Published on: Feb 2, 2021
How to Create Privacy Policies and Procedures
In this article we will explore the "why's" and "how's" of privacy policies and procedures, and the role they play in data privacy.
Let's start with a basic obligation: under modern privacy regulations such as the GDPR and the CCPA, an organization that collects personal data must inform the people it collects from, which in practice means publishing a privacy notice on its website. A clear privacy statement for potential clients and existing customers is the visible part, but your documentation responsibilities extend well beyond it.
Identifying Policy Stakeholders
Before answering the big "why's" and "how's" of privacy, identify your stakeholders. They range from the owners of these policies and processes to the audience that is expected to read and abide by the documents.
Ownership is assigned to an individual or group with decision-making authority over the policy. The audience determines the language, style, and level of detail needed to make the policy clear and complete. Adding a scope statement to each document makes its purpose explicit, and describing roles and responsibilities assigns ownership of the actionable items within it.
Policies, Procedures & Notices
The first step is to distinguish policies, procedures, and notices, three concepts that will guide how you draft your privacy management documentation.
Policies set the parameters for decision-making at a higher level, leaving room for flexibility; they state the "why" that serves as a guideline. Procedures explain "how" things must be done from an operational standpoint, with step-by-step instructions for routine tasks and processes.
Both need to be controlled documents: tools exist to track revision dates, versioning, approval, and the categorization of the different document types. A few of these documents are:
Privacy Policy (or a Code of Practice)
Data Protection Impact Assessment (DPIA) Process
Supplier Assessment Process
Data Incident Response Process
Lastly, notices are the building blocks of everything you must and should communicate externally. Privacy regulations require notices about your data processing activities to inform customers and regulators about business practices and individual rights, and those notices serve as the basis for informed consent and opt-out. Some of the different types of notices are:
Privacy Notice
Just-in-time notice
Data Subject Requests
Third-party disclosures
What Types of Personal Information Are Collected?
A core element of any effective privacy documentation is transparency around the types of data your organization collects. Websites are routinely gathering a range of personal information from users. To craft clear and comprehensive notices, you first need to determine exactly what’s being collected, and then make sure this information is shared in plain language.
Common categories of personal information typically collected by websites include:
Contact details such as names, email addresses, phone numbers, and physical addresses.
Device and usage data including IP addresses, browser type, device identifiers, and information about how users interact with your site.
Account information such as usernames and the credentials needed to operate user accounts (passwords should be stored only as salted hashes, never retained in clear text).
Demographic details such as age, gender, and location, sometimes inferred or collected through forms and surveys.
Payment and billing data when e-commerce comes into play, including credit card numbers or bank details, often processed through third-party providers like Stripe or PayPal.
User-generated content, for example comments, reviews, uploaded files, and feedback submitted through forms.
Marketing and preference data gathered via cookies, analytics tools (like Google Analytics), or sign-ups for newsletters and alerts.
When drafting your privacy notices, it’s critical not only to list these categories but also to explain why each type of data is collected, how it will be used, and whether it will be shared or transferred to third parties. By doing so, you set the stage for informed consent and help stakeholders understand the value and limits of your data practices.
How Websites Collect Personal Information
Websites gather users' personal information through various channels, often without users realizing it. The most common methods include:
Online Forms: When users sign up for a newsletter, submit a contact request, or make a purchase, they are typically asked to provide details such as name, email address, or payment information.
Cookies and Tracking Technologies: Cookies, web beacons, and pixels quietly collect data about browsing habits, device, and preferences. Think of these as invisible notetakers that help a site remember who a visitor is and what they like.
Account Registrations and Logins: Creating a user account, or logging in with social media credentials, gives the site access to information tied to those profiles, sometimes far more than the user expects. Request only the profile scopes you actually need.
Surveys and Feedback Tools: A quick survey or product feedback form often collects demographic or opinion-based information.
Automated Data Capture: Connection information such as IP address, browser type, and approximate location is gathered in the background as the user browses, typically in server logs and analytics tools. Logs are a collection point too, and they need a documented retention period.
Transparency around these collection methods is not only a regulatory obligation but a building block of trust with your users.
Effective Internal Communication
Since every company now handles data daily, and data is an asset, privacy policies and procedures must be endorsed by top management, with the Data Protection Officer (where one is appointed) advising on and monitoring them, and communicated throughout the company. Most of these guidelines cover cross-functional teams and may extend to groups dispersed around the globe, which is where a cloud-based document repository accessible anytime and anywhere proves useful.
In any event, a privacy notice must be presented at or before the point where personal information is collected, and where your legal basis is consent (non-essential cookies and marketing, for instance), the notice must demand an affirmative action from the audience: an explicit opt-in, not a pre-ticked box or continued browsing. This is where the importance of these notices lies. One of the main reasons privacy regulations were formulated was to ensure that individuals have control over their data and can make informed decisions about it; the GDPR's definition of consent requires it to be "freely given, specific, informed and unambiguous". Documenting why you are doing things, how you and your company perform such tasks, and ensuring all privacy policies and procedures are crystal clear to your clients is a legal requirement you must satisfy.
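The opt-in requirement above has a direct consequence for a website's client-side code: tracking scripts must not load until the visitor has taken an affirmative action, and a stored consent has to be re-checked against the current notice. The following is an added example (not code from the original article) of a purpose-scoped consent gate; the notice version, purposes, script URLs and one-year expiry are assumptions made for illustration.

```javascript
// Added example: a purpose-scoped, opt-in consent gate for a website's
// tracking scripts. Not from the original article; the notice version,
// purposes, script URLs and expiry below are assumptions for illustration.

const NOTICE_VERSION = "2021-02-02"; // assumed: bump whenever the privacy notice changes
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // assumed: re-ask after one year

// Does a stored consent record authorise processing for `purpose`?
// Anything short of a fresh, affirmative, version-matched opt-in is "no".
function consentGrants(record, purpose, now = Date.now()) {
  if (!record || typeof record !== "object") return false;   // nothing stored: no consent
  if (record.noticeVersion !== NOTICE_VERSION) return false; // notice changed since consent: re-ask
  if (record.action !== "opt-in") return false;              // silence, scrolling, pre-ticked boxes don't count
  if (!Number.isFinite(record.timestamp)) return false;
  if (record.timestamp > now || now - record.timestamp > CONSENT_MAX_AGE_MS) return false; // stale or clock-skewed
  return Array.isArray(record.purposes) && record.purposes.includes(purpose);
}

// Build the record to persist (cookie or localStorage) when the visitor clicks
// "Accept" for a specific set of purposes. Only the purposes actually ticked are stored.
function recordOptIn(purposes, now = Date.now()) {
  return {
    noticeVersion: NOTICE_VERSION,
    action: "opt-in",
    timestamp: now,
    purposes: [...new Set(purposes)],
  };
}

// Given the stored record and the site's script catalogue, return the script URLs
// that may load. Strictly necessary scripts need no consent; all others are gated by purpose.
function scriptsAllowedToLoad(record, catalogue, now = Date.now()) {
  return catalogue
    .filter((s) => s.purpose === "necessary" || consentGrants(record, s.purpose, now))
    .map((s) => s.src);
}

// Constructed catalogue (assumed URLs): the same list the privacy notice should disclose.
const SCRIPT_CATALOGUE = [
  { src: "/js/app.js", purpose: "necessary" },
  { src: "https://analytics.example/tag.js", purpose: "analytics" },
  { src: "https://ads.example/pixel.js", purpose: "advertising" },
];

// In a browser the gate runs on page load, roughly:
//   const record = JSON.parse(localStorage.getItem("consent") || "null");
//   for (const src of scriptsAllowedToLoad(record, SCRIPT_CATALOGUE)) { /* inject <script src=...> */ }
// Stand-alone demonstration with constructed consent records:
function demo() {
  const t0 = Date.UTC(2021, 1, 2); // fixed "now" so the result is deterministic
  const noChoice = null;                                   // banner never answered
  const analyticsOnly = recordOptIn(["analytics"], t0);    // ticked analytics, not advertising
  const outdated = { ...recordOptIn(["analytics", "advertising"], t0), noticeVersion: "2020-01-01" };
  const expired = recordOptIn(["analytics"], t0 - CONSENT_MAX_AGE_MS - 1);
  return {
    noChoice: scriptsAllowedToLoad(noChoice, SCRIPT_CATALOGUE, t0),
    analyticsOnly: scriptsAllowedToLoad(analyticsOnly, SCRIPT_CATALOGUE, t0),
    outdated: scriptsAllowedToLoad(outdated, SCRIPT_CATALOGUE, t0),
    expired: scriptsAllowedToLoad(expired, SCRIPT_CATALOGUE, t0),
  };
}
```

The design point is that every failure mode (no record, a record for an older notice, a non-affirmative action, an expired or future-dated timestamp, a purpose the visitor did not tick) collapses to "do not load", so a bug in storage or a change to the notice never silently widens what is collected.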
What to Include in Your Privacy Notices and Policies
A well-crafted privacy policy doesn’t just tick a box—it gives your customers a genuine understanding of how and why you collect their personal data. It should spell out:
What data you collect