6 Tips for Developing a GDPR-Compliant Privacy Policy
We’re down to the wire now; the GDPR compliance deadline is next Friday, May 25. As organizations scramble to get ready for the most far-reaching data privacy law ever put on the books, consumers’ email inboxes are being inundated with notices of GDPR-compliant privacy policy updates.
In addition to fundamentally transforming their data governance, most companies will need to update their website’s privacy policy to meet GDPR standards. Following are six tips for writing a GDPR-compliant privacy policy.
Use Clear, Plain Language
Attempting to overwhelm or confuse your site visitors by inundating them with pages of legalese is a big no-no. Article 12 of the GDPR mandates that a GDPR-compliant privacy policy be written “using clear and plain language, in particular for any information addressed specifically to a child.”
Inform Users of Their 8 Individual Rights Under the GDPR
Your GDPR-compliant privacy policy should inform users of their new individual data collection rights under the law:
- The right to be informed, before any data is collected from them, about how their data is being collected, processed, and stored, and for what purposes.
- The right to access their data after it has been collected and understand how it has been collected, processed, and stored, what data exists on them, and for what purposes.
- The right to correct inaccurate or incomplete data (also known as the “right to rectification”).
- The right to be forgotten/have their data erased, not just by your company but by any other firm you sold or transferred their data to.
- The right to restrict the processing of their data.
- The right to data portability, or the right to move, copy, or transfer personal data from one data controller to another safely, securely, and in a commonly used and machine-readable format.
- The right to object to processing without explicit consent, including the right to ban the inclusion of their data in direct marketing databases.
- The right to opt out of automated decision-making and demand that important decisions be made by humans, not algorithms.
Explain How You Will Collect & Use Users’ Personal Data
A GDPR-compliant privacy policy must clearly specify:
- Exactly what personal data is being collected and who will receive it.
- Whether users’ personal data is going to be transferred to a different country or an international organization.
- Your organization’s data retention policy. The GDPR bars companies from retaining user data beyond a “reasonable” period of time.
- Whether any automated processing will take place (remember, users can opt out of this).
- Whether the sharing of personal data is mandatory. For example, if users must provide personal data to create user names and gain access to certain parts of a website, the privacy policy must clearly explain what will happen if a user refuses.
Explain Your Legal Basis for Processing Users’ Personal Data
A GDPR-compliant privacy policy must clearly state your company’s purpose and legal basis for processing users’ personal data. The GDPR outlines six circumstances under which personal data can be lawfully processed:
- The user has provided consent for processing for one or more specific purposes.
- The processing is necessary as part of a contract with the user.
- The processing is necessary for compliance with a legal obligation to which the controller is subject.
- The processing is necessary to protect the vital interests of the data subject or another natural person.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the consumer, in particular if the consumer is a child.
Include Contact Information
Every GDPR-compliant privacy policy must include the name and contact details of your company’s data controller and any representative, as well as your data protection officer (DPO), if your company must appoint a DPO.
Seek the Help of a GDPR Compliance Expert
GDPR compliance is complex and can be very confusing, and the penalties for non-compliance are staggering. To ensure your company doesn’t run afoul of the GDPR, it’s best to seek help from a reputable IT compliance expert such as Lazarus Alliance.
Is your organization ready for the GDPR compliance deadline on May 25? As part of our commitment to helping everyone prepare, Lazarus Alliance is offering a free GDPR readiness tool. Click here to take your GDPR readiness assessment and download your free report today!
The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.
Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help your organization adhere to cybersecurity regulations, maintain compliance, and secure your systems.
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts