Does your organization need a privacy policy?

You may have been told that your organization needs a privacy policy if you’re processing people’s personal data.

However, did you know this is only the case if you are subject to specific laws?

In this blog, we explain the circumstances under which you’re required to create a privacy policy, and why you may benefit from having one.

Privacy policies and the GDPR

Any discussion of data protection and privacy invariably begins with the GDPR (General Data Protection Regulation), even for U.S. businesses.

That's because many organizations process the personal data of people in the EU and are therefore subject to its requirements.

Remember, the GDPR's territorial scope (Article 3) is not limited to organizations established in the EU: it also applies to organizations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour. Where the people whose data you process are located matters as much as where you are.

So, what does the GDPR say about privacy policies?

Article 12 requires controllers to provide the information listed in Articles 13 and 14 "relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language."

Recital 60 adds that this information may be combined with standardised icons "to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing."

Essentially, this means that you must create a privacy policy to inform data subjects about the types of data you're collecting and what you're doing with it, including who you are, why you process the data and on what legal basis, who you share it with, how long you keep it, and what rights individuals have.

A GDPR-compliant policy should also explain how you are collecting data, e.g. through a form, cookies or in person, and, where you did not obtain the data from the individual directly, where it came from.

What about other laws?

The GDPR is just one of many laws that include requirements for privacy policies.

Indeed, the U.S. data protection landscape consists of a patchwork of sector-specific and medium-specific laws, including some that address telecommunications, health information, credit information, financial institutions, and marketing.

Certain states have enhanced their privacy laws to require that businesses operating under their jurisdiction meet specific privacy and cybersecurity standards.

If you do business in, or target residents of, California, Connecticut, Delaware, Michigan, or Nevada, you may be subject to state laws that require you to publish details of your data processing.

Likewise, if you deal with sensitive information or special categories of personal data, certain laws may require you to disclose details of the processing related to this sensitive data.

Even if there isn't a law requiring you to create a privacy policy, you may have a contractual obligation to produce one. For example, many third-party data brokers and other "data processors" have flow-down language in their vendor contracts requiring partners to publish privacy information.

Benefits of creating a privacy policy

Although it may feel like a burden to create a privacy policy, you’ll find that doing so is good for business.

The aim of a privacy policy is to protect individuals and organizations from data protection and privacy violations.

By clearly outlining how you handle data, you give your customers and stakeholders assurance that you're using it responsibly, which can be a competitive advantage.

Privacy policies also provide a framework to help you understand what you can and can’t do with personal data. With clearly defined rules, you’ll avoid data handling practices that may put sensitive information at risk – thereby mitigating the possibility of a data breach or privacy violation.

Be careful about what you include

When you write a privacy policy, you are committing publicly to what you will and won't do with personal data. Whether those commitments are mandated by laws such as the GDPR or are simply your internal rules, you must ensure that your actual practices don't stray from them.

If they do, you may be liable under UDAP (Unfair and Deceptive Acts and Practices) statutes: a policy that misstates what you do with data can itself be treated as a deceptive practice. These statutes are enforced by state attorneys general (and, at the federal level, by the FTC under Section 5 of the FTC Act), and some carry large penalties.

To mitigate this risk, you should consider seeking expert advice when creating your privacy policy.

Our Privacy as a Service solution is an ideal option for those who want comprehensive advice on their data privacy strategy.

With this subscription service, our experts review your policies and processes, ensuring they comply with relevant laws, including the GDPR, CPRA (California Privacy Rights Act), and New York’s SHIELD Act.


A version of this blog was originally published on 13 March 2019.
