When and how to update your company's privacy policy

You've done the hard work and implemented a privacy policy to guide and govern your organization through the thicket of laws, regulations, and expectations that have grown around the concept of data privacy. Your work, though, is not done. With new technologies, laws, and a constantly evolving competitive landscape, your privacy policy will need to be periodically updated, or at least, evaluated.

Privacy policy defined

A privacy policy is an internal document that guides and governs an organization on the creation of processes to meet organizational privacy goals. It provides the basis for all of your organization's privacy-related guidelines and procedures, ranging from website terms and conditions to handling of any personally identifiable data.

It also provides a guideline for privacy notices, that is, any external communications to individuals, customers, or data subjects concerning your organization's privacy practices.

Reasons to change a privacy policy

There are many circumstances that could trigger a need to examine whether your organization should change its privacy policy, including:

• Changes in laws and regulations. Such changes may have been the reason your organization decided to implement a privacy policy in the first place, and the legal landscape continues to evolve. Overarching laws, such as the EU's General Data Protection Regulation (GDPR), protect European citizens even from afar, and other countries and American states continue to consider and pass laws protecting individuals' privacy.
• When new products and services are introduced. New products and services can trigger a need to change your privacy policy. For example, a new product for children could trigger special child privacy laws, such as the Children's Online Privacy Protection Act (COPPA), which mandates special handling of data for children under 13.

• Corporate change. Likewise, if your organization is looking to acquire or enter into another business or market, the scope of that new business—whether it involves a new product, a new service, or a new geographical area—could trigger the need for an updated privacy policy.
• When your organization wishes to process data differently. Your organization may be sitting on a trove of personal data that you wish to use for other purposes, but your privacy policy does not allow for such usage. In these cases, in addition to examining all relevant laws and internal procedures emanating from your old privacy policy, you should provide notice to customers or data subjects concerning such changes. In many cases, this may require approval from the data subject before you can proceed with this new data usage. You should take care to consult a privacy expert before proceeding.
• Time. Like many other aspects of business, your privacy policy may have quietly slipped into obsolescence. It happens. A periodic checkup may reveal the need for a tune-up, if not a complete overhaul.

How to change your privacy policy

Much like the preferred method of implementing a privacy policy in the first place, you should consult with a team of stakeholders to form a cross-discipline privacy team in your organization. This team should be composed of representatives from any corporate department that handles personal data, as well as departments such as legal, HR, finance, communications, sales and marketing, and IT. Shaping a privacy policy can involve significant resources and expertise, and obtaining buy-in from your entire organization is crucial.

Once the new policy is in place, your employees who handle personal data should be trained—and reminded on a periodic basis—on how best to handle such data. These communications should take place across a spectrum of platforms, including email, posted notices, and even offbeat events such as a celebration of International Privacy Day (January 28) to remind employees of their roles in the protection of personal data. You can make it fun, yet always try to make it memorable.

And, finally, once an organization's privacy policy has changed, any documents—including privacy disclosures, contracts with vendors, and documented internal procedures—that are reliant on the old privacy policy should be examined to see whether they, too, need to be modified for compliance with the updated policy.

Modifying a privacy policy can be a daunting process, but help is available. Organizations such as the International Association of Privacy Professionals (IAPP) have resources to help guide you through to, if not the end, then the next time your organization's privacy policy needs to be examined and perhaps changed.