Feb 01
GDPR Checklist: Understand, Plan and Take Action.

Policies and governing documentation as part of an organisation’s privacy program

Privacy Policy

It goes without saying that, in a privacy management program, a privacy policy plays a critical role by providing a framework for how personal data will be handled throughout the organisation. It governs the privacy goals and strategic direction of the organisation’s privacy team and helps to ensure that individuals’ personal information is collected, used and shared in a manner that is consistent with applicable laws and regulations, as well as with the organisation’s own ethical standards.

An important note here is that, by privacy policy, we mean an internal document addressed to employees and internal data users. This document lays out the details of how personal data will be handled, kept and shared internally, in a way that satisfies the company’s requirements and all applicable laws and rules. In practice, the term privacy policy may also refer to an external communication to data subjects which explains how the organisation collects, uses, shares and stores personal data. This is sometimes called the provision of fair processing information (e.g., Articles 13 and 14 of the GDPR), and such external documents may also be labelled ‘privacy notice’, ‘privacy notification’, etc. In this article, however, privacy policy means the internal document described above.

But what general principles should privacy policy comply with to become a good piece of the overall organisation’s compliance machine? Well, a decent privacy policy should:
– be considered at (and approved by) the highest level of management (e.g., ExCom, functional Vice-President, depending on the structure);
– be easy for everyone in the organisation to read and understand;
– be straightforward, yet cover all the necessary information;
– have clear instructions and goals, that are measurable and verifiable;
– be in line with the organisation’s standards in terms of format, layout and purpose, in order to achieve the company’s goals.

There is no uniform industry standard on what information a privacy policy must contain. However, a privacy policy is a high-level document aimed at providing a general framework, and its structure should reflect this nature. So, it would be fair to say that a good privacy policy should typically contain the following components:
– The purpose of the policy, which explains the reasons for its existence and the goals it aims to achieve;
– The scope of the policy, which defines resources (such as facilities, technology, and personnel) covered by the policy;
– The ‘roles and responsibilities’ section that allocates and describes specific roles and responsibilities for protecting privacy within the organization, often supervised by a designated privacy officer or manager, or someone senior (e.g., Vice-President of Legal/Compliance, CIO, etc.);
– Issues relating to compliance with relevant laws and regulations, which can include measures for ensuring compliance within the organization, explanation of data subject rights applicable in the specific jurisdiction, penalties for violations, and understanding other consequences of non-compliance;
– Points of contact (i.e., relevant stakeholders that should be contacted for further information and guidance);
– Revision rules and history (normally, a good privacy policy should be regularly revised – where this is deemed to be necessary or at least every two years).

Associated policies and low-level documentation

As mentioned above, privacy policy is a high-level document, which means that it surely needs to be supplemented with associated policies and documents to work effectively together. Those might be subordinate low-level documents (like privacy manuals, employee privacy handbooks, data subject requests and data breach procedures, etc.), as well as related supporting documentation. Among that supporting documentation might be, inter alia:
– various Information Security policies and manuals;
– acceptable use policy (AUP) – it normally establishes guidelines for appropriate and inappropriate use of the organization’s network or internet access, which the user must agree to in writing or electronically;
– vendor management policies – designed to guide the organisation in managing relationships with third-party vendors, covering all aspects of the process, from procurement to termination. These policies may outline specific requirements for vendors, training for employees, vendor and related risk assessment procedures, etc.;
– data retention and deletion policies;
– Human Resources policies – normally, HR policies that organisations may consider include, from a privacy standpoint, policies for handling applicant information, conducting employee background checks, managing access to employee data, ending access, allowing bring your own device (BYOD) scheme, regulating social media use, monitoring employees and workplace, and employee health programs.

Implementation of policies

It is not enough to just develop a privacy policy and the associated policies and governing documentation. It is equally important to ensure that all of them are properly aligned with each other, comply with applicable legal and other requirements, and effectively work together towards compliance. This can be especially challenging for organisations operating in different countries across the globe, where legal requirements, industry practices and case law may differ considerably, while different functions and departments inside the organisation may have diverse privacy needs. In global multinational companies it may also be the case that different legal entities (branches of the international group of companies) have different privacy budgets and resources, thus affecting the timeline and/or effectiveness of how policies are implemented locally. A good (and realistic) privacy program should take all these issues into account and properly address them.
In addition, one should not overlook that, to transform formal policies and documentation into a mechanism that works in practice, personnel in an organisation must be duly trained. Training and awareness campaigns for personnel are important tools for ensuring that employees have the knowledge and skills necessary to perform their jobs effectively and safely and are able to react properly in various circumstances. These campaigns can include a variety of training methods, such as face-to-face training, online webinars, e-learning courses and table-top exercises. They can also include awareness-raising activities, such as seminars, workshops and informational materials, to help employees understand the importance of certain issues and behaviours.
