Many people think that complying with data protection law is simply a case of preparing a privacy policy, and there is a tendency to simply “cut and paste” from an existing privacy policy found online. This is possibly because privacy policies have become ubiquitous in the online world.
However, what many do not realise is that many of these online privacy policies are a direct result of legislation and the various court judgements that protect “personal information” (PI). These differ from country to country, and there is no guarantee that a policy copied from elsewhere will comply with the data protection laws that apply to you.
So be careful: your privacy policy may be totally wrong and inappropriate.
We often get asked to simply review a client’s privacy policy “for compliance”, and we frequently experience pushback when we explain that, before you can even think about reviewing or drafting your privacy policy, you need to have a privacy strategy in place and should also have conducted a Privacy Impact Assessment (PIA).
The purpose of a privacy policy
At the end of the day, a privacy policy must:
- be designed to allay consumers’ concerns about the manner in which their PI is being treated and make them feel comfortable about doing business with you; and
- satisfy the legal requirements of the law and the sectoral Codes of Conduct provided for in data protection law – if you are doing business on a global basis, you will also have to comply with international privacy laws.
Many privacy policies in existence have only focused on the former. Drafting a privacy policy that complies with law, whilst addressing consumer sensitivities and reflecting business objectives, is a tremendous challenge.
You must update your privacy policy often
Furthermore, many organisations assume that once their privacy policies are in place, the job is completed. This is a mistake. Every time content or services are added, or website functionality changes, there is a risk of exposing users to privacy breaches and contravening the law.
Don’t forget internal employee privacy policies
When we talk about privacy policies, most organisations only focus on their external, public-facing privacy policy, which is distributed to customers and made available on the website. However, a separate privacy policy needs to be in place to govern the way you manage data internally, including your employee PI. This policy must be clearly written as employees need to understand what is expected of them, the reasons behind expectations, and the consequences if they fail to meet their obligations.