Failure to manage outdated privacy policies is more of a problem than you realize.

If you’re in business, chances are you have some type of client information stored in digital or hard files. Processing orders for products and services most often requires full names, addresses, credit card information and other customer profile data. Employees have to supply their social security numbers for tax documents and payroll. Some companies even request customers’ SSNs as identification, whether it’s necessary or not.

The problem is that compromised information is more than an inconvenience, for your customers and for you. If someone hacks client, business, or employee information, you become liable for the damages. You will lose customers and the strength of your brand, and you may even become the defendant in lengthy lawsuits, all of which costs your company money and opportunities.

Strengthening your privacy policies, and training staff to help in the fight against security breaches, is a core step in your data security strategy.


What is a Privacy Policy?

A privacy policy is a legal document that notifies the public about what kind of personal information a company collects from customers, as well as how it collects, stores, uses, and distributes that information. It is a way to be transparent about data that is being collected, and gives a company a set of guidelines to follow in regards to information collection and how that information is protected.

Privacy policies are either required by law for certain industries, or put in place by businesses and institutions that understand their significance as a good business practice. To be effective, a company must actually follow the rules set out in its privacy policy and keep the policy updated whenever its practices change.


Why You Need a Privacy Policy

Rules on privacy policy in the United States aren’t cut and dried: there is no single law or statute that requires every company to have a privacy policy. But there are some instances where privacy policies are required by law, and by not having one, those companies or institutions can become liable. A few examples of federal laws that govern privacy policies include the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).

If your business isn’t legally required to have a privacy policy, it is still a recommended practice. That’s because privacy policies create a safeguard for both you and your customers and keep information about your data collection practices transparent and easy for everyone to access.


Federal Trade Commission (FTC) Fair Information Practice

The FTC has organized some best practices for privacy policies based on laws the U.S. has in place to protect customer information. They’ve extracted requirements from the following laws to give you guidelines on how you should handle sensitive information and privacy policies within your company:

  • Right to Financial Privacy Act
  • Fair Credit Reporting Act
  • Cable Television Protection and Competition Act
  • Video Privacy Protection Act
  • Electronic Communications Privacy Act

While many of the practices focus on websites and online companies, it’s a foundation for all companies to follow in an effort to protect their data and clients. Here’s a summary of what you should do to comply with the FTC Fair Information Practice:

  • At a minimum, notify users when you collect their personal information and how you plan to use it.
  • Give customers a choice about whether you may continue using their information, and in what manner you have permission to use it.
  • Customers should have the right to see any of their information you’re using or storing.
  • Make it easy for customers and employees to view and access company privacy policies.
  • Post privacy policies at a specific location within your store or office and have a clearly visible link to privacy policies online.


Reasons to Update Your Privacy Policy

Even if you don’t feel privacy policy requirements apply to your business, it’s critical to have them in place. All it takes is an update from legislation to put your business at risk of penalties for non-compliance, and it’s always wise to protect your company from regulatory action and customer lawsuits. Those are the top reasons to review and adjust outdated privacy policies, but there are other advantages:

  • Stay ahead of the game with privacy policy requirements and law changes
  • Protect your company from lawsuits and minimize business risk
  • Prevent identity theft and data compromises
  • Retain satisfied customers who are confident in your business
  • Preserve and protect your brand from a negative outlook based on data breaches
  • Keep employee information safe and reduce turnover
  • Have confidence in your staff and their ability to properly handle sensitive client information


Steps to Create or Update a Privacy Policy

The Federal Trade Commission has strategic steps they advise companies to use when composing or updating privacy policies:

Step 1: Review documents to get an account of the sensitive data you’re storing in digital or hard copy format. Work with the entire company to gather information on what documents you have. Start by breaking it down by department, and ask each area how they receive and use information and what they hold. From there, account for data on all systems including laptops, desktops, tablets, phones, drives, disks, copiers, cash registers, portable merchant devices (Square or PayPal Here card readers) and any other digital devices. Review your storage or filing system to document the type and amount of hard-copy data you have.

Step 2: Purge documents, keeping only what you need to complete business functions. Even if you need to use certain information to complete services or transactions, decide if you can get rid of it once you complete the transaction. For instance, you don’t need to store credit card information unless clients agree to set up a recurring draft for repeat services.

If you’re required to keep documents on file for a certain period, like tax documents or credit reports, make a note of the date you can get rid of them. Use this as an opportunity to create a new system for collecting and/or storing only necessary information.

Step 3: Secure information you do need to keep in your system, and only allow staff to access personal information as needed to complete their duties. Beef up security for all areas where you transport, store, and manage sensitive information. Encrypt email and fax communications, and keep virus and malware protections updated.

Step 4: Destroy information you don’t need, using a secure data destruction and paper shredding service. Once you’ve separated the necessary from the unnecessary information, don’t just toss it in the garbage. Hard drives retain some of the most critical data that criminals can access to steal confidential details. Use a certified company that can securely manage destruction of sensitive documents in all forms.

Step 5: Create a plan to prevent or minimize data security problems and add it to your risk management strategy. Now is the time to fix outdated privacy policies or create a new one.

You also need to have definite action steps the company should follow in the event of a data breach. Having the right security and updated office technology solutions is paramount.

Step 6: Decide whether to handle the privacy policy yourself or have a legal firm help. Some companies have the skills and expertise to handle privacy policies in-house, while other companies may need to outsource to ensure all parts of the privacy policy are up to date and fit business needs. Either way, you can start by reviewing a sample privacy policy to get an idea of what you’ll need to cover. Once your company completes the updates, get an attorney to review the policy.


Training Staff on Privacy Policy Compliance

Having staff that understand your privacy policy and know how to follow the rules it sets is imperative to maintaining the integrity of the document. If you have staff who don't know the ropes of privacy policies, there are simple ways to implement a training program.

Management or HR can add to a training program they already conduct, or they can start from scratch to create a separate privacy policy course. Some main points you should include in your training materials are:

  • Why privacy policies are important and how employees can help maintain customer privacy.
  • How to communicate with customers about privacy policy information.
  • The importance of having strong passwords.
  • Keeping information confidential by not leaving it unattended, not sharing processes, and locking computers and digital devices.


Avoid the Pitfalls of Outdated Privacy Policies and Untrained Staff

The most important takeaway is to communicate with customers through a strong privacy policy. Part of that process is also upholding your duty to keep personal data secure. To help achieve that, it’s important to get rid of hard and electronic copies of outdated or unnecessary information, such as defunct hard drives or old paper records. A reliable shred team can help your company comply with privacy policies and limit exposure to identity theft and data breaches with hard drive shredding and paper shredding services.

At Proshred® Philadelphia, we are a paper shredding service with NAID certification and can professionally shred your confidential materials on site, so your sensitive information doesn’t leave your location until it is completely destroyed. If you are interested in one of our data destruction or information security services, contact us today to schedule an appointment!
