Why You Should Create a Forward-Looking Privacy Policy - InformationWeek

John Edwards

New privacy rules are coming. Is your organization ready?

Data privacy, once primarily a concern for finance and healthcare, is rapidly becoming a priority for nearly all types of organizations, particularly those that collect personal information for marketing analysis.

Today's collection of piecemeal and rapidly changing privacy mandates makes planning for future requirements much like aiming at a moving target. Yet a growing number of businesses are gradually coming to the realization that failing to anticipate the demands of future privacy legislation may leave them vulnerable to future lawsuits and significant financial losses.

Image: sdecoret - stock.adobe.com

There's currently no comprehensive law governing the collection, use, sale, or other disclosure of personal information across the United States, noted Gerald Sauer, a founding partner of Los Angeles-based law firm Sauer & Wagner. "A handful of laws set guidelines for use of personal information for specific purposes, such as medical and financial information."

Scott Pink, special counsel at Los Angeles-based law firm O'Melveny, believes that future mandates are likely to promote greater consumer control over personal data. "Some jurisdictions will consider providing more robust private rights of action, although there has been pushback on this in the United States," he observed. "There will [also] be increased focus on more sensitive types of data, such as biometric data, facial recognition and tracking of activities in the home."

As Congress considers a national data privacy law fashioned along the lines of the European Union's General Data Protection Regulation (GDPR), organizations should err on the side of caution, Sauer advised. "Don’t reveal user information without express authorization to do so," he suggested. "Provide users the opportunity to opt-out of (or opt-in to) data collection and comply with existing laws that apply to your industry, the type of information you handle or the use of personal data in your state."

An organization’s ultimate compliance with a government’s privacy policy standard will depend on its location, industry, target audience, and the type of data the organization collects, said Robert Hanna, a partner at Cleveland-based law firm Tucker Ellis.

Robert Hanna, Tucker Ellis

"Staying current with a national standard, like the one from the National Institute of Standards and Technology (NIST), is one way to stay ahead or at least even with changing demands," Hanna advised.

While it's not possible to create a privacy policy that fully anticipates future demands made by regulatory authorities, it's still advisable to pay attention to the trends and actions that drive the need for privacy policy revisions. "These include new categories of data or worldwide enforcement actions," noted Dawn Rogers, general counsel for Veracode, an application security provider. She added that organizations can also join privacy groups, such as the International Association of Privacy Professionals (IAPP), to stay on top of changes and access self-education resources.

Be prepared

Although rules are rapidly emerging and evolving, every privacy policy should include a few fundamental considerations. "For example, no matter what laws and regulations require, organizations will need to have very solid asset management, asset classification, data retention and data/media disposal procedures that implement the privacy policy," explained Summer Craze Fowler, an adjunct professor at Carnegie Mellon University's Heinz College. "Privacy policies should address the types of information collected by the website or app, the purpose for collecting the data, security and access details, data transfers or shares, and affiliated partnerships that may share data."

Dawn Rogers, Veracode

Before attempting to build a forward-looking security policy, it's important to conduct a thorough data inventory to fully understand exactly what types of data are being collected, how the data is being used, and where it is stored, Pink observed. "You cannot create an effective policy without having this understanding."

It's also essential for organizations to conduct frequent and thorough security audits of current IT assets and practices. "As part of the audit, businesses should include social engineering, which reviews whether their employees are demonstrating vulnerability when it comes to safeguarding confidential information," advised Ted Wagner, vice president and CISO at SAP National Security Services. "To make sure the organization’s privacy policy anticipates future demands made by governments and other regulatory authorities, businesses should also request regular IT audit reports from their vendors and business partners," he added. This step will ensure there are no cracks in their infrastructure that could potentially expose the organization and its data to bad actors.

An organization’s privacy policy must accurately reflect the organization's actual practices. "An inaccurate privacy policy or worse, an accurate one that is not followed, can open the doors to liability," Hanna warned. The policy also needs a maintenance schedule managed by a designated staffer. "Part of the governance process is having someone in charge of the policy and having him or her consider the policy as part of everyday actions and business decisions," Fowler said.

Ted Wagner, SAP National Security Services

Privacy regulations alone don't offer consumers more privacy. "Privacy regulations are aimed at making collectors and processors of data better custodians of collected data, and more accountable for what they do with the data," Rogers explained.

Laws will never be able to keep up with the rapid pace of technological change, so predicting future requirements is a little like crystal-ball gazing, Sauer observed. "However, industry watchdogs and trade groups tend to be proactive in anticipating trends, so it would be prudent to follow their guidance and stay current on trends," he recommended.

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic ...