Prez

The document provides an overview of the General Data Protection Regulation (GDPR) and its key principles, emphasizing the importance of creating a compliant privacy policy. It outlines essential components of a privacy policy, user rights, and the lawful bases for processing personal data. Additionally, it includes tips for compliance and a checklist to help organizations navigate GDPR requirements effectively.

Uploaded by

2000fahadhassan

NAVIGATING THE GDPR LANDSCAPE: CRAFTING A COMPLIANT PRIVACY POLICY

An introductory overview on navigating the GDPR landscape and creating a privacy policy that adheres to the regulation's key principles and user rights.
WHAT IS GDPR?

The GDPR (General Data Protection Regulation) is a law that protects personal data and privacy in the European Union and the United Kingdom.

By understanding the key principles and requirements of the GDPR, organizations can ensure they are processing personal data in a compliant and transparent manner, while respecting the rights of individuals.
GDPR PRINCIPLES

• Lawfulness, Fairness, and Transparency: Process data only with a valid lawful basis. Be clear and honest about how you collect, use, and share data.

• Purpose Limitation: Collect data only for specific, legitimate purposes. Do not use the data for purposes incompatible with the original purpose.

• Data Minimisation: Collect and process only the minimum amount of personal data necessary to achieve the specified purpose. Do not collect more data than you need.

• Accuracy: Keep personal data accurate and up-to-date. Take all reasonable steps to ensure that inaccurate data is erased or rectified without delay.

• Storage Limitation: Do not keep personal data for longer than is necessary for the purposes for which the personal data is processed.

• Integrity and Confidentiality: Protect personal data with appropriate technical and organizational security measures to ensure integrity and confidentiality.

• Accountability: Keep simple records of what data you collect and why. Be ready to explain your data processing practices if asked.
COMPONENTS OF A PRIVACY POLICY

Data Collected: Details on the categories of personal data collected, such as name, email, location, payment details, and how the data is obtained.

Processing Purposes: Explanation of the specific, legitimate purposes for which the personal data is processed, such as account creation, marketing, or service improvement.

Lawful Basis: Identification of the lawful basis for processing the personal data, such as consent, contract, legal obligation, or legitimate interest.

Data Sharing: Details on any third parties or service providers with whom the personal data may be shared, such as payment processors or analytics tools.

International Transfers: Information on any transfers of personal data outside the EU/UK, and the safeguards in place, such as Standard Contractual Clauses (SCCs).

User Rights: Explanation of the user's rights, such as access, rectification, erasure, portability, and objection to the processing of their personal data.
ANY PROCESSING OF PERSONAL DATA NEEDS A CLEAR PURPOSE, AND A LAWFUL BASIS FOR THAT PURPOSE

Personal data is any data that can identify a person, such as name, address, phone number, email address, bank account data, etc.

Consent: The data subject has given clear consent for you to process their personal data for a specific purpose.

Contract: Processing is necessary for the performance of a contract with the data subject or to take steps at their request before entering into a contract.

Legal Obligation: Processing is necessary for you to comply with a legal obligation (not including contractual obligations).

Vital Interests: Processing is necessary to protect someone's life (this applies very rarely, in extreme situations).

Public Task: Processing is necessary for you to perform a task in the public interest or for your official functions, and the task or

Legitimate Interests: Processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides
SPECIAL CATEGORY DATA

Under the GDPR, personal data that reveals sensitive information about an individual, such as their race, religion, or health status, is considered 'special category data' and requires additional legal bases for processing. This type of data is afforded extra protection due to its sensitive nature and the potential for it to be misused or lead to discrimination.
KEY USER RIGHTS

• Right to be Informed: Users have the right to be informed about the collection and use of their personal data, including the purposes, lawful basis, and retention periods.

• Right of Access: Users can request a copy of their personal data held by the organization, including details about the processing activities.

• Right to Rectification: Users can request that any inaccurate or incomplete personal data be corrected or updated.

• Right to Erasure: Users can request the deletion of their personal data, also known as the 'right to be forgotten', in certain circumstances.

• Right to Restrict Processing: Users can request that the processing of their personal data be limited or blocked in specific situations.

• Right to Data Portability: Users can request their personal data in a structured, commonly used, and machine-readable format, and have it transferred to another controller.

• Right to Object: Users can object to the processing of their personal data, particularly in cases where the lawful basis is legitimate interest or for direct marketing purposes.
TIPS FOR COMPLIANCE

• Use Plain Language

• Be Transparent About Data Transfers

• Ensure Clear Consent

• Reflect Current Practices
GDPR TIMELINE

2016: The GDPR was adopted by the European Union.

2018: The GDPR became enforceable, replacing the previous Data Protection Directive.

2018-2020: GDPR enforcement actions began, with significant fines imposed on organizations for non-compliance.

2020: The European Commission published new Standard Contractual Clauses (SCCs) for international data transfers.

2021: The European Union and the UK established the UK GDPR, a separate but aligned data protection law for the UK post-Brexit.

2022: The European Commission approved new SCCs for use in international data transfers.
GDPR COMPLIANCE CHECKLIST

• Review Data Collection Practices: Evaluate the types of personal data collected, the legal basis for collection, and ensure data minimization.

• Assess Data Processing Activities: Examine how personal data is used, stored, and secured throughout its lifecycle. Ensure purpose limitation and storage limitation.

• Verify User Consent Procedures: Implement clear, granular consent mechanisms for personal data processing, especially for sensitive data.

• Establish Data Subject Rights: Develop processes to handle user requests for access, rectification, erasure, portability, and objection.

• Implement Data Security Safeguards: Deploy technical and organizational measures to ensure the integrity and confidentiality of personal data.
GDPR RESOURCES
