Privacy Program Building: Why you "Need" a Privacy Code of Conduct

Sorry folks, it’s been far too long since I last blogged!  When things get crazy I have to drop certain things in order to focus on other things that actually put food on my table.  I dream of the day when that’s no longer a concern and I can spend my days crafting, gardening, and writing about privacy… sigh.

One of the things I have been focusing on is the new privacy & information risk management course that I’ve developed for the USC Gould School of Law online MSL/LLM certificate program.  It’s been an amazing process for many reasons, but one is that it’s given me the opportunity to really sit back and think on why I build privacy programs in the way that I do. 

I’ve always had an ordered methodology, but it’s not often that a client wants to pay my billable rate for an explanation of why it’s important to tackle data retention before data subject rights.  They’re usually pretty content to trust the process, and my process starts with a Privacy Code of Conduct.*

What is a Privacy Code of Conduct, you ask?  Well my friend, this is the document that forms the core of your privacy program.  The exact substance varies by client but generally it includes the organization’s corporate privacy mission statement, followed by a list of principles that the company agrees to adhere to in its collection, use and disclosure of personal data.  These principles are rooted in legal requirements, like the European General Data Protection Regulation, the California Consumer Privacy Act, and U.S. Federal Trade Commission standards.  A good privacy program will have multiple corporate policies but all of them should tie back to this core document.

If you’re an inquisitive soul, you may be asking questions like:  Don’t those legal requirements apply regardless of any internal document?  Why do I need to summarize my legal obligations?  What is the value of this document if I’m going to have other corporate policies that go into the details of each privacy principle? 

My answer to the first question is yes, your legal obligations are the same whether you codify them internally or not. 

My (somewhat facetious) answer to the second question is that you don’t “need” to do anything.  You can omit this document from your program or you can even choose to forgo a program entirely.  The choice is yours to make; you are the decider and you decide what is best for your organization.

However, if you want your employees to follow applicable privacy and data protection laws, it behooves you to give them clear and simple instructions.

Which brings us to my answer to the third question:  the value of the Privacy Code of Conduct is that it tells your employees, in plain language:

- that privacy is important to your organization;
- the ways in which they need to put privacy in action within your organization; and
- the consequences for failing to meet these expectations.

It also gives you the opportunity to have employees expressly acknowledge their obligations toward personal data if this document is included in the onboarding packet that they review and acknowledge upon hiring.

Lastly, this document provides you with another arrow in your quiver for demonstrating accountability, which is a defined obligation in Article 5 of the GDPR and an expectation of any regulator.  It won’t be enough to say that you follow the law; you will have to show how you follow the law.

* To be clear, you don’t have to call it by that exact name; I’ve used or seen others like “Personal Information Policy,” “Privacy Policy,” or “Data Protection Policy.” A rose (or corporate policy) by any other name is still a rose. However, I like to refer to it as a “code of conduct” because the title alone establishes that this is not just a piece of paper but a collection of expected actions.
