. You can stick with this statement or provide explicit examples of privacy issues you aim to uphold.

For example, Peninsula explains its commitment to transparency with a clause in its GDPR Compliance Statement:

Peninsula GDPR Compliance Statement - Commitment clause

If your organization already operates with privacy in mind and you avoid collecting and processing data you don't need, you can say so in the commitment section.

Zoho provides a good example of its commitment to privacy generally, and the GDPR by extension:

Zoho GDPR Compliance Statement - Introduction banner

It says that its commitment to privacy didn't start with the GDPR and it's happy to embrace GDPR regulations.

Big Bear Confectionery provides an extensive commitment clause. It goes into more detail about its past and present commitment to privacy. The clause also serves as an introduction to the rest of the company's GDPR Compliance Statement.

Big Bear Confectionery GDPR Compliance Statement - Commitment clause

Data Protection Officer Details

Not every company under GDPR jurisdiction needs a Data Protection Officer, but if you do appoint one, then the Compliance Statement is a good place to share that you have one and how to contact this individual.

The UK government is required to appoint a Data Protection Officer because it's a public body. This is noted in its GDPR Compliance Statement.

GOV UK GDPR Compliance Statement - Appointed a DPO section

The final sentence of the introductory statement notes the appointment of a Data Protection Officer.

A short sentence works well, but adding contact details is also a smart idea. The government added the DPO's contact details at the end of the statement:

GOV UK GDPR Compliance Statement - Contact clause

GDPR Compliance Plan

A key clause in your GDPR Compliance Statement is your GDPR compliance plan. You can describe steps you've taken as well as steps you plan to take to get and stay compliant.

Here's how Thomas Flavell and Sons adds this information in a clause about how they're preparing for the GDPR:

Thomas Flavell and Sons GDPR Compliance Statement - How we are preparing for the GDPR clause excerpt

And here's another example from the UK Government that shows some of the actions that have been taken to date towards compliance:

UK GOV GDPR Compliance Statement - GDPR actions to date clause excerpt

This type of clause shows that you're being proactive and striving for compliance.

Safeguarding and Security Measures

Whether the data safeguarding measures you implement are standard practice or new thanks to GDPR rules, taking time to highlight them in your GDPR Compliance Statement demonstrates your commitment to protecting your users' personal data.

You can go about this in two ways.

The first is to list some of the specific security measures you use.

Total Web Solutions provides a bullet list within its Compliance Statement, which it published as a PDF.

Total Web Solutions GDPR Compliance Statement - Information Security and Technical and Organisational Measures clause

Alternatively, you can note your commitment to security and safeguarding measures by briefly mentioning it in the commitment clause.

The UK Government takes this approach and simply states that it holds an accreditation rather than listing out any of its specific security protocols:

GOV UK GDPR Compliance Statement - security clause

Listing security measures will help with transparency, but some businesses decide to keep their specific protocols more private as an added level of security.

Data Subject Rights

According to the GDPR, data subjects have eight rights that data processors must uphold. These rights include:

  1. The Right to Be Informed
  2. The Right of Access
  3. The Right to Rectification
  4. The Right to Erasure
  5. The Right to Restrict Processing
  6. The Right to Data Portability
  7. The Right to Object
  8. The Right to Avoid Automated Decision-Making

There are several ways to address data subject rights in your statement. You can list them out and formally acknowledge each one individually, like Thomas Flavell and Sons does here:

Thomas Flavell and Sons GDPR Compliance Statement - Data Subject Rights clause

Or, you can address them in a more summarized way. You can let users know how to exercise each right, or point them out as they apply to other policies and procedures mentioned in the document.

Here's how Peninsula provides information about the right to be forgotten:

Peninsula GDPR Compliance Statement - Right to be forgotten clause

Link to a Privacy Policy

Your GDPR Compliance Statement provides an overview of your GDPR Privacy Policy, but it does not replace it. It leaves out all kinds of essential Privacy Policy statements like what data you collect, how you process it, how you store it, and more.

Linking to your GDPR Privacy Policy is a good idea because it makes the Privacy Policy more accessible and reminds readers that your Compliance Statement does not speak for the Privacy Policy in its entirety. It lets your users know that there is more information they may want to know.

Virtual College provides links at the end of its statement. It combines the link with other essential components like a link to its Data Processing Agreement and contact details:

Virtual College GDPR Compliance Statement - Privacy Policy link in clause

If you updated your Privacy Policy to meet GDPR standards, you can note it here and add a link.

Varlink added a statement to its "Preparation for the GDPR" section to show that it now hosts an updated Privacy Policy:

Varlink GDPR Compliance Statement - Preparation for the GDPR: Privacy Policy section

Third Party Processing

According to the GDPR, a third-party data processor is "a natural or legal person or organization which processes personal data on behalf of a controller."

Do you use any third-party processors at any point in your data's lifecycle? As a data controller, you are responsible for ensuring the processor's compliance with the GDPR.

You also need to:

  • Identify that you contract with third-party processors
  • Understand what data they interact with
  • Understand their security practices

You don't need to name the third-party processors you work with, but you do need to acknowledge that you use them.

Some organizations choose to lump this in with other sections like International Data Transfers because the two may be interconnected and the principles are nearly identical.

Varlink chose to do this:

Varlink GDPR Compliance Statement - Preparation for the GDPR: International Data Transfers and Third-Party Disclosures section

Here's how the UK Government discloses its efforts when it comes to third-party suppliers:

UK GOV GDPR Compliance Plan - Third-Party Processors section

This statement makes it clear that UK Gov is only going to work with third parties that have proven to be GDPR-compliant.

International Data Transfers

Do you process data outside of the EU? If so, consider adding a statement about this.

Bullhorn's international data transfer clause lists the laws and frameworks it complies with if and when it transfers any personal data outside of the EU (usually to the United States):

Bullhorn GDPR Compliance Statement - International Data Transfers clause

Conclusion

Your GDPR Compliance Statement isn't mandatory, but it does reconfirm your commitment to upholding GDPR principles.

It doesn't need to be a long, complicated document. It can be as simple as stating that you recognize that the GDPR applies to your business and you intend to do your part to meet your obligations and uphold user rights.

A GDPR Compliance Statement should at minimum include the following four primary parts:

  • A written commitment to GDPR compliance
  • An acknowledgement of data subject rights
  • Your GDPR preparation plan
  • Your contact information

When done, link it to your Privacy Policy and add it to your website footer to show your commitment to compliance.

Nicole Olsen

Legal writer.