Many privacy policies could benefit from becoming more concise, legible, and tailored to the privacy-related needs of customers and other relevant readers, according to an analyst at this week’s Gartner Security & Risk Management Summit.
By following these and other best practices, organizations can make policies less of a burden and more of a “business enabler,” said Gartner Research Director Carsten Casper during a presentation at the summit, held near Washington, D.C. Organizations are increasingly reviewing their privacy policies, he said, because of factors including new technological developments, growing privacy concerns, and changing privacy regulations.
One problem with many policies, he said, is that they focus more on how organizations can protect themselves and less on the ways that personal data and other private information are protected.
Though all policies need legal input (and Casper mentioned that Gartner doesn’t offer clients legal advice), some policies could benefit from less legal language, he said. To make policies clearer, an increasing number of organizations are also providing policy summaries, sometimes as short as a page, he said.
At the top of policies, it can be good to describe some of an organization’s overarching policy objectives, Casper said. An example could include describing how an organization collects as little personal information as possible to best run the business, he said.
Stronger policies also tend to demonstrate accountability, he said. Effective ways to convey this can include describing the organization’s privacy-related personnel structure. Increasingly, organizations are also making it easier for readers to ask questions or send comments, he said; some policies include an e-mail address, for example, of a privacy officer.
Other important points to convey can include that personal data is stored only for a limited time, he said. It is also useful to describe the ways in which customers, employees, and others can access stored data.
Another best practice can include describing any privacy principles followed by an organization, Casper said. In the United States, these could include the Generally Accepted Privacy Principles of the American Institute of Certified Public Accountants, for example. Mentioning any privacy-related certifications or seals can also be good, he said.