Utah Business

Privacy: It’s more than an update to the website

Organizations recognize they need to comply with privacy laws; however, the scope of that compliance has expanded. In the past, organizations created general privacy policies, posted them on their websites and went about their business. Today, privacy compliance requires more. Organizations must complete both external and internal privacy tasks to create a successful privacy program. 

External Compliance

To achieve external privacy compliance, organizations should view their website from the perspective of a customer and make privacy information clear and readily available. A customer should see links to privacy notices and applicable privacy policies when they first visit the website. 

Typically, when visiting an organization’s website, customers are greeted with a popup explaining how the website uses cookie data. Organizations should add a sentence inviting users to visit the organization’s privacy policy, if they have privacy questions. That invitation gives every user an opportunity to learn about the organization’s privacy practices before the organization collects the user’s information. 

Privacy notices should include: 

  • Sources an organization uses to gather personal information (e.g. website, employment listings, advertising and marketing, and trade shows) 
  • Categories of data gathered 
  • Specific pieces of data gathered within those categories 
  • Whether the information is gathered directly from an individual or from a third party 
  • Whether the organization sells that information to third parties
  • A phone number and email address where users can submit privacy questions to the organization

Although the above content will help demonstrate that an organization is taking privacy seriously, privacy compliance requires internal work as well. 


Internal Compliance

Internally, an organization should adopt policies and procedures, train its employees on privacy requirements, create an incident response protocol and create a process for evaluating privacy risks. 

Organizations must adopt internal privacy policies and procedures reflecting legal requirements of privacy regulations such as the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR). When conducting an investigation, privacy regulators always ask for a copy of an organization’s policies and procedures. Having this paperwork developed and ready at a moment’s notice only makes sense.  

Each year, organizations should identify which employees may collect customers’ data and set a target date to train those employees as well as new hires. The training program should clearly explain key privacy terms, what qualifies as a data incident or a privacy request and how to report data incidents and privacy requests. 

To create an effective incident response protocol, organizations should purchase cyberliability insurance, elect an employee as an incident response coordinator and create a simple flow chart explaining how the organization escalates and responds to incidents. Every employee should receive a copy of the incident response protocol. Organizations should test the response process at least once a year so employees know how to respond when an incident occurs. 

Organizations must have a method for evaluating privacy risks. When an organization adopts a new process, product, service, software or hardware, the organization should have a method for evaluating whether that addition creates privacy risks. Ideally, the organization should conduct a privacy review early in the adoption lifecycle to identify risks early and develop strategies to mitigate those risks prior to implementation. By documenting and addressing risks, an organization demonstrates a serious and proactive approach to privacy. 

Privacy is a complicated, amorphous topic that changes year to year. Processes that have been effective in the past won’t work in today’s complex legal environment. Accordingly, organizations must adopt external and internal privacy policies and procedures to ensure a successful privacy program. 

Tsutomu Johnson is a privacy attorney at Parsons Behle & Latimer and is the CEO of Parsons Behle Lab, a software company that provides automated legal documentation for complying with privacy laws such as the GDPR and the CCPA. His email is [email protected] and his phone number is 801-536-6903.