Policy Development

Whether you need a standalone policy or a comprehensive privacy management program, Privacy Matters has you covered.

Privacy compliance is made more complicated by the growing number of privacy laws around the world, many of them new or still changing. While the specific obligations vary from jurisdiction to jurisdiction, a comprehensive suite of policies provides guidance for your staff, demonstrates accountability to your clients and partners, and serves as a foundational piece of your privacy program.

Any organization that handles personal information is subject to privacy laws and should therefore have a privacy management program. A privacy management program is more than just demonstrating compliance: it helps foster a culture of privacy throughout the entire organization, which in turn, gives organizations a competitive edge. Strong privacy management programs will minimize organizational risks and help foster trust with clients and partners.

Policy Development FAQs

  • It is likely that your organization will need more than just an external-facing website privacy policy. You need to consider what internal policies you currently have and where gaps exist. Such policies include:

    • Data retention and destruction policies

    • Breach response policies

    • Responsible use policies

    • Privacy-related complaints policies

    • Access to and correction of personal information policies

    • Cookie policies

    • CASL compliance policies

    • Remote work policies

    • Other employee and organizational policies

  • A privacy policy is a statement of an organization’s practices around the processing of personal data. It lets visitors to your website or users of your services know what personal information you collect, how you use it, and how you keep it safe. Generally, a privacy policy includes:

    • The types of information collected by the website

    • The purpose of this data collection

    • Data storage, security, and access

    • Details of data transfers

    • Affiliated websites or organizations

    • Cookies

    • The contact information of the individual who is responsible for overseeing privacy issues in your organization

  • A quick Google search will pull up hundreds of privacy policy templates or generators, but it is best to avoid templates and boilerplate language: they cannot capture the nuances specific to your organization, and a policy that describes practices you do not actually follow is itself a compliance problem. These alternatives may be cheaper at first, but they can open your organization up to more problems down the road.

    Privacy Matters will work with your organization to develop policies that are tailored to your organization and budget.

  • Yes, in most cases. In British Columbia, private-sector organizations are subject to the Personal Information Protection Act (PIPA), which requires organizations to develop and follow policies and practices that meet their obligations under the Act and to make information about those policies and practices available on request. Posting a privacy policy on your website is the usual way to satisfy that obligation.

    There are similar provisions in the federal Personal Information Protection and Electronic Documents Act (PIPEDA) that require private-sector organizations to have privacy policies that outline how they collect, use, and disclose their clients’ personal information.

    What does this mean?

    If, in the course of your business, you collect any of the following about identifiable individuals, you are collecting personal information and PIPA or PIPEDA will generally apply to you:

    • Names

    • Dates of birth

    • Email addresses

    • Billing/shipping addresses

    • Phone numbers

    • Banking information

    • Driver’s licence numbers, social insurance numbers and other identifiers that cannot be changed

    This is not an exhaustive list of examples of personal information. If you’re unsure about the data that your organization collects, contact us for a free consultation.

    Not only are privacy policies required by law, but many third-party services that you may use require one as well. For example, if you use Google Analytics, you need a privacy policy because it uses cookies to collect information about your website’s visitors. Their Terms of Service dictate that any business that uses their services must:

    “…post a Privacy Policy and that Privacy Policy must provide notice of your use of cookies, identifiers for mobile devices (e.g., Android Advertising Identifier or Advertising Identifier for iOS) or similar technology to collect data. You must disclose the use of Google Analytics, and how it collects and processes data.”

  • Let’s be clear: not having a privacy policy breaches privacy laws. The ramifications include monetary penalties for non-compliance and reputational harm to your organization. The size of the penalties depends on the jurisdiction whose privacy laws have been breached.

    For example, the E.U.’s General Data Protection Regulation (GDPR) provides for:

    • Administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements (with a lower tier of up to €10 million or 2%)

    • Corrective orders from supervisory authorities, including orders to bring processing into compliance, temporary or permanent bans on processing, and suspension of data transfers

    • Criminal penalties, including imprisonment, where a member state’s national law adds them on top of the GDPR’s administrative penalties

    • Investigations and data protection audits by supervisory authorities

    Even if your business does not operate in the E.U., it is useful to note that the GDPR is considered the “gold standard” for modern privacy laws, and that it can still apply to a Canadian business that offers goods or services to people in the E.U. or monitors their behaviour. Canada is in the process of amending its privacy legislation to better mirror it. California has already taken this step, and we are seeing more states follow suit.

    If in doubt, it is always better to err on the side of caution and provide an accessible, clear, comprehensive, and updated privacy policy on your website.

    Not sure where to start or if your existing policies are good enough? We are here to help! Book your free consultation.

Ready to get started?