Introduction to privacy policy implementation in organisations

Shehan Sanjula
SLIIT FOSS Community
Dec 2, 2021


The privacy policy is an asset to every organisation. It is the responsibility of organisations to protect the privacy of their employees. Privacy has been a critical term in news media and has become a target of legislation worldwide in recent years. Most organisations have by now faced lawsuits because of errors in their privacy policy mechanisms.

This article presents a brief overview of such violations and how to overcome them by implementing a proper privacy policy for the organisation. As far as I am concerned, a well-developed and well-implemented privacy policy effectively protects the organisation, its resources and its stakeholders. This article briefly examines the statistics, significance, strengths and weaknesses, and recommendations relevant to implementing a privacy policy for an organisation. By providing such views, I encourage the reader to understand privacy policy implementation in an organisation in a better way.

Keywords: privacy policy, history, statistics, significance, strengths and weaknesses, recommendations

An overview of the privacy policy implementation in organisations

Every day, an unimaginable amount of data flows from the workplace to the Internet and vice versa. Each piece of this data left behind on electronic devices contains trails of various user activities, such as everyday conversations with people, sensitive personal information, and monetary transactions. When properly collected, stored and processed, this sort of data and information allows organisations to understand employee and customer behaviours and preferences. The way an organisation manages the personally identifiable information that it gathers and uses in the regular course of business, as discussed above, together with the written, published statements that explain the organisation’s policy position on this matter, can be described as its privacy policy.

However, the privacy factor remains the most prominent issue that must be solved in how companies access, collect, process, use, analyse, share, and disseminate such private information of their employees. This concern has come to attention because incidents of privacy invasion and online information leaks have been increasing over the years. As far as privacy policy violations are concerned, those incidents have had adverse effects even on well-recognised companies around the world. Ultimately, those organisations had to pay fines in lawsuits as the price.

To prevent such violations and penalties, organisations tend to monitor employee communications carefully. When they implement policies for such actions, most employees have their staff and organisation in mind while achieving common goals for the organisation. It has been noticed that the privacy of employees is the priority in these topics. At its core, they believe in the need for security and safety in such situations.

When it comes to the privacy policy implementation at the workplace, Nancy Flynn, the Executive Director of the ePolicy Institute, states that,

“To help control the risk of litigation, security breaches and other electronic disasters, employers should take advantage of monitoring and blocking technology to battle people problems — including the accidental and intentional misuse of computer systems and other electronic resources.”

Knowing that someone is always watching, what could be monitored, and what types of surveillance technologies exist can motivate people to do their best at the workplace.

Types of technologies that can be used for surveillance at the workplace:

  • CCTV
  • Background check software
  • Biometric technology (facial recognition, fingerprints, and voice recognition, etc.)
  • Modern cloud-based access control platforms
  • Real-time location tracking (to monitor company assets and endpoint devices within a network)
  • Social Media Monitoring software (SMMs)
  • Identity management systems
  • Occupancy tracking (a series of sensors that can be used to measure the number of people present and the amount of time they spend in a specific area of the workplace)
  • Screen capture/browser monitoring
  • Workplace analytics audit logs

According to the Privacy Rights Clearinghouse, here is the list of things that an organisation is generally permitted to monitor in the workplace:

The “2007 Electronic Monitoring & Surveillance Survey”, which was co-sponsored by the American Management Association and the ePolicy Institute, mentioned a long list of privacy policy violations at organisations in its report. Among them, 64% of employees violated company policies under the title of “any company policy violation” in the category of Email and Internet-Related Terminations. It is not only employees who violate company policies: it has also come to attention that 48% of bosses violated company policies under the title of “any company policy violation” in the category of Email and Internet-Related Terminations.

They also included in their report that “45% of employers tracking content, keystrokes, and time spent at the keyboard, 43% store and review computer files, 12% monitor the blogosphere to see what is being written about the company and 10% monitor social networking sites”. All of this falls under the category of computer monitoring forms at the organisation.

So, it is evident that there are several things to consider when implementing a better privacy policy. Ultimately, a well-documented privacy policy should consider all the above requirements and protect the organisation and the individuals who affect it. It will also automatically help the organisation earn public trust.

Strengths of privacy policy implementation

  • Having a privacy policy implemented into your organisational structure can play a vital part if you or your organisation collect, gather, process, store or manipulate customer data, because a privacy policy is a legal requirement when collecting personal information.
  • If the organisation uses any third-party application or service, those also require a privacy policy to be implemented in the organisation.
  • One of the main reasons is that if users are concerned about their privacy, they can have a clear idea about what information the organisation or service collects or processes and can be clear about doing further business with the organisation.

