Organizational Privacy Policies


Examples of consumer privacy notices can be found all over the Internet. However, organizations need to address privacy on a number of other fronts with inward-facing organizational privacy policies.

Here, the IAPP has collected examples of organizational policies that involve the handling of customer and organizational data, along with some tips on creating the right policies, in an effort to inform the process for your organization.

Featured Resources

Setting data retention timelines

When setting retention timelines for your data, start with this plan: If you don’t need to have it, then delete it. However, figuring out the exact timelines you can adhere to is more complicated than you might have planned on. Privacy engineer Lea Kissner offers guidelines privacy professionals might find useful when setting data retention timelines.

Data Processing Agreements: Coordination, Drafting, and Negotiation

The commentary in this book should assist you in better understanding the contracting and third-party accountability aspects of your projects and provide you with tools for success.

Does the CCPA regulate internal transfers?

Little attention has been paid to the effects of the CCPA on intragroup data transfers, and many assume the act does not impose any limits on them. Lydia de la Torre breaks down the interpretation of intragroup sharing within the CCPA.


Latest News and Resources

How to manage insider threats without violating privacy laws

The idea of an "insider threat" is becoming a key issue in companies' business risk management, and data privacy requirements have a significant impact on the mitigation measures companies can take against inadvertent and malicious threats. While organizations are fundamentally interested in mitigating insider threat-related risks to information security, IT and compliance professionals must be aware of competing legal requirements and compliance issues to be able to effectively mitigate those r...

How to draft a GDPR-compliant retention policy

Data minimization, storage limitation, records of processing activities and requirements for providing information and access to personal data under the EU General Data Protection Regulation all have one thing in common: You need to be able to clearly define the period for which personal data will be stored or, if not possible, criteria to determine that period. Most organizations implementing the GDPR consider retention policies or retention rules necessary to achieve this. At first it seems a...

How To Construct Your Do-Not-Call Policy

The Data & Marketing Association has developed this checklist to assist marketers in developing a do-not-call policy for consumers. It was designed to be consistent with the DMA's Guidelines for Ethical Business Practice as well as with Federal and State Do-Not-Call laws.

Building a program? Better get your internal audit game right

It can be challenging for a business to correctly identify its unique privacy risks and the sufficiency of any safeguards in place to manage those risks. That’s where a well-developed internal-audit function is essential, writes Sara van Spronsen in this exclusive for The Privacy Advisor. “Without the independence, skills and expertise, and cross-border abilities of a well-developed internal audit function, an organization may find itself struggling to provide the necessary substance to back its...

Data Protection and Information Access

Data Processing Agreements: Coordination, Drafting, and Negotiation

Executive Editor: Justin B. Weiss, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP. Justin is the global head of data privacy for the Naspers Group of companies. He originated a practicum course on data processing agreements as faculty at the University of Maine School of Law’s 2018 Information Privacy Summer Institute and currently serves as the vice chairman on the board of directors of the International Association of Privacy Professionals. Members of the Privacy Bar Section of the Inte...

Sample Data Protection Policy Template

White Fuse has created this data protection policy template as a foundation for smaller organizations to create a working data protection policy in accordance with the EU General Data Protection Regulation. This document offers the ability for organizations to customize the policy. An additional template from IT Donut can be used by organizations creating a data protection policy that does not need to take into account the EU General Data Protection Regulation.

Data Retention and Destruction

How to draft a GDPR-compliant retention policy

Data minimization, storage limitation, records of processing activities and requirements for providing information and access to personal data under the EU General Data Protection Regulation all have one thing in common: You need to be able to clearly define the period for which personal data will be stored or, if not possible, criteria to determine that period. Most organizations implementing the GDPR consider retention policies or retention rules necessary to achieve this. At first it seems a...

BYOD, Social Media and Employee Monitoring

Privacy Guidelines: Monitoring and Personal Data Privacy at Work

The Hong Kong Office of the Privacy Commissioner for Personal Data offers these guidelines to employers on the steps they can take in assessing whether employee monitoring is appropriate for their business and, where it is deemed appropriate, how they can develop privacy-compliant practices in the management of personal data obtained from employee monitoring.

Human Resources Data Policies

Developing a Privacy Policy Under PIPA

This document from the Office of Information & Privacy Commissioner for British Columbia is designed to help organizations develop a privacy policy. Privacy policies describe how an organization handles personal information in a manner that is compliant with PIPA. They are an important resource for staff to follow. Privacy policies can also let individuals know how an organization handles personal information and what rights they have to access that information.

Vendor Policies and Contracts

Third-Party Vendor Management Means Managing Your Own Risk – Article Series

Last Updated: June 2015. This series presents nine elements of a successful vendor-management program and a checklist to help you, the privacy pro, to manage an effective program. Sometimes themes can help us remember information, so for that reason, we’ll use the solar system to guide us through this series: Picture your company as the star around which all vendors revolve—outer space was so much more appealing than an oceanic theme where sharks circle. Part 1: Mercury – Why Have a Vendor ...