With a national debate underway about the value of individual privacy and the protection of personal data, the importance of updating your organization’s privacy policies and adopting a set of best practices has never been more crucial. But privacy compliance requires more than just drafting and posting a privacy policy.
The framework of laws and regulations governing how organizations may handle customer data is global, complex and dynamic. In the United States, for example, an entity must comply with federal, state and local regulations, including a variety of industry-specific statutes, data breach notification laws, data retention laws, cookie tracking and do-not-track requirements and much more. Brands going global will be subject to a laundry list of foreign regulations, notably including major restrictions on cross-border data transfers.
Complying with, and anticipating, the growing and tangled web of worldwide privacy regulations requires more than just an auto-generated privacy policy – it requires a complete privacy management system for your business.
To get your business privacy compliant, here are seven essential steps to developing a comprehensive privacy framework.
Step Three: Draft
Once you have decided on your organization’s privacy framework, you will need to commit these policies to writing. The written framework should comprise a series of documents, each geared towards a different audience. A public-facing privacy policy – the type of document most often associated with the term “privacy policy” – can help inform the consuming public about how you handle personal data. Equally important are documents for employees, managers, vendors and partners. These documents will be the guidebooks you can use when making decisions about how to get your business where it needs to be.
Step Four: Implement
Now that you have codified your data privacy framework, it’s time to implement changes to get your business into alignment with your policies. A single manager dedicated to overseeing the implementation of these changes can make the process run smoothly. Most growing organizations dealing with personal data will need to hire or retain an individual to act as Chief Privacy Officer. The CPO can manage the implementation process by taking the identified deficiencies in privacy practices and breaking them down into specific milestones and deliverables. For most businesses, where the engineering, product and development teams are often overtasked with bugs, fixes, improvements and releases, it is important to have a C-level manager responsible for prioritizing data privacy implementations or to have a strong relationship with outside privacy counsel.
Step Five: Disclose
It’s not enough to simply draft a series of policies if no one ever knows about them. As soon as possible, you should post your public privacy policy to your website. If you’re a mobile business, it is imperative to post a tailored privacy policy to all ports (iOS, Android, etc.) and iterations of your applications.
If you’re sending or receiving data to and from third-party vendors or partners, you should disclose your policies to those organizations as well. It is often necessary to integrate your policies into your sales and vendor contracts, both to comply with international data transfer regulations and to insulate your business from liability caused by the actions of any third-party vendors.
You should also disclose your policies to your managers and employees. Setting up regular employee trainings on data privacy is a good way to ensure your team is on the same page and working towards the same goals.
Step Six: Grow
At its most fundamental level, business growth and development is a series of decisions made by executives, managers, engineers, product developers, in-house counsel and other teams within an organization. Business success is often a calculus of assumed risk weighed against potential reward. The purpose of a comprehensive privacy framework is to guide organizations in determining how much privacy risk to assume. Now that your organization has a series of policies in place for how to handle personal data, it is imperative to ensure that all decisions remain consistent with these policies. This will help mitigate unnecessary risk while at the same time cultivating innovation.
By this point, your privacy framework will be imbued not only in your written policies, but also in your organization’s mission and culture. A privacy-first culture can pilot your innovators to develop products that incorporate privacy by design. Privacy by design simply means that your organization’s data privacy framework is built into your products and services at the most fundamental level.
Step Seven: Rinse & Repeat
Two things are certain: your business will develop, expand and roll out new products and services as it grows, and governments around the world will legislate new rules. The European Union, for example, is currently undergoing a major overhaul to its data privacy program. Stateside, more state governments are enacting their own privacy regimes in the absence of meaningful federal regulations. The FTC is wielding the full extent of its administrative power to crack down on organizations that are not meeting a minimum threshold of privacy protection.
In order to maintain the privacy framework and culture your organization spent time and energy fostering, it is important to repeat these privacy management steps regularly. Quarterly reassessments of privacy practices can identify updates to your products or services that may not meet your own privacy standards. New regulations may also arise that require altering or amending your data privacy framework.
Gagnier Margossian LLP provides comprehensive data privacy solutions for businesses of all sizes. From developing a tailored data privacy framework & drafting policies to serving as an organization’s CPO and privacy manager, we offer a broad range of legal & consulting services aimed at getting and keeping your organization privacy compliant.
Los Angeles | Sacramento | San Francisco
T: 415.766.4591 | F: 909.972.1639 | E: consult@gamallp.com | gamallp.com | @gamallp