General Data Protection Regulation

How to Write Best Data Privacy Policy



By Alexandra Klébé

SKEMA Business School

Paris, France




In May 2018, the European Commission enforced the law about personal information protection with the General Data Protection Regulation (GDPR). It brings several improvements in data protection but could be seen as an obstacle for companies whose business is based on the collection and use of personal information. The aim of this paper is to give these companies best practices for maintaining their business while respecting the new regulation. Following both qualitative and quantitative methods, it presents clauses that should be taken as examples by the companies concerned so that they can write and apply proper data privacy clauses.

Keywords – Personal information, Contracts, Data privacy, Privacy policy, Collection, GDPR, Project Management


“On Friday, September 28th, Facebook forced 90 million users to log out as a safety measure”[1]. The company had been attacked by hackers who exploited a breach to break into users’ accounts. The hackers tried to collect private information from 50 million accounts, such as name, sex, and hometown. This happened barely four months after the European Commission enforced the law about personal information protection with the General Data Protection Regulation (GDPR) in May 2018.

The European Commission decided to reinforce data privacy through the GDPR in May 2018 for the protection of personal data for Europeans inside and outside the EU. It brings several improvements over the Data Protection Act 1998. Here are some of them. First, privacy policies will have to be written in clear and straightforward language, with no more complicated terms. Businesses will also have to collect affirmative consent from users for using their data; silence is no longer consent. The GDPR calls for more transparency: users have to know when their data is transferred outside the EU, and data may be collected only for a well-defined purpose. The GDPR also enforces users’ rights about information, data transfer, and access, and gives them a clearly defined ‘right to be forgotten’ – data can be deleted easily. Last but not least, it offers stronger enforcement, such as fines when businesses violate the rules.[2]

However, even though companies have to follow new rules, data protection is still a current issue, as proven by the Facebook incident in September. Indeed, a lot of concerns remain, as presented in the fishbone diagram below[3]:

There are many issues about data privacy – especially about the collection and use of personal information – that companies should be aware of when conducting projects. Recall that, according to Max Wideman’s Comparative Glossary, a project is: ’A novel undertaking or systematic process to create a new product or service the delivery of which signals completion. Projects involve risk and are typically constrained by limited resources.’[4]




Editor’s note: Student papers are authored by graduate or undergraduate students based on coursework at accredited universities or training programs.  This paper was prepared as a deliverable for the course “International Contract Management” facilitated by Dr Paul D. Giammalvo of PT Mitratata Citragraha, Jakarta, Indonesia as an Adjunct Professor under contract to SKEMA Business School for the program Master of Science in Project and Programme Management and Business Development.  http://www.skema.edu/programmes/masters-of-science. For more information on this global program (Lille and Paris in France; Belo Horizonte in Brazil), contact Dr Paul Gardiner, Global Programme Director paul.gardiner@skema.edu.

How to cite this paper: Klébé, A. (2019). General Data Protection Regulation: How to Write Best Data Privacy Policy, PM World Journal, Vol. VIII, Issue V, June. Available online at https://pmworldlibrary.net/wp-content/uploads/2019/06/pmwj82-Jun2019-Klébé-How-to-Write-Best-Data-Privacy-Policy.pdf



About the Author

Alexandra Klébé

Paris, France



Alexandra Klébé is an MSc Project and Programme Management & Business Development student at SKEMA Business School, Paris. Born in Paris, she was admitted to SKEMA Business School Lille on the results of an entrance examination. During her studies, she took the opportunity to live abroad in both Belo Horizonte, Brazil, and Raleigh, United States. On returning to France, she worked as an Assistant Project Manager in a design agency, where she collaborated with French, European, and international brands. Nearing the end of her studies, she is currently writing a thesis before graduation.

Alexandra lives in Paris, France and can be contacted at alexandra.klebe@skema.edu


[1] Isaac, M., & Frenkel, S. (2018, September 28). Facebook Security Breach Exposes Accounts of 50 Million Users. The New York Times. https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html

[2] European Commission. A new era for data protection in the EU (n.d.). Retrieved from https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-changes_en.pdf

[3] By Author. Fishbone Diagram.

[4] Wideman Comparative Glossary of Project Management Terms v5.5. (n.d.). Retrieved from http://www.maxwideman.com/pmglossary/PMG_P12.htm – Project