Having a privacy policy is just a start

Consumers, both business and individual, not only expect your organization to have a privacy policy, they also expect you to regularly train your staff, enforce the policy, and assess the overall health of the privacy program. A company’s privacy policies, processes, and oversight reflect how the organization is responding to its responsibility to protect the personal information its customers have provided. Larger organizations have teams in place that ensure customers’ privacy expectations are met; for SMBs this can be a challenge.

Addressing privacy protections is not just the right thing to do; it is a legal requirement. Forty-six US states have responded to their residents’ desire for privacy protections with legal protections. These laws generally focus on protecting the state’s residents’ information regardless of where an organization collects and processes that data. A business in New Mexico, for example, is subject to Massachusetts law if the business is collecting personal information on Massachusetts residents.

It is not unusual for an SMB to be without a documented internal privacy policy and processes. I have found numerous cases where processes at an SMB have evolved as the company grew. These processes are often not documented, and the result is numerous variations of the process across the staff. Operations function, revenue is generated, and because budgets and staffing are tight it is easy to leave well enough alone. The personal information collected, however, could be at risk.

In contrast, these same SMBs may have a notice on their web site to inform customers about the company’s stance on privacy. Whether the privacy notice is original work or copied from another company’s web site, a published notice without the internal policy and processes to back it up is not a good situation.

By publishing a privacy notice a company is setting its consumers’ expectations as to how their personal information will be collected, used, and protected. To successfully meet these expectations the organization’s staff needs to be informed about the company’s position, trained on the associated procedures, and then assessed on how they carry them out. Based on this assessment, the privacy policy and procedures can be improved, the efficiency of the processes enhanced, and the policies refined to meet ever-changing business needs. The cycle of assessing the privacy program, refining policies and procedures, and providing training to the staff should be done on an annual basis. (Privacy Ref can help; check out our Privacy Program Assessment offering.)