Although privacy policies are important, they are just one element in a good privacy program. In order to ensure that your organization complies with applicable laws and adequately protects personal information within its possession, it should develop a program that includes, at a minimum, the following elements:
- Appointment of a Privacy Officer (or for larger organizations, a privacy office)
-
Privacy policies
- Internal-commercial
- Internal-employment
- External/Web policy
- Record retention policy
- Bring your own device policy
- Social Media policy
- Working from home policy
- Technology usage policy
-
Training for employees
- Training for new employees
- Role specific training based upon position
- Annual updates
- Regular review and update of policies and training
- Complaint management process
- Breach response process
- Confidentiality agreements for employees
- Data protection agreements with service providers
- Periodic privacy audits
- Privacy impact assessments for new projects
The above list is not intended to be comprehensive. Privacy programs should be specifically tailored to the unique requirements of your business. You should consult with a privacy law expert to assist with the development of your organization’s privacy program. Furthermore, privacy programs should be evaluated and updated periodically based upon business and legal developments.
