It is not enough for a business to create a privacy policy and place it on its website. A business must define policies and practices, verify that its employees are following the practices and complying with the policies, and confirm that third-party service providers are adequately protecting any information shared with them. As customer demands and regulatory requirements change, the business's privacy practices and policies must be reviewed and revised to keep pace with that changing environment.

So, how do you get started? Well, every journey begins with the first step. Here are 10 steps to kick-start your organization’s privacy program.

  1. Identify an owner

It is critical to identify someone to own the privacy program and the process to create it. Optimally, this will be someone in your senior leadership team, thereby demonstrating the priority being given to privacy within the business. Appointing a senior leader to this role will also show your customers, staff and partners your commitment to protecting personal information.

Different functions within your organization will have different perspectives on privacy. Marketing, human resources and legal, for example, may hold very different views on how personal information should be collected and used. Establishing a core team to support the program owner, made up of members from each of these functions, allows each voice to be heard and appropriate balances to be struck as the program is established.

  2. Take inventory

To develop effective policies and practices, you need to understand what is important to the various functions of your organization. Taking inventory of the personal information already on hand is a great way to gather these requirements.

Working within their own functional teams, the core team members can determine:

  • What personal information is collected;
  • Why the information is collected;
  • How the information is collected;
  • How the personal information is stored and protected;
  • If the information is shared with a third party and, if so,
    • How it is transmitted and
    • How the third party protects the information, and
  • When the information is destroyed and by what process.

Once created, keeping this inventory current will help ensure compliance with your policies and practices; an inventory that is allowed to go stale will misrepresent what data you actually hold and where it flows.

  3. Understand your legal, regulatory and partner requirements

In addition to exploring the internal requirements for the use and protection of personal information, you also need to explore external requirements. There are three primary sources for these requirements:

Legislative bodies
Throughout the world, laws have been established governing the collection, use, transfer and protection of personal information. These laws vary by jurisdiction with differences most often based on culture, history and business climate.

Regulatory bodies
Depending upon your industry and the information you collect, there may be requirements that government or industry regulatory agencies impose. For example, if you use credit cards for payment, you should be compliant with the Payment Card Industry Data Security Standards. Participants in the U.S. healthcare industry must comply with The Health Insurance Portability and Accountability Act of 1996. Privacy in the U.S. financial industry is covered in the Gramm-Leach-Bliley Act.

Customer and supplier agreements
You may have agreements in place with your customers or your suppliers that specify privacy requirements. Regardless of what you establish as an organizational standard, these agreements take precedence over your standard policies and practices for those stakeholders, so they should be captured in the inventory and reviewed alongside the legal and regulatory requirements.

  4. Define your high-level policy

Taking your internal and external requirements into account, you are now ready to define your privacy policy. Organizations often want their policies to be detailed and specific, but this frequently leaves the business unable to address circumstances the policy did not foresee.

When you consider your privacy policy, think of it as a moral compass for your organization, defining what is "the right thing to do." Supplement this with some high-level guidance on implementation (e.g., personal information will be encrypted in transit), but leave the details for your functional areas to define. This allows the policy to remain unaffected as technology, requirements or the business climate change.

The policy should also define the consequences to an employee, contractor or temporary worker if the policy is violated.

  5. Define processes, standards and guidelines

To support your policy and to ensure your staff understands what to do to meet your requirements, supporting documentation needs to be created to specify how the staff should behave. There are three different ways to document these instructions:

  • Processes are step-by-step instructions describing how a task must be accomplished;
  • Standards define minimum requirements that must be met (exceeding them should be encouraged); and
  • Guidelines are recommendations about how things should be done.

The core team can work within their own functional areas to define their appropriate level of documentation for their area. This will engender a sense of ownership of these documents by your stakeholders. However, you should consider using the core team as a whole to review and approve each of these documents.

  6. Train your staff

With everything now in place, it is time to train your staff. Simply asking them to read the documented policy, processes, standards and guidelines will not be effective; think of all the email and reading each of us gets in a typical day. Formal training, either face-to-face or computer-based, needs to be undertaken.

Training should occur when the privacy program is initially introduced. New hires should be trained upon joining the organization as should contractors and temporary employees. Annual refresher courses should also be put in place.

Privacy training should be required of every member of the staff annually; completion of the training should be logged and considered part of the performance review process.

  7. Review your vendor/service agreements and third-party practices

Your organization is responsible for data it collects and shares even when it is provided to a third party for processing. To be sure that everyone with whom you share information is protecting the data to your satisfaction, your business needs to consider a few questions:

  • Are the third parties meeting your new policies?
  • If not, are they willing to meet the new requirements?
  • If not, are there ways to remediate or compensate for the requirements in question?
  • If not, is there a different third party you could use to meet the requirements?

Similar to providing training for your staff, holding a series of webinars for your third parties describing your new policy will give notice to these organizations about the changes in your requirements. You can follow up with a questionnaire to determine if your requirements are being met.

You should also modify your standard contracts to include language that requires your policies to be met. This will become a negotiation point for most of your vendors, but if your requirements are reasonable, reaching a meeting of the minds should not be difficult.

  8. Declare victory and celebrate

Establishing a privacy program is a significant milestone in the maturity of an organization. Holding an event to recognize the achievements of the program owner, the core team and the organization as a whole is appropriate. The event will also reinforce the importance placed upon protecting personal information by the organization.

  9. Post a notice to your customers

Having the program publicized internally and with your service providers is a start, but your customers need to be informed as well. Typically this is done through a Privacy Notice (also called a Privacy Statement or Privacy Policy) on your website.

The notice is not only a legal document; it can be used as a strategic marketing tool. If you do not share information and your competitors do, then call that out. You can make the notice part of an educational experience by explaining why privacy is important, how your customers can protect their own information on a day-to-day basis and how your policy supports their efforts.

The notice should reflect your organization's perspective on the importance of protecting personal information, giving insight into:

  • When you collect personal information;
  • Why you collect personal information;
  • What information is collected;
  • How you protect the information;
  • When you share the information, and
  • What a customer should do if they think their information has been compromised.

This notice should be dated, and links to it should be provided conspicuously throughout your website. If a change is made to the notice, customers should be told of the change on the website when they next visit.

  10. Review, reassess and revise

Your business and the privacy landscape are both changing, so it is important to review your privacy policy and its supporting processes, standards and guidelines at least annually. In fact, some laws and regulators require this. Ongoing training is also required by some laws and regulators.

An annual independent review is also advisable. It provides an outside, unbiased look at your privacy program, identifying what is working and what could use improvement.

Editor’s Note: For more on how to build a privacy program at your organization, see also Bob Siegel’s “We learned our data privacy basics in high school.”


