Today, organizations that process personal data often do not understand why and how privacy policies matter to them. This article explains the concept of a privacy policy, its importance, its structure and its enforcement. It sets out why a privacy policy should be carefully established, continuously monitored, enforced in practice, and kept up to date. In other words, it tries to answer the question: why are privacy policies important?
A privacy policy is more than just a privacy statement
There is a general perception that a privacy policy is a document intended to inform the individuals whose data are being processed about the organization's data processing practices and about their data protection rights. This understanding is not wrong, but it is too narrow. Popular perceptions of privacy policies also tend to distort or underestimate their importance.
Although many people think there is only a minor semantic difference between a privacy policy and a privacy statement, privacy experts draw a clear distinction between the two. A privacy policy is an internal document addressed to an organization's employees that states how personal information will be processed to meet the organization's needs and its regulatory obligations. It is an internally communicated document that covers the operational aspects of data processing. A privacy notice or privacy statement, by contrast, is an external communication to data subjects (such as customers) that explains how the organization collects, uses, shares, retains, discloses, or otherwise processes their personal data.
The terminological difference between a privacy policy and a privacy statement (notice) should not be taken for granted. There is often confusion, even among privacy experts, about how the two differ, so it is common to come across a document titled "privacy policy" that merely tells the public how personal data is processed (for example, on websites). Labeling a privacy statement (or notice) a "privacy policy" in this way is not illegal. What matters more for an organization that processes personal data and cares about good privacy governance is to create an actual policy: a document that defines all aspects of data protection within the organization. That policy should, among other things, specify how the privacy statement (notice) is drafted, what it must contain, and how it is maintained.
Transparency and Privacy Policy
Looking at the relevant provisions of the GDPR, it is not hard to see that there is no explicit requirement to create and publish a document titled "Privacy Policy". The GDPR does, however, define the information about the processing of personal data that must be presented and properly communicated to data subjects (Articles 13 and 14). This includes, among other items, the identity of the entity processing the data, the purposes of the processing, the lawful basis for the processing, the recipients of the data, any transfers of the data to other countries, and, where the data were not obtained from the data subject, their source. It is therefore not wrong to describe a privacy policy as a legal document containing information about an organization's personal data processing practices.
Apart from the content requirements, the GDPR imposes another set of requirements: how the required information is conveyed. Article 12 states that information about data processing practices should be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language." The presentation should therefore be tailored so that an average member of the intended audience has no trouble understanding the relevant facts. There is no universal way to accomplish this, but avoiding legal jargon, presenting facts in layers (from the most general to the most specific), and using visuals such as icons and short video explanations are all recommended. A privacy policy therefore not only contains the necessary information about the processing of personal data, but is also a means of communicating it adequately to the intended audience.
Privacy Governance and Privacy Policy
Privacy governance refers to the structures, roles and activities that keep an organization's processing of personal data compliant with privacy and data protection regulations while supporting its business (or other) objectives. One of these activities is the development and implementation of privacy policies. A privacy policy can therefore also be viewed as the document that sets an organization's privacy goals and its strategic direction on privacy and data protection. It should be derived from the organization's privacy and data protection mission and vision, which makes it the highest-level document defining a privacy program. It should also provide for the development of further sources of self-regulation, such as additional policies, procedures, protocols and guidelines, that strengthen privacy governance.
All of this makes it fair to say that the purpose of the policy is to govern the privacy program by establishing the foundations on which it actually runs. The policy should therefore adequately define what is protected, assign roles and responsibilities, and describe the principles, rights and obligations of data protection.
Having a privacy policy is not enough
As the preceding sections show, it is of fundamental importance to design a policy that covers the relevant privacy and data protection aspects. It should be remembered, however, that the term "policy" refers not only to a set of documented principles but also to the actionable items and the actual implementation of those principles. Privacy policies therefore need to be communicated sensibly among the various functional groups (executive management, HR, DevOps, IT, etc.) whose cooperation implementation requires. Each group should have a basic understanding of why privacy and data protection matter, so that it can support independent initiatives and projects that contribute to the privacy program. On that basis, supporting policies can be developed that give practical guidance on specific issues. For example, an information security policy (with accompanying procedures, protocols and guidelines) can be put in place. Such a policy also protects data, but it serves different purposes, uses different controls, and is derived from different sources (information security standards rather than data protection law).
Actual policy implementation is a long and demanding process. There is no universal recipe for it, but education and awareness campaigns are recommended. Apart from educating people about privacy and data protection, it is also important to monitor, control and assess the organization's data protection readiness, so that gaps in the privacy program can be identified. As a follow-up, the privacy policy can be updated accordingly and additional sources of self-regulation developed and implemented.
Conclusion
A well-developed and effectively communicated privacy policy is a core component of any privacy program. Ultimately, the policy serves to protect personal data during and after processing. Creating the policy, however, does not ensure that the people who handle the data (such as employees) understand, comply with, and implement it. That requires supporting elements such as training and awareness campaigns, as well as additional documentation that reinforces the basic concepts in practice.
A privacy policy is a living document. It needs to be revised periodically to reflect new facts about data processing, changes in the business environment that affect data protection, developments in laws and regulations, and so on. The policy is also cross-cutting in nature: implementing it touches most processes within an organization rather than a single department.