GAMABrief:
Beyond the Privacy Policy: Privacy Management in Seven Steps
With a national debate underway about the value of individual privacy and the protection of personal data, the importance of
updating your organization’s privacy policies and adopting a set of best practices has never been more crucial. But privacy
compliance requires more than just drafting and posting a privacy policy.
The framework of laws and regulations governing how organizations may handle customer data is global, complex and dynamic.
In the United States, for example, an entity must comply with federal, state and local regulations, including a variety of industry-specific statutes, data breach notification laws, data retention laws, cookie tracking and do-not-track requirements and much
more. Brands going global will be subject to a laundry list of foreign regulations, notably including major restrictions on cross-border data transfers.
Complying with, and anticipating, the growing and tangled web of worldwide privacy regulations requires more than just an auto-generated privacy policy – it requires a complete privacy management system for your business.
To get your business privacy compliant, here are seven essential steps to developing a comprehensive privacy framework.
Step One: Assess
The first step requires your business to ask two questions: (1) what data do we collect, and (2) how are we using, storing and
transferring that data? A privacy audit by an independent third party can help identify data collection events, classify the sensitivity
of the data collected and ascertain who has access to the data and how securely the data is stored.
Step Two: Plan
Planning may be the single most important aspect of adopting a comprehensive privacy framework. This step calls for comparing
your organization’s current data privacy practices to applicable laws and regulations. A data privacy attorney can tell you which
laws apply to your specific business based on your industry, geography and the type of data you collect. In addition, privacy
counsel can advise you as to the trends in regulations around the globe to give you an idea of where the rules are headed. These
data privacy “best practices” represent a target toward which an organization can strive.
After determining the applicable laws and industry best practices, it is necessary to decide on policies to help guide your
organization’s decision-making as it relates to personal data. What data will you collect? Who on your team will have access to
that data? How long will it be stored? Will you transfer it to third parties? Will you sell it to third parties?
To help with this, consider that the gap between data privacy best practices (i.e., where the regulations are headed), and your
organization’s current privacy practices, constitutes legal and business risk. As a formula,
Privacy Best Practices - Current Privacy Practices = RISK
Legal risk comes in the form of potential regulatory sanctions from administrative bodies, such as the Federal Trade Commission
(FTC), or litigation. Business risk manifests itself as loss of consumer confidence and trust. Both can be devastating to a business in
a consumer industry. In order to decide how you will handle personal data, you will need to determine how much risk your
business is truly willing to assume. Making this decision will allow you to craft organizational policies that can guide your business’s
current and future actions. We refer to these overarching policies as a data privacy framework.

A GAMA White Paper produced by Brandon Wiebe. © 2013. Gagnier Margossian LLP. All rights reserved.
Step Three: Draft
Once you have decided on your organization’s privacy framework, you will need to commit these policies to writing. The written
framework should comprise a series of documents, each geared towards a different audience. A public-facing privacy policy – the
type of document most often associated with the term “privacy policy” – can help inform the consuming public about how you
handle personal data. Equally important are documents for employees, managers, vendors and partners. These documents will be
the guidebooks you can use when making decisions about how to get your business where it needs to be.
Step Four: Implement
Now that you have codified your data privacy framework, it’s time to implement changes to get your business into alignment with
your policies. A single manager dedicated to overseeing the implementation of these changes can make the process run
smoothly. Most growing organizations dealing with personal data will need to hire or retain an individual to act as Chief Privacy
Officer. The CPO can manage the implementation process by taking the identified deficiencies in privacy practices and breaking
them down into specific milestones and deliverables. For most businesses, where the engineering, product and development
teams are often overtasked with bugs, fixes, improvements and releases, it is important to have a C-level manager responsible for
prioritizing data privacy implementations, or to have a strong relationship with outside privacy counsel.
Step Five: Disclose
It’s not enough to simply draft a series of policies if no one ever knows about them. As soon as possible, you should post your
public privacy policy to your website. If you’re a mobile business, it is imperative to post a tailored privacy policy for every platform
(iOS, Android, etc.) and every version of your applications.
If you’re sending or receiving data to and from third party vendors or partners, you should disclose your policies to those
organizations, as well. It is often necessary to integrate your policies into your sales and vendor contracts, both to comply with
international data transfer regulations as well as to insulate your business from liability caused by the actions of any third party
vendors.
You should also disclose your policies to your managers and employees. Setting up regular employee trainings on data privacy is a
good way to ensure your team is on the same page and working towards the same goals.
Step Six: Grow
At its most fundamental level, business growth and development is a series of decisions made by executives, managers, engineers,
product developers, in-house counsel and other teams within an organization. Business success is often a calculus of assumed risk
weighed against potential reward. The purpose of a comprehensive privacy framework is to guide organizations in determining
how much privacy risk to assume. Now that your organization has a series of policies in place for how to handle personal data, it
is imperative to ensure that all decisions remain consistent with these policies. This will help mitigate unnecessary risk while at the
same time cultivating innovation.
By this point, your privacy framework will be imbued not only in your written policies, but also in your organization’s mission and
culture. A privacy-first culture can pilot your innovators to develop products that incorporate privacy by design. Privacy by design
simply means that your organization’s data privacy framework is built into your products and services at the most fundamental
level.
Step Seven: Rinse & Repeat
Two things are certain: your business will develop, expand and roll out new products and services as it grows, and governments
around the world will legislate new rules. The European Union, for example, is currently undergoing a major overhaul to its data
privacy program. Stateside, more state governments are enacting their own privacy regimes in the absence of meaningful federal
regulations. The FTC is wielding the full extent of its administrative power to crack down on organizations that are not meeting a
minimum threshold of privacy protection.
In order to maintain the privacy framework and culture your organization spent time and energy fostering, it is important to
repeat these privacy management steps regularly. Quarterly reassessments of privacy practices can identify updates to your
products or services that may not meet your own privacy standards. New regulations may also arise that require altering or
amending your data privacy framework.
Gagnier Margossian LLP provides comprehensive data privacy solutions for businesses of all sizes. From developing a tailored data privacy framework & drafting policies to serving as an organization’s CPO and privacy manager, we offer a broad range of legal & consulting services aimed at getting and keeping your organization privacy compliant.

Internet | Intellectual Property | Privacy | Social Media | Technology | The Good Stuff
#nerdlawyers
Los Angeles | Sacramento | San Francisco
T: 415.766.4591
F: 909.972.1639
E: consult@gamallp.com
gamallp.com
@gamallp
  • 3. In order to maintain the privacy framework and culture your organization spent time and energy fostering, it is important to repeat these privacy management steps regularly. Quarterly reassessments of privacy practices can identify updates to your products or services that may not meet your own privacy standards. New regulations may also arise that require altering or amending your data privacy framework. Gagnier  Margossian  LLP  provides  comprehensive  data  privacy  solu7ons  for  businesses  of  all  sizes.  From  developing  a   tailored  data  privacy  framework  &  draAing  policies  to  serving  as  an  organiza7on’s  CPO  and  privacy  manager,  we  offer  a   broad  range  of  legal  &  consul7ng  services  aimed  at  geSng  and  keeping  your  organiza7on  privacy  compliant. Internet Intellectual Property Privacy Social Media Technology The Good Stuff #nerdlawyers Los Angeles Sacramento T: 415.766.4591 F: 909.972.1639 E: consult@gamallp.com gamallp.com @gamallp San Francisco