Nowadays there is often a lack of understanding of why and how privacy policy is important for any organization that processes personal data. This blog post sheds light on the notion of the privacy policy, its importance, structure, and enforcement. Hopefully, after reading this blog you will be able to understand the reasons why privacy policy should be considered as a building block of the privacy program. Thus, this blog tends to explain the reasons why privacy policy must be carefully established, continuously monitored, enforced in practice, and updated. In other words, to answer the question: why does privacy policy matter?
Privacy policy is not just a privacy statement
There is a common perception that a privacy policy is a document that serves to inform individuals whose data is processed about data processing practices as well as data protection rights. This understanding is not a misperception, but it is too narrow. Moreover, the common perception about privacy policy often distorts or underestimates the significance of privacy policy.
Whereas many see just unimportant semantical differences between the privacy policy and privacy statement, privacy professionals make clear distinctions between these concepts. Namely, the internal document addressed to employees in one organization that clearly states how personal information will be handled to meet organizational needs (as well as regulatory requirements) is understood as a privacy policy. So, it is a document communicated internally, to those that should take care of the operational aspect of data processing. A privacy notice or privacy statement is to be seen as external communication to data subjects (e.g. customers) and it describes how the organization collects, uses, shares, retains, discloses, or otherwise processes personal data.
Terminological differentiation between the privacy policy and privacy statement (notice) should not be taken for granted. There is often confusion (even among privacy professionals) about how privacy policy differs from privacy notice (statement). Thus, it is quite usual to come across sources (titled as a privacy policy) that state how personal data is processed (g. at some website). The practice of using semantical determent ‘privacy policy’ for privacy statement (or privacy notice) is not unlawful. However, what is more important for an organization that processes personal data and does care about proper privacy governance, is to develop a document (policy) that defines all aspects of data protection in the organization. Thus, the privacy policy should include how the privacy statement (notice) will be formed, what it will contain and how it will be addressed.
Transparency and privacy policy
If we turn to the relevant provisions of the GDPR, it would not be difficult to infer that there is no explicit requirement to create and publish (make available) a document titled as the privacy policy. However, the GDPR laid down the scope of relevant information about persoas the privacy policy. However, the GDPR laid down the scope of relevant information about the personal data processing that must be presented and properly communicated to data subjects. Information about an entity that processes data, the purpose of data processing, the legal basis for lawful processing, who receives data, where the data is transferred, and where the data has been obtained (if it is received from a third-party and not from a data subject directly), must be provided to the data subject. Therefore, it would not be wrong to claim that the privacy policy is a legal document that contains information about the practice of personal data processing.
Apart from the requirements that should be included in the policy, the GDPR imposes another set of requirements. It pertains to how necessary information should be communicated. The GDPR states that information about data processing practice should be provided ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’. Obviously, the presentation of information should be tailored in a way that enables an average representative of the targeted audience to understand applicable facts without difficulties. There is no universal way to accomplish this task, but avoiding legal jargon, using the multi-layered presentation of facts (starting from the most general toward specific ones), or even the use of visualizations such as icons or video tutorials are recommendable. So, we may sum up that privacy policy is not only a means that contains necessary information about personal data processing but also that properly communicates them to the targeted audience.
Privacy governance and privacy policy
Privacy governance refers to activities and components that lead a privacy function to compliance with privacy and data protection regulation as well as to support business (or other types of) objectives. One of them refers to the development and enforcement of privacy policy. Thus, privacy policy could be viewed also as a document that governs the privacy objectives and strategic orientation of an organization regarding privacy and data protection. This document is supposed to derive from an organization’s privacy and data protection mission and vision, and thus it is the highest-level document that regulates the privacy program. It should stipulate the development of additional sources of self-regulation such as additional policies, procedures, protocols, and guidelines to strengthen privacy governance.
From the above, it would not be wrong to claim that the purpose of the policy is to regulate privacy programs by establishing foundations for the execution of the program in practice. Therefore, policy should adequately define what it protects, determine roles and responsibilities, and properly explain data protection principles, rights, and obligations.
Having a privacy policy is not enough
As might be seen, it is fundamentally important to design a policy that would cover relevant privacy and data protection aspects. However, we should not forget that the term ‘policy’ refers not only to a set of written principles but to actionable items and the implementation of principles in practice. Therefore, any privacy policy must be wisely communicated among different functional groups (e.g. CEO, HR, DevOps, IT) for the purpose of the policy implementation. Different groups must have a fundamental understanding of privacy importance and data protection to support independent initiatives and projects that contribute to the privacy program. By doing so, supportive policies that provide practical guidance on potential issues or specific intent could be developed. For instance, an information security policy (as well as accompanying procedures, protocols, and guidelines) could be introduced. This policy also protects data but for different purposes, by use of different tools, and engaging different sources.
Implementation of the policy in practice is a long-term and demanding process. There is no universal advice on how to carry this out but having educational and awareness campaigns is a recommended option. Apart from educating people about privacy and data protection functions, it is also important to conduct monitoring, control, and assess the state of data protection readiness. In that way, potential gaps in the privacy program could be identified. As a follow-up, privacy policy could be properly updated, and additional sources of self-regulation could be developed and enforced.
Conclusion
Having a well-developed and effectively communicated privacy policy is a building block of any privacy program. It ultimately serves to protect personal data during and after processing operations. However, creating the policy does not mean that data users (e.g. employees) can understand, follow, and implement the policy. For that purpose, supportive elements are needed such as training and awareness campaigns, as well as additional documents that will reinforce basic concepts in practice.
The privacy policy is a living document. It must be regularly adapted to cover emerging facts regarding data processing, evolvement of the business environment that affects data protection, development of legislation and regulation, and many more. This policy has a transversal nature which means that the implementation of privacy policy prevails over most processes in an organization. Additionally, it is a document tightly linked with ethical discourse concerning data protection and hence it specifies some of the ethical principles laid down by ethics policy and privacy mission and vision. Therefore, privacy policy cannot be seen as an isolated source of regulation. It is rather to be regarded as a bridge between properly setting up ethical principles on one side and operational rules on another.
