One Corporate Privacy Policy Does Not Fit All
We all agree that protecting personal data is imperative. The information that agencies,
insurers, and retail businesses collect is the same data that identity thieves want
so they can take over our accounts.
Not surprisingly, legislatures in all 50 U.S. states and in jurisdictions worldwide have
enacted privacy regulations to protect the data that consumers legitimately provide in the
course of doing business. Which rules apply depends on where a company does business and
where the people whose data it collects are located. For a national company with web
visitors from Europe, the number of applicable regulations can be overwhelming. To
understand the requirements specific to your business, industry groups and corporate legal
counsel are the definitive sources.
Your Company’s Privacy Policy – Where to Begin
Your company’s public privacy policy is the record of how you commit to protect the
information you gather and of the legitimate uses you intend for that data. Addressing the
topics covered by the most restrictive laws that apply to you is a good start. Like any
externally published policy, it should have executive buy-in and approval by corporate
legal counsel. Commonly the policy document is linked from the main website and from every
page that collects data, and those pages include a check box attesting that the visitor has
read and agreed to the linked privacy policy before any data is submitted. Because the
policy will change over time, date and version each revision and record which version a
visitor accepted, so that later consent questions can be answered.
Resources & Tools for Managing Privacy Risk
The National Institute of Standards and Technology (NIST) publishes a Privacy Framework
and Special Publication 800-122, a guide to protecting the confidentiality of Personally
Identifiable Information (PII). The Privacy Framework shows how detailed a privacy program
can be and the effort involved across the business.
NIST Privacy Framework
https://www.nist.gov/privacy-framework
NIST SP 800-122
https://csrc.nist.gov/publications/detail/sp/800-122/final