Business owners and employers know they need to comply with privacy laws, but the scope of the compliance has expanded. In the past, organizations created general privacy policies, posted them on their websites, and went about their business. Today, privacy compliance requires more. Organizations must complete both external and internal tasks to create a successful privacy program.
External Compliance
To achieve external compliance, you should view your organization’s website from a customer’s perspective and make privacy information clear and readily available. A customer should see links to privacy notices and applicable policies when they first visit the site.
Typically, when visiting an organization’s website, customers are greeted with a popup explaining how the website uses cookie data. You should add a sentence inviting users to visit the privacy policy if they have questions. The invitation gives users an opportunity to learn about the company’s privacy practices before you collect their information.
Privacy notices should include:
- Sources you use to gather personal information (e.g., website, employment listings, advertising and marketing, and trade shows);
- Categories of data collected;
- Specific pieces of data gathered within those categories;
- Whether the information is pulled together directly from an individual or a third party;
- Whether you sell the information to third parties; and
- Phone number and e-mail address where users can submit privacy questions.
Although the above content will help show your business is taking privacy seriously, compliance requires internal work as well.
Internal Compliance
Internally, you should adopt policies and procedures, train your employees on the privacy requirements, create an incident-response protocol, and establish a method for evaluating privacy risks.
Adopt policies. Your internal privacy policies and procedures should reflect the legal requirements of privacy regulations such as the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR). When conducting an investigation, privacy regulators always ask for a copy of an organization’s policies and procedures. Having the paperwork developed and ready at a moment’s notice only makes sense.
Train employees. Each year, you should identify any employees who may collect customers’ data and set a target date to train them along with your new hires. The training program should clearly explain key privacy terms, what qualifies as a data incident or a privacy request, and how to report them.
Create protocols. To create an effective incident-response protocol, you should purchase cyberliability insurance, elect an employee as a response coordinator, and construct a simple flow chart explaining how the organization escalates and responds to incidents. Every employee should receive a copy of the protocol. You should test the process at least once a year so employees know how to respond when an incident occurs.
Evaluate risks. When you adopt a new process, product, service, software, or hardware, your organization should have a method for evaluating whether it creates privacy risks. Ideally, you should conduct a privacy review early in the adoption lifecycle to identify risks and develop strategies to mitigate them before implementation. By documenting and addressing the risks, you demonstrate a serious approach to privacy.
Bottom Line
Privacy is a complicated, amorphous topic that changes from year to year. Processes that have been effective in the past won’t work in today’s complex legal environment. Accordingly, you must adopt external and internal privacy policies and procedures to ensure a successful privacy program.
Tsutomu L. Johnson is a Privacy Attorney at Parsons Behle & Latimer. You can reach him at tjohnson@parsonsbehle.com.