Privacy Policy and Processes (PPP)

Best Practices

  • Identify an organization’s objectives for the privacy policy.
  • Ensure that the privacy policy articulates the definition of ‘personal information’ and underlines the importance of the data elements that fall under the definition. The definition may vary if the organization operates in different geographies.
  • Ensure that the privacy policy explicitly states the ‘privacy principles’ an organization will adhere to. The applicability of the privacy principles will depend on the role an organization is playing and the geographies it is serving.
  • Evaluate the state of privacy in an organization to identify the current baseline. Tools such as gap assessment, data visibility exercise, and privacy impact assessment can be used to identify the baseline.
  • Create an inventory of elements that can be attributed to privacy, or are important from the privacy perspective, and which require policy treatment. These elements could include: the privacy principles that need to be adhered to by the organization, the structure of the privacy organization, the strategy for privacy implementation, the accountability for privacy initiatives, etc.
  • Identify the policy items required to address specific or broad challenges an organization is facing with respect to privacy management.
  • Deploy the policy across all business processes, enterprise functions, projects and operations of an organization. Extend the coverage of the policy to partners, vendors and other third party service providers.
  • Against each of the policy items, record the means that have been deployed for enforcement.
  • Ensure that sufficient detail has been worked out while designing a process or deploying a technology solution for privacy implementation. All operational scenarios, detailed requirements, fit with the infrastructure ecosystem, and the culture of an organization should be considered while designing solutions for privacy.
  • Ensure that the privacy policy addresses the distinct roles that an organization performs, i.e. data controller collecting personal data from end customers, data processor receiving the data from the controller for processing, or data controller collecting personal data from its own employees.
  • Ensure that the privacy policy is readily available to all organizational units and all communication and collaboration channels are leveraged to publish or create awareness about the policy items.
  • Create a catalogue of processes that are deployed for privacy. Establish a mechanism that oversees the performance of these processes.
  • Ensure that there exists a mechanism that monitors compliance with the policy and assesses the effectiveness of the policy implementation.
  • Ensure that management’s commitment towards the policy is frequently communicated to the employees, partners and service providers.
  • Ensure that non-compliances with the policy are identified and addressed in a timely manner.
  • Ensure that there exists a mechanism to review the privacy policy.

DSCI Privacy Framework