Weaknesses of privacy policy implementation

  • One of the main things that can happen with privacy policy implementation is that it’s not appropriately documented, including guidelines and procedures. This information about privacy policies should be accessible and adjustable in case of change.
  • Even though the privacy policy has various connections all over the business, most businesses only connect it to their IT security structure or their disaster recovery plan.
  • Usually, when technology is updated rapidly over time, organisations do not update their privacy policy with the changes. Updating privacy policies and new implementations according to changes of privacy laws does not happen very often with most organisations.
  • When it comes to new implementations, the Internet of Things (IoT) and Bring-Your-Own-Device (BYOD) are generally harder to cover because they connect almost all devices to the internet and have a vast amount of data to manage and process.
  • Most organisations apply the same privacy policy to all types of data, which is insufficient to cover and manage those categories.
  • After implementing privacy policies, organisations need to monitor and maintain the implementations so that they are not breached. Since maintenance costs increase with the economy, organisations decide to automate processes instead of relying on the workforce, which reduces costs, improves control and governance, removes human errors, and increases efficiency.

Recommendations for privacy policy implementation

  • Do not use only legalese language.

One of the characteristics of a poor privacy policy is the use of legalese. The practice was (and continues to be) so widespread that the European privacy law — the GDPR — went to great lengths to make it clear that privacy policies written in non-plain language are in breach of the law. Transparency is the ultimate goal of a privacy policy.

  • Update privacy policy to match your data practices.

Regularly update the policies to the current practices. If you constantly update your privacy policy, you should inform your users via a privacy policy update notice and ask for consent a second time. Conduct a privacy law self-audit to make sure you have a good grasp of your business’s current privacy practices so you can accurately convey it in your privacy policy and update your policy if needed.

  • Do not miss essential clauses.

A privacy policy needs to strategically represent each of the ways you collect, use and store data. Businesses often miss out on some of the legislative clauses listed above, such as the need to comply with the GDPR or COPPA.

There might be other clauses missing that result in the privacy policy being incomplete. These often relate to moving or sharing your data with a third party. For example, if you transfer data to another country, you need to say so in your privacy policy. You mainly need this clause if you must comply with the GDPR. Another essential clause frequently missed by privacy policies is the business transfer clause. It states that you will pass the database and its contents over to the new owner if you sell your business. Even if you don’t plan to market your business, you benefit from having this clause.

  • Do not write an enormous block of text.

Not making a privacy policy easily readable is one of the biggest mistakes organisations make when constructing their policies. Too many still use a 2000s-era format: big words, tiny print, and enormous and almost illegible blocks of text. Readability is increasingly governed by law, and in cases where you market to children, you need to provide a privacy policy they can read.

  • Do not use one privacy policy for different users.

Organisations may have several different types of users: customers, developers, and partners. The way you use data changes based on how they use your service. So, your privacy policy needs to reflect accordingly. Including all three user categories in a single privacy policy makes your document long, complicated, and virtually unreadable. To make it simple, you need a policy for each of your critical categories of customers.

Use a separate privacy policy for:

  • Customers
  • Partners
  • Developers
  • General users (“Everyone”)

Each privacy policy is found under its respective heading to clarify what data practices occur at each level.

  • Update employees about what’s in your privacy policy.

You have a privacy policy, and it reflects your data practices on paper. But does your team know what’s in your privacy policy, and more importantly, does their lack of knowledge impact whether you uphold each clause as you should? Everyone who controls, processes, or accesses your data needs to know what’s in your privacy policy, how it matches your operations, and what your consumers expect from you. This makes the privacy policy more than just a document: it becomes an actual, authentic practice and a reflection of your professional methods.

So, we’ve come to the end of our article. I think you have learned something from this article regarding what you might need to consider when implementing a privacy policy in organisations.

Thank you, and let’s meet with another piece of paper. Until then, stay safe and bye 👋.

You can find my articles from the Blog of Shehan as well. 👨‍💻

References

[1] “Justice Information Sharing | Bureau of Justice Assistance”, Bureau of Justice Assistance, 2006.

[2] Y. Chang, S. Fan Wong and H. Lee, “Understanding Perceived Privacy: A Privacy Boundary Management Model”, Core.ac.uk, 2015.

[3] S. Cox, T. Goette and D. Young, “Workplace Surveillance and Employee Privacy: Implementing an Effective Computer Use Policy”, Scholarworks.lib.csusb.edu, 2005.

[4] “The State of Employee Privacy and Surveillance in 2021 | Kisi”, Getkisi.com, 2021.

[5] “The Latest on Workplace Monitoring and Surveillance”, Amanet.org, 2021.

[6] U. Hugl, “Approaching the value of Privacy: Review of theoretical privacy concepts and aspects of privacy management”, AMCIS 2010 Proceedings, 2010.

[7] B. Kint, “5 Ways Your Company’s Privacy Policy Could Be Insufficient”, Corporate Compliance Insights, 2019.

[8] “The 8 Most Challenging Data Privacy Issues (and How to Solve Them)”, Cloverdx.com, 2020.

[9] S. Sanjula, S. Fonseka, S. Wijeveera, I. Anjana and U. Madushantha, “Privacy Policy implementation in organisations”, ISPM, 2021.
