A step-by-step guide to writing a GDPR privacy notice
A GDPR privacy notice (often called a privacy policy) is how you meet transparency obligations under Articles 13 and 14. It must reflect actual processing—not boilerplate copied from another site.
Key takeaways
- Article 13 applies when you collect data from the individual; Article 14 when you obtain it from another source.
- Notices must be concise, transparent, intelligible, and easily accessible—often using a layered approach.
- You must disclose lawful bases, retention, rights, transfers, and automated decision-making where relevant.
- Update notices when processing changes materially; version and date your documents.
This guide covers:
- When Articles 13 and 14 apply
- Mandatory disclosure checklist
- Eight-step drafting workflow
- UX patterns for layered privacy information

When a privacy notice is required
| Situation | Article | Timing |
|---|---|---|
| Web forms, apps, checkout | 13 | At collection (or linked at point of collection) |
| Purchased lists, public sources, third-party enrichment | 14 | Within one month; sooner if contacting the individual |
| Existing customers—new purpose | 13/14 | Before processing for the new purpose |
If data was not obtained from the individual, Article 14 also requires naming the source and categories of personal data.
Required elements checklist
Include the following where applicable (Articles 13–14):
| Element | Example disclosure |
|---|---|
| Controller identity & contact | Company name, email, DPO contact |
| Purposes of processing | Account management, analytics, support |
| Lawful bases | Contract, consent, legitimate interests (plus a summary of the legitimate interests assessment (LIA) where one was needed) |
| Legitimate interests | Fraud prevention—describe interest |
| Recipients / categories | Hosting provider, payment processor, CRM |
| International transfers | SCCs, adequacy, or other mechanism |
| Retention periods | “24 months after account closure” or criteria to determine |
| Data subject rights | Access, erasure, objection, complaint to supervisory authority |
| Automated decision-making | Profiling for credit scoring—logic and consequences |
| Source of data (Art. 14) | Third-party data broker, public register |
| Whether provision is contractual | Consequences of not providing data |
| Statutory/contractual requirements | Know-your-customer (KYC) obligations |
Step-by-step writing process
- Inventory processing — export the activities from your Record of Processing Activities (RoPA); group by audience (customers, employees, website visitors).
- Map lawful bases — align each purpose to Article 6 (and Article 9 if needed).
- Draft plain-language summaries — short “just-in-time” notices for forms; full policy for depth.
- Describe recipients and transfers — name categories; link sub-processor list if large.
- Specify retention — per purpose; avoid vague “as long as necessary” without criteria.
- Explain rights and how to exercise them — data subject access request (DSAR) email/portal; expected response timelines.
- Legal review — counsel validates special cases (children, high-risk profiling).
- Publish, train, and monitor — product/marketing must not contradict the notice.
Layered notices and UX
Regulators encourage layered transparency:
- First layer: identity, core purposes, lawful bases, rights link—at collection point.
- Second layer: full policy with tables for cookies, analytics, and vendors.
Use icons, FAQs, and just-in-time modals for cookie/consent flows (also consider ePrivacy rules). Avoid burying material information in unrelated terms of service.
Get audit-ready with SecureSlate
SecureSlate keeps RoPA, control evidence, and policy versions aligned so privacy notices match what your systems actually do.
FAQ
Is a privacy notice the same as consent?
No. A notice informs; consent is a separate lawful basis requiring a clear affirmative action for optional processing.
How often should we update our notice?
Whenever processing changes in a material way—new vendors, purposes, transfers, or retention. Maintain a change log.
Can we use one global notice for all countries?
Many organizations use a GDPR-centric global notice with jurisdiction-specific addenda for US state laws and other regions.
Disclaimer (legal note)
General information only—not legal advice. Privacy notices must reflect your actual processing and applicable national requirements.
