Privacy Statements Under the GDPR
26 Pages Posted: 22 May 2019 Last revised: 5 Jul 2019
Date Written: February 7, 2019
Abstract
The European General Data Protection Regulation (GDPR) imposes many onerous compliance obligations that affect companies worldwide. Those subject to the GDPR must evaluate the risk of all their data processing obligations and prepare formal data protection impact assessments (DPIAs) on those that are higher risk. They must ensure that contracts with vendors and service providers contain specific data protection terms set out by the Regulation. They must implement systems and processes capable of responding to requests from individuals exercising their rights under the GDPR, including rights to access, correct, port, delete, or restrict the processing of personal data. They must implement product development processes and policies to meet the law’s new “data protection by design” requirements. And there are many others.
The need to include specific types of information in a privacy statement is a GDPR compliance obligation that does not get as much attention as some other GDPR requirements. Perhaps that is because privacy statements have been much maligned in recent years. They are too long and full of legalese. Nobody reads them. They are part of a notice and consent approach to privacy that puts an unrealistic burden on consumers to make informed choices. But despite these well-known criticisms, the GDPR doubles down on privacy statements. In fact, gauging by the roughly fourfold increase in privacy statement requirements compared to the previous law, the GDPR quadruples down.
As a result, ensuring that a privacy statement is GDPR-compliant is one of the more important obligations that companies must navigate. And meeting the privacy statement requirements effectively is not as simple as it might first appear. This Article discusses how companies should approach and craft their privacy statements to meet these new GDPR requirements, thereby reducing their risk.
Keywords: privacy, data protection, GDPR, notice, privacy statement, privacy policy, transparency
JEL Classification: K29, K39
Suggested Citation: Suggested Citation
