How to make your Privacy Policy GDPR Compliant6 min read

There are quite a number of things to freaked out about…

A  debit alert from your Mastercard when you didn’t even use it…

Missing your flight and having to pay extra on your ticket…

Or that influx of emails from companies in your inbox asking you to read their updated GDPR privacy policies.

Did you even get the emails from services you can’t remember subscribing to?  

We’re sure you’re thinking, if you get one more GDPR mail, you would pull your hair out.

We know, we feel the same way too but we alas, we cannot ignore the almighty GDPR

What is the GDPR?

For short, it stands for General Data Protection Regulation.

It is a set of laws created by the European Union to protect the personal data of European Union citizens. This was necessary in order to help people have control over the use of their personal data.

So as Nigerian, the next question is: well, how does this concern me or affect my business?

The GDPR protection affects more than just businesses operating in the EU. It crosses borders, since its sole reason is to protect its citizens; any company processing data that is offering goods or services to EU citizens are bound by the regulation!

So your little ankara business by the side that involves you shipping purchases to the EU countries like Netherlands, France or even Germany? As long as you require their data, you’ve got to comply.

Now that we’ve got that out of the way, if you are yet to update your privacy policy, you need to do so ASAP.

Defaulting organizations can be fined up to £20 million or 4% of annual global turnover. Imagine a huge corporation paying out 4% of their annual turnover. That could rack up to be some really handsome fees.

What form of data falls under the GDPR?

Any information that can be classified as personal details and be used to identify any citizen of the EU is what is protected by the regulation. Examples are:

  • Name
  • Photo
  • Social media posts
  • IP addresses
  • Bank details
  • Email addresses
  • Medical information
  • Biometric identifiers such as fingerprint, iris screening and so on

This is not the full extent of the policy as it also extends to anyone considered to be a minor. That is anyone 16 years and below cannot legally grant consent for their personal data to be used except permissions are granted by parents or guardians.

How do you make your privacy policy compliant GDPR?

In order to do this, you will have to follow the examples of those companies that bug you with an updated privacy policy! There’s no need to be anxious, we will walk you through the necessary steps to take to make this run as smoothly as possible. The first thing you might want to check out is:

  • What the GDPR requires
  • Safely handling the transfer of data across borders
  • That you provide any form of data breach notifications
  • That you accurately have the consents of subjects for data processing
  • That you make the collected data anonymous in order to protect privacy
  • You are also expected to appoint a data protection officer to oversee GDPR compliance.
  • We believe you now understand the meaning of this regulation and that you get the reason for it. So let’s get to the crux of the matter.

How should your new privacy policy look?

1. Short. Readable and concise.

How many times have you clicked on the “I accept” button without really reading through the privacy policy? We’ll let you have a good laugh over that one.

Companies have been known to fill their privacy policy with long difficult phrases that the average person would not understand. The EU says that’s got to stop!


2. Your use of data would be explained.

There is a need to be transparent with what you intend to use the collected data for.

You need to make it plain, make people understand whether you sell their data off to third parties or you use it for marketing purposes.

3. Explain how you make use of cookies.

(Even if they won’t read it) This explains why every website you visit nowadays is asking you questions about whether or not you want to enable the use of cookies.

If you as a business have not done this, it’s important you do. For instance, if you make use of cookies for online behavioural advertising by tracking visitors’ interests and online habits you need to let the site visitors know.

Surfing through an online selling platform and find the same products you checked out on a completely different platform is not by accident!

4. In case you do share data with third parties.

Make it plain to people you render services to.

You need to state with whom you share these data, and for what purpose.

Even though it is within the law for you to share these data with certain people, you won’t be justified by the law if you do not inform people you are doing so.  


5. You will have to include the contact of the Data Protection Officer of the company as well as details that explain how the information is being shared, and that your customers have the right to complain to the Data Protection Authority.


6. If you have promised each individual that they have the right to request or access their personal data, then there has to be a confirmation of this promise.

We’ve talked a lot about a Data Protection Officer, and it’s good for you to know that you might not need one if you do not fall into any of these categories;
i. Public authorities
ii. Organizations that engage in large-scale systematic monitoring
iii. Organizations that engage in the large-scale processing of sensitive personal data (Art. 37)

You can check Art. 39 of the GDPR to locate the tasks of the data protection officer. The need for this officer is to make things easier for your company by having someone knowledgeable about the topic of privacy doing the question answering and checking out any policy breach that could be harmful to your company.


To get a DPO, you can make use of the same standards as you do for any other hiring; their professional qualifications and knowledge in the field of data would be all that is necessary. Such person must know a great deal about your company so that monitoring your data processing would be effectively done.

A good example of a company actively using the GDPR is Facebook. This could be seen in  their new tool that enables users opt-in to facial recognition being used to scan their photos, but also handing the users the ability to switch it off when they want to.

Of course, there is a positive side to doing this for your company. It allows you win the trust of your platform users. And it’s also a good way to engage with them. You are saving yourself from a huge financial fine and you are winning the trust of your users. It’s really a win-win situation.

So… ready to get compliant?