Well thought-out internal privacy policies and procedures are an essential part of any company’s information management program. These internal policies should not be confused with a company’s external privacy notice, which informs the company’s customers as to how it may process, store, and share their personal data. Rather, the company’s internal privacy policy sets forth company goals with respect to protected data and defines company procedures to ensure that those goals are met. Here are five top ways in which such policies are deficient.
1. The privacy policy isn’t properly documented
It goes without saying that a company’s privacy policies and procedures themselves should be written down and stored in an accessible location. But all of the underlying information giving rise to those policies and procedures should be thoroughly documented as well. This documentation should include a comprehensive description of the company’s systems, data, and data flows. Documenting this information along with the privacy policy will make it easier to identify when the circumstances underlying the policy have changed so that the policy is in need of an update (see #2 below). It will also ease any transition when new employees become responsible for the company’s information management program. Spending extra time up front to thoroughly inventory, understand, and document company data will pay dividends down the road.
2. The privacy policy hasn’t been appropriately updated
Businesses change over time. A company may enter a new line of business in which it gathers a new category of customer data. Or a company’s use of personal information may shift between aggressive and conservative over time. For example, a company may see an opportunity to position itself as a privacy leader in its industry, or it may have to tighten up its data protection practices to minimize reputational harm after a data breach. Such internal changes warrant a re-examination of the company’s privacy policy.
External changes happen as well. New laws and regulations in the field of data privacy are a seemingly daily occurrence. Businesses must account for these changes by appropriately revising their privacy policies. Moreover, even if a business periodically updates its privacy policy when a new law or regulation is passed, it must occasionally look at its privacy policy more holistically to ensure that it is in accordance with the company’s goals and the regulatory scheme as a whole.
3. There is one blanket policy that applies to all categories of data
Given the alphabet soup of laws that apply to privacy and data protection, a blanket privacy policy is often insufficient. Privacy laws differ in their definitions of what constitutes protected information. For example, a company may hold personally identifiable information under a state privacy law and also hold protected health information under HIPAA. These different categories of data may require separate privacy policies. Similarly, laws such as the GDPR categorize personal data separately from sensitive personal data with different grounds for processing each. Therefore, privacy policies must separately account for and deal with all of the categories of data that a company processes and place appropriate procedures and safeguards around each.
4. The policy does not appropriately limit defined user roles
Even where a privacy policy properly accounts for all categories of data within an organization, it still must ensure that only appropriate users and systems have access to that data. Any privacy policy must therefore establish appropriate access barriers across departments and lines of business. For example, while it may be appropriate to give a certain category of employee (e.g., managers) high-level access to company data within their department, it may not be appropriate to give that category of employee high-level access to company data across the organization. The privacy policy must account for this by ensuring that employees only have the access to company data necessary to carry out their job functions. While this adds a layer of complexity to the administration of user accounts and access rights, it is necessary to ensure that only those with a need to know have access to sensitive data.
5. The policy hasn’t been adequately communicated to the workforce
Even the best-conceived and most comprehensive privacy policy won’t do much good if it isn’t communicated throughout the organization. Moreover, simply posting the company’s privacy policy on the company intranet or including it in an employee handbook may be insufficient. Appropriate employees need training on the policy, with refresher training as policies evolve. Client- or customer-facing employees in particular warrant special attention, as they have to be able to externally communicate the contours of the company’s privacy policies and procedures. Regular internal communication about the company privacy policy also ensures that privacy is at the forefront of employees’ minds, rather than just an afterthought.
Developing a comprehensive internal company privacy policy and implementing procedures to put that policy into action is certainly not an easy task. It requires input from multiple stakeholders and buy-in from all levels of the corporate structure. Moreover, once a privacy policy is in place, it must be viewed as a living document that is regularly reviewed, analyzed, and updated. Nevertheless, having a complete and updated policy in place is essential to protect your company and your customers’ data.