[BreachExchange] 5 Ways In Which Your Company’s Privacy Policy Is Insufficient

Destry Winant destry at riskbasedsecurity.com
Wed Apr 10 01:51:15 EDT 2019


https://www.jdsupra.com/legalnews/5-ways-in-which-your-company-s-privacy-44530/

Well thought-out internal privacy policies and procedures are an
essential part of any company’s information management program.  These
internal policies should not be confused with a company’s external
privacy notice, which informs the company’s customers as to how it may
process, store, and share their personal data.  Rather, the company’s
internal privacy policy sets forth company goals with respect to
protected data and defines company procedures to ensure that those
goals are met.  Here are five top ways in which such policies are
deficient.

1. The privacy policy isn’t properly documented

It goes without saying that a company’s privacy policies and
procedures themselves should be written down and stored in an
accessible location.  But all of the underlying information giving
rise to those policies and procedures should be thoroughly documented
as well.  This documentation should include a comprehensive
description of the company’s systems, data, and data flows.
Documenting this information along with the privacy policy will make
it easier to identify when the circumstances underlying the policy
have changed so that the policy is in need of an update (See #2
below).  It will also ease any transition when new employees become
responsible for the company’s information management program.
Spending extra time up front to thoroughly inventory, understand, and
document company data will pay dividends down the road.

2. The privacy policy hasn’t been appropriately updated

Businesses change over time.  A company may enter a new line of
business in which it gathers a new category of customer data.  Or a
company’s use of personal information may shift between aggressive and
conservative over time.  For example, a company may see an opportunity
to position itself as a privacy leader in its industry, or it may have
to tighten up its data protection practices to minimize reputational
harm after a data breach.  Such internal changes warrant a
re-examination of the company’s privacy policy.

External changes happen as well.  New laws and regulations in the
field of data privacy are a seemingly daily occurrence.  Businesses
must account for these changes by appropriately revising their privacy
policies.  Moreover, even if a business periodically updates its
privacy policy when a new law or regulation is passed, it must
occasionally look at its privacy policy more holistically to ensure
that it is in accordance with the company’s goals and the regulatory
scheme as a whole.

3. There is one blanket policy that applies to all categories of data

Given the alphabet soup of laws that apply to privacy and data
protection, a blanket privacy policy is often insufficient.  Privacy
laws differ in their definitions of what constitutes protected
information.  For example, a company may hold personally identifiable
information under a state privacy law and also hold protected health
information under HIPAA.  These different categories of data may
require separate privacy policies.  Similarly, laws such as the GDPR
categorize personal data separately from sensitive personal data with
different grounds for processing each.  Therefore, privacy policies
must separately account for and deal with all of the categories of
data that a company processes and place appropriate procedures and
safeguards around each.

4. The policy does not appropriately limit defined user roles

Even where a privacy policy properly accounts for all categories of
data within an organization, it still must ensure that only
appropriate users and systems have access to that data.  Any privacy
policy must therefore establish appropriate access barriers across
departments and lines of business.  For example, while it may be
appropriate to give a certain category of employee (e.g., managers)
high-level access to company data within their department, it may not
be appropriate to give that category of employee high-level access to
company data across the organization.  The privacy policy must account
for this by ensuring that employees only have the access to company
data necessary to carry out their job functions.  While this adds a
layer of complexity to the administration of user accounts and access
rights, it is necessary to ensure that only those with a need to know
have access to sensitive data.

5. The policy hasn’t been adequately communicated to the workforce

Even the best-conceived and comprehensive privacy policy won’t do much
good if it isn’t communicated throughout the organization.  Moreover,
simply posting the company’s privacy policy on the company intranet or
including it in an employee handbook may be insufficient.  Appropriate
employees need training on the policy with refresher training as
policies evolve.  Client or customer-facing employees in particular
warrant special attention, as they have to be able to externally
communicate the contours of the company’s privacy policies and
procedures.  Regular internal communication about the company privacy
policy also ensures that privacy is at the forefront of employees’
minds, rather than just an afterthought.

Developing a comprehensive internal company privacy policy and
implementing procedures to put that policy into action is certainly
not an easy task.  It requires input from multiple stakeholders and
buy-in from all levels of the corporate structure.  Moreover, once a
privacy policy is in place, it must be viewed as a living document
that is regularly reviewed, analyzed, and updated.  Nevertheless,
having a complete and updated policy in place is essential to protect
your company and your customers’ data.
