Feb 2, 2021
Privacy Policies & Procedures
In part 1 of our Guide to Data Privacy And Security, we touched on some processes that should be performed, and information you can gather prior to the development of your privacy program framework, followed by how you can build it. In this installment, Part 2: Policies And Procedures, we explore the "whys" and "hows" of privacy policies and procedures, and the role they play in data privacy.
Let's start with a fact: under privacy regulations, every company is obligated to publish a privacy notice on their website. Indeed, you should be concerned with a clear privacy statement for your potential clients and existing customers, but your responsibility in terms of documentation extends way beyond that.
Identifying Policy Stakeholders
Before answering the big "why's" and "how's" of privacy, it is important to identify your stakeholders as they range from the owners of these policies and processes to the audience that is intended to read and abide by the policy documents.
Ownership is always assigned to an individual or group of individuals who have control over the policy based on decision-making power. The audience must be considered so you can choose the appropriate language, style, and level of detail necessary to ensure the policy is clear and exhaustive. Adding a scope description to each document can also serve the document's purpose more efficiently. On the same note, describing roles and responsibilities can assign ownership to the different actionable items that are part of the document.
Policies, Procedures & Notices
The first important definition is to differentiate policies, procedures, and notices. These are three important concepts that will help you with drafting your privacy documentation.
Policies are meant to set the parameters for decision-making at a higher level, leaving some for flexibility. They show the "why" that serves as a guideline. On the other hand, procedures explain "how" things must be done from an operational standpoint detailing the step-by-step instructions for routine tasks and processes.
Considering these obligations, tools do exist to help controlling revision dates, versioning, approval, and categorizing the different types of documents. A few of these documents are:
Privacy Policy (or a Code of Practice)
Data Processing Impact Analysis Process
Supplier Assessment Process
Data Incident Response Process
Lastly, notices are the building blocks to everything you must and should be communicating externally. Notice requirements cover data processing activities under privacy regulations to inform customers and regulators about business practices, individual rights, and serve as a basis for informed consent and opt-out. Some of the different types of notices are:
Privacy Notice
Just-in-time notice
Data Subject Requests
Effective Internal Communication
Considering nowadays all companies deal with data on a daily basis, and data is an asset, the privacy policies and procedures must be endorsed by top management (by the Data Protection Officer, for example) and communicated within the company. Most of these guidelines cover cross-functional teams and might even relate to groups dispersed around the globe. This is when a cloud-based solution does the trick by being accessible anytime and anywhere.
In any event, before collecting any personal information, privacy notices should appear and must demand affirmative action from the audience (explicit opt-in). This is where the importance of these notices lies. One of the main reason's privacy regulations were formulated was to make sure individuals have control over their data and can make "informed decisions" (these are the exact words used in the General Data Protection Regulation text). Documenting why you are doing things, how you and your company perform such tasks, and ensuring all privacy policies and procedures are crystal clear to your clients is a legal requirement you must satisfy.
Summary
Policies and procedures are critical to defining and enforcing data privacy and compliance. Without them, your company would be missing both the overarching guidance that policies provide in everyday decision making, as well as the day-to-day processes to maintain compliance. Notices also play an important role in your program as they alert both internal and external stakeholders of any policy or procedural changes and communicate rights to consumers.
Stay tuned for part 3 in our guide to data privacy where we will be taking a look at accountability; why it is key to data privacy, and how it helps organizations manage data privacy compliance.
A Guide to Data Privacy and Security
Part 1: Preparing and Building Your Privacy Program Framework
Part 2: Policies and Procedures
Part 3: Accountability
Part 5: Supplier Assessment Process
Part 6: Data Processing Agreements
Part 7: Data Categorization and Mapping
Part 8: Privacy Assurance
How Can StandardFusion Help?
With StandardFusion, you can manage policies and procedures throughout their entire life cycle within a single tool. Develop your policies from the ground up or update them as needed with our in-app document editor. Maintain different policy versions for auditing and assurance purposes. Define procedures and ensure they are followed by tracking the complete history of tasks performed and have easy access to associated supporting documents.
Take advantage of an automated, single source of truth and manage your policies, procedures and notices within your privacy program using StandardFusion. Request your demo today!