as IT staff - who craft and maintain those screens - we lack concrete requirements as to what actually needs to be changed or added at our existing user "touch points" to achieve and demonstrate compliance.

Though not always legally required, terms & conditions (also called ToS – terms of service, terms of use, or EULA – end user license agreement) are pragmatically required

Under EU law (specifically the GDPR) you must keep and maintain “full and extensive” up-to-date records of your business processing activities, both internal and external, where the processing is carried out on personal data.

However, even if your processing activities somehow fall outside of these situations, your information duties to users make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone.

Firstly, it’s critical to note that even where this exception to the consent requirement applies, you’ll still need to inform the user of your use of cookies via a cookie policy

If you profile your users, you have to tell them. Therefore, you must pick the relevant clause from the privacy policy generator.

In case you’re implementing any ADM process, you have to tell your users.

The Cookie Law does not require that records of consent be kept but instead indicates that you should be able to prove that consent occurred (even if that consent has been withdrawn). The simple way to do this would be to use a cookie management solution that employs a prior blocking mechanism as under such circumstances, cookie installing scripts will only be run after consent is attained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.

You are legally obliged to list all websites/companies belonging to one group.

If a website/app collects personal data, the Data Owner must inform users of this fact by way of a privacy policy. All that is required to trigger this obligation is the presence of a simple contact form, Google Analytics, a cookie or even a social widget; if you’re processing any kind of personal data, you definitely need one.