- Determine the audience
- Understand the business
- Analyze the legal requirements
- Develop the content of the policy
Privacy notices and policies are important for both external and internal purposes.
- A privacy notice is generally an external notice used to notify the public of the organization’s privacy practices.
Determine the audience
- An external-facing privacy notice typically addresses the general public, customers, users of the website, products, services, and other third parties.
Understand the business
- Review the business products/services, processes, systems, business applications, and third parties that interact with personal information.
- Identify privacy issues inherent to particular business processes, systems, or third-party relationships.
- Identify and address the operational challenges of deploying privacy notices and policies. Key considerations include the types of technology and platforms used, as well as the user’s experience.
Analyze the legal requirements
- Research and analyze relevant state, federal, and international privacy regulations applicable to the organization.
Develop the content of the policy
- Determine what information is collected.
  - Identify the specific personal data elements collected by your organization.
  - Use the data inventory to outline all the types of data your organization collects from users, including basic demographic information, IP addresses and other log file data, device identifiers, financial information, medical/health care information, biometric information, etc.
- Determine how information is collected.
  - Consider whether your organization collects information about users’ devices, including IP addresses, cookies, website beacons, widgets, mobile devices and mobile app activities, connected devices, IoT, etc.
  - Identify where personal information is collected from a third party rather than directly from the data subject.
  - Identify whether your organization buys personal information.
- Determine how information is used.
  - Identify and describe each of the current business purposes for using personal information.
  - Describe your practices only as they actually are (“current state”), not how they will be or should be (“future state”); i.e., avoid references to anticipated business use cases.
  - Regularly update your policy as business purposes change.
- Determine how information is stored and secured.
  - Identify how personal information is stored and the retention periods for keeping it.
  - Identify how your organization ensures the physical, technical, and administrative security and privacy of personal information.
    - Physical safeguards are ways you protect the company’s physical office or paper documents, such as locked drawers, a receptionist during office hours, badge access to office space, and a clean desk policy.
    - Technical safeguards describe ways digital information and workspaces are protected, such as firewalls, secure servers, encryption, intrusion-detection tools, and password-protected devices.
    - Administrative safeguards are internal policies and rules designed to keep information safe, such as role-based access controls, documented and enforced data retention policies, requirements that employees treat personal information as confidential, and so on.
- Determine why and to whom personal information is disclosed.
  - Determine the purposes for sharing personal data.
  - Identify the categories of third parties with whom personal information is shared (e.g., service providers, affiliates, business partners).
  - Identify whether the business engages in the sale of personal information, and if so, identify the categories of personal information sold.
- Describe any rights and consent preferences offered to individuals.
  - State whether individuals may access, update or correct, or request deletion of their personal information, and how.
  - State whether individuals may restrict the use of their personal information or object to its processing, and how.
  - State whether the company will provide a copy of the individual’s personal information, either to the individual or to another company on the individual’s behalf.
  - Describe the types of consent preferences that individuals may exercise (e.g., whether individuals can opt out of direct marketing, targeted advertising, communications, or the sale of personal information).
  - State whether individuals have a right to lodge a complaint with the organization and/or another third-party entity (such as a regulatory body).
- Consider a layered structure, which provides sufficient notice, legitimacy and transparency to the users:
- Proofread to ensure accuracy, consistency and compliance with style guidelines.
- Obtain legal approval of the content and sign-off for distribution.
- Have non-privacy professionals, including colleagues in other fields, read the policy to ensure it is easy for the average person to understand and navigate.
- Institute a periodic review of the policy to ensure it reflects the most current data practices of the business and complies with applicable laws.
- Archive older versions of the policy for reference.