Why You Should Create a Forward-Looking Privacy Policy

New privacy rules are coming. Is your organization ready?

John Edwards, Technology Journalist & Author

August 6, 2019


Data privacy, once primarily a concern for finance and healthcare, is rapidly becoming a priority for nearly all types of organizations, particularly those that collect personal information for marketing analysis.

Today's collection of piecemeal and rapidly changing privacy mandates makes planning for future requirements much like aiming at a moving target. Yet a growing number of businesses are gradually coming to the realization that failing to anticipate the demands of future privacy legislation may leave them vulnerable to future lawsuits and significant financial losses.


There's currently no comprehensive law governing the collection, use, sale, or other disclosure of personal information across the United States, noted Gerald Sauer, a founding partner of Los Angeles-based law firm Sauer & Wagner. "A handful of laws set guidelines for use of personal information for specific purposes, such as medical and financial information."

Scott Pink, special counsel at Los Angeles-based law firm O'Melveny, believes that future mandates are likely to promote greater consumer control over personal data. "Some jurisdictions will consider providing more robust private rights of action, although there has been pushback on this in the United States," he observed. "There will [also] be increased focus on more sensitive types of data, such as biometric data, facial recognition and tracking of activities in the home."


As Congress considers a national data privacy law fashioned along the lines of the European Union's General Data Protection Regulation (GDPR), organizations should err on the side of caution, Sauer advised. "Don’t reveal user information without express authorization to do so," he suggested. "Provide users the opportunity to opt-out of (or opt-in to) data collection and comply with existing laws that apply to your industry, the type of information you handle or the use of personal data in your state."

An organization’s ultimate compliance with a government’s privacy policy standard will depend on its location, industry, target audience, and the type of data the organization collects, said Robert Hanna, a partner at Cleveland-based law firm Tucker Ellis.


"Staying current with a national standard, like the one from the National Institute of Standards and Technology (NIST), is one way to stay ahead or at least even with changing demands," Hanna advised.

While it's not possible to create a privacy policy that fully anticipates future demands made by regulatory authorities, it's still advisable to pay attention to the trends and actions that drive the need for privacy policy revisions. "These include new categories of data or worldwide enforcement actions," noted Dawn Rogers, general counsel for Veracode, an applications security provider. She added that organizations can also join privacy groups, such as the International Association of Privacy Professionals (IAPP), to stay on top of changes and access self-education resources.

Be prepared

Although rules are rapidly emerging and evolving, every privacy policy should include a few fundamental considerations. "For example, no matter what laws and regulations require, organizations will need to have very solid asset management, asset classification, data retention and data/media disposal procedures that implement the privacy policy," explained Summer Craze Fowler, an adjunct professor at Carnegie Mellon University's Heinz College. "Privacy policies should address the types of information collected by the website or app, the purpose for collecting the data, security and access details, data transfers or shares, and affiliated partnerships that may share data."



Before attempting to build a forward-looking security policy, it's important to conduct a thorough data inventory to fully understand exactly what types of data are being collected, how the data is being used, and where it is stored, Pink observed. "You cannot create an effective policy without having this understanding."

It's also essential for organizations to conduct frequent and thorough security audits of current IT assets and practices. "As part of the audit, businesses should include social engineering, which reviews whether their employees are demonstrating vulnerability when it comes to safeguarding confidential information," advised Ted Wagner, vice president and CISO at SAP National Security Services. "To make sure the organization’s privacy policy anticipates future demands made by governments and other regulatory authorities, businesses should also request regular IT audit reports from their vendors and business partners," he added. This step helps surface cracks in their infrastructure, including in third-party systems, that could otherwise expose the organization and its data to bad actors.

An organization’s privacy policy must accurately reflect the organization's actual practices. "An inaccurate privacy policy or worse, an accurate one that is not followed, can open the doors to liability," Hanna warned. The policy also needs a maintenance schedule managed by a designated staffer. "Part of the governance process is having someone in charge of the policy and having him or her consider the policy as part of everyday actions and business decisions," Fowler said.



Privacy regulations alone don't offer consumers more privacy. "Privacy regulations are aimed at making collectors and processors of data better custodians of collected data, and more accountable for what they do with the data," Rogers explained.

Laws will never be able to keep up with the rapid pace of technological change, so predicting future requirements is a little like crystal-ball gazing, Sauer observed. "However, industry watchdogs and trade groups tend to be proactive in anticipating trends, so it would be prudent to follow their guidance and stay current on trends," he recommended.

About the Author(s)

John Edwards

Technology Journalist & Author

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.
