A privacy notice is not only a statement required by privacy laws that discloses and explains a company’s data handling practices but is also an ideal opportunity for companies to inform and educate their customers — an important step toward building trust and loyalty through transparency and credibility. The content of a privacy notice will depend upon applicable laws and may need to address requirements across geographical boundaries and legal jurisdictions. It’s a company’s responsibility to demonstrate through its privacy notice that it has accurate and up-to-date knowledge of applicable privacy laws and personal data handling practices.
So, how should organizations think about drafting and updating their privacy notice and what are the major components?
Based on our experience spanning medium-sized companies through Fortune 50, we recommend a three-step process:
- Develop a complete set of requirements and create a draft
- Plan for and execute a roll-out including any supplementary communications
- Manage feedback and ongoing changes
Develop a complete set of requirements
To draft a privacy notice, you first need to understand your company’s privacy vision and mission along with your data processing activities, current data inventory, data flows, and applicable laws. This process is much easier for companies with a presence in only a few jurisdictions; large, multinational organizations may need to consult outside counsel who specialize in jurisdictions where the privacy team or inside counsel lacks expertise.
A thorough review of existing personal data processing activities is essential to ensure these are reflected accurately in the notice. This requires collaborating with various business functions and teams that handle personal data, such as sales, marketing, customer service, and so forth. The privacy team will need to conduct interviews with key stakeholders within these functions to obtain an understanding of current and anticipated data use.
If your company maintains records of processing activities (ROPAs) pursuant to Article 30 of the GDPR, this information will be instrumental to the process. Keep in mind that a privacy notice is a legal document that courts and regulators can use to hold the company accountable, so it is important to get it right. Our consulting teams are experienced in helping clients align data privacy protection strategies with business goals and can assist with the creation of clearly worded privacy notices.
Once the privacy and legal teams have finalized the draft, it should be socialized with senior leadership to get approval and buy-in. This step ensures that the notice aligns with the overall mission and vision of the organization. At this point it is easy to assume the bulk of the work is complete, but this is when the fun begins (provided you think detailed project management is fun).
Plan and execute a communications rollout
Once the privacy notice is ready for publication, it’s time to create a project plan with realistic timelines, breaking this complicated task into manageable chunks. Again, for smaller companies with a presence in few jurisdictions and minimal avenues of data collection, this process will be significantly easier; large multinationals have a monumental task ahead. Taking the time upfront to document business requirements will help define the scope of your rollout. Before creating your project plan, it is helpful to do the following prep work:
- Take inventory of sites, customer help pages/articles, links, and so forth, that will need to be updated
- Identify languages for translations
- Create the user notification email content
- Create the announcement to various marketing, sales and business development groups, PR, and government relations
- Create customer service talking points
- Account for the time zones affected by the rollout, where necessary
During this stage you will see a lot of moving parts and a great deal of coordination between teams to ensure a timely rollout. Because this effort involves stakeholders and teams from across the business, it is a perfect opportunity to build relationships, and relationships are perhaps the most important component of succeeding in privacy management.
In terms of outreach, use the need to reach customers as an opportunity to show how your company is increasing transparency, improving functionality, and demonstrating its commitment to compliance. This is a tangible reminder of your commitment to protecting their privacy and evidence of your trustworthiness.
Once the privacy notice is published, users must be notified as soon as possible; any delay in notification can cause frustration and distrust among your customers. Sending your users an email that summarizes the major updates and how they affect users is a good practice. This not only helps build customer trust but also increases confidence in, and loyalty to, your brand.
Manage feedback and ongoing changes
When you publish and notify users of a new or updated privacy notice, there is often a temporary surge in inquiries from users. This can pose a challenge for organizations that have not planned for the volume. Prepare your customer service team for the surge by ensuring they have the information they need to assist callers. Equip the team with talking points on the updates so they can handle calls efficiently and give customers accurate information. Partnering with marketing on this step will help you avoid communication errors and will aid in weaving marketing into the process.
Publishing your privacy notice is not a one-and-done exercise. On the contrary, you now have a living document that needs to be kept up to date.
The need to update the privacy notice is typically driven by one of two things: legal requirements (e.g., when you are expanding into new territory or a new law is passed) or a change in your personal data processing activities (e.g., you plan to collect additional data or use the data you collect for new purposes).
In practice, business stakeholders submit requests for an update to the privacy team based on a new, or preferably upcoming, business practice. Having a documented submission process helps ensure this runs smoothly. The privacy team then reviews each request and assigns it a low, medium, or high priority. The priority level depends largely on the impact to the company. Typically, low priority changes have no substantial financial, operational, or legal impact and can wait until the next update cycle or later. Medium priority changes have a modest impact on operations and should be prioritized for the next update. High priority changes may require an out-of-cycle update; they are often triggered by a change in legal obligations or have an immediate and significant financial impact on the business.
Every time an update is ready to be published, you need to repeat the rollout steps to ensure that the change is reflected everywhere necessary and that your customers are made aware of it.
The Ethos Privacy consulting team assists medium-sized businesses and the Global Fortune 500 in drafting and updating privacy notices to fit their needs. We have the expertise to help you build an efficient program to simplify this important process.