Is a Privacy Policy Enough to Be Compliant?


Whether it’s for the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), or other data privacy laws, businesses generally (and understandably) want to take the simplest route to compliance. For many, it’s tempting to say, “We already have a privacy policy on our website, so we’re good on compliance.” 

It’s important to know, however, that a privacy policy alone does not make your business compliant with the CCPA, GDPR, or other data privacy laws.

What Your Current Policy Is Missing

It’s true that a big part of data privacy compliance centers on making certain disclosures on your website, but if what your business currently has on its website is a generic privacy policy generated by a free online service, it almost certainly does not meet current data privacy standards. Each data privacy law has its own set of specific requirements and definitions that must be adhered to, and a generic privacy policy isn’t going to hit all of these points.

You might be thinking, “But our policy generator has separate modules for the CCPA and GDPR.” This gets to a more important point: the disclosures required by data privacy laws aren’t just empty recitations of boilerplate language; they require a deep dive into your business’s current practices. Like the proverbial tip of the iceberg, they are the outward manifestation of a lot of behind-the-scenes work.

Here are just a few examples of the questions you may need to answer:

  • Do all of your vendors have the required service provider or processor documentation? If not, can you still use them?
  • Are you processing any categories of personal data that require special protection?
  • What is your lawful basis for each type of processing?
  • Are you using data in a way that the law treats as selling or sharing? (Hint: If you use targeted advertising, the answer is almost certainly yes)
  • Which processing activities may need to be restricted upon request?

These kinds of analyses require a careful look at the day-to-day operations of your business and often involve multiple stakeholders (Marketing, HR, etc.). There are ways to streamline the process (learn more below), but you definitely can’t skip it.

Compliance Goes Beyond a Privacy Policy

Even if you have a privacy policy that contains all the required disclosures, compliance doesn’t stop there. There are a number of other requirements you may need to meet, e.g., logging consent from website visitors or maintaining sufficient security measures. The biggest one by far is responding to privacy requests from consumers.

Every new data privacy law since the GDPR has included the right for consumers to make certain requests regarding their information, such as deletion, access, or correction of data. While these requests may seem straightforward, in practice they can be quite complicated. In response to a deletion request, for example, you will have to consider:

  • What kind of verification procedure is necessary
  • Where all your data is stored
  • Whether you may retain all or some of the consumer’s data
  • Whether your vendors offer a self-service deletion option or whether you need to submit a request to each of them
  • What to do if you can’t respond within the required timeframe

Being able to handle these requests in a timely manner requires a lot of preparation and organization, much of which functions in tandem with the work you did to create your privacy disclosures. By completing all of the back-end preparation in advance, you can respond to a privacy request in a way that is compliant and also much more efficient.

How to Become Fully Compliant Quickly

If your business is required to comply with one or more data privacy laws, a standard online privacy policy isn’t going to cut it. While the complexities of compliance can seem daunting, that shouldn’t keep you from moving forward. Rather than paying out tens of thousands of dollars to a specialist law firm, you can get your business compliant on your own with the right tools. TrueVault Polaris is designed by attorneys to help small and medium-sized businesses reach full compliance quickly and at a much lower cost. By progressing through our guided software experience, businesses can become compliant in as little as a few hours. Contact TrueVault today for a demonstration.
