What are they?
Primarily, Privacy Policies are those statements drafted, emended and eventually approved by the Controller; i.e, the entity in charge of establishing the purpose for the personal data usage. Although the following formal definition is US-focused, I think it’s worth to click on this Wikipedia post to have a more precise idea of this important concept.
Actually, from a personal perspective, the Privacy Policies could be split in two different categories, briefly described as following.
Public Privacy Policies
In this case, we coincide with the definition given in the Wikipedia. Summarizing, it’s about the controllers’ statement on:
- who’s processing personal data;
- for which purposes;
- for how long personal data will be processed/stored (the so-called «retention period«);
- to whom (if any) personal data will be disclosed and why;
- what rights are granted to the subjects;
- how to exercise those rights;
- how to contact with the DPO (Data Protection Officer), if any.
Tip: generally speaking, the more transparent, the better.
Internal Privacy Policies
On the other hand, we have these internal policies, where the Controller should establish the internal security rules for a safe processing of personal data.
Of course, there is no a «one size fits all» strategy in drafting these rules. Consequently, the Controller should establish the rules according to its own criteria and combining them with the legal requirements.
Hence, I’d like to suggest the following bullets points as an interesting path to reach a proper and useful document:
- What the rules are for? In other words, what is the entity objective? what do you want to achieve in implementing these rules?
- The scope: are the rules applicable to all your employees? Think about employees who don’t have direct access to the personal data: maybe they would need different rules;
- Define who is in charge of what. Talk to the stakeholders and dive deep into their daily routines: you can be even surprised knowing the real truth about you own company and what is going on behind the scenes;
- Rules must be obeyed: I know, it could sound harsh, but it is true. If the employees think that there’s a better way to comply with the data protection and data privacy obligations, they should feel free to participate in the conversation; at the end of the day, there’s always room for improvement. What is not admissible is to circumvent the established rules; in this case, consistent penalties should be stated;
- Let the (DPO) door open: invite all the stakeholders asking questions, establish a privacy-pedia, renew the continual awareness and training programs. Lastly, make the rules part of the daily routine of the entity.
Most importantly, the rules established by the Controller must be consistent with the legal requirements and with the way the entity processes personal data and the rest of the information. This is not an easy task; on the contrary, it is pretty challenging. But this is what, among other things, makes the privacy domain always interesting.
To conclude: need a help in drafting your own Privacy Policies? Feel free to send us an email anytime. You know, we love privacy policies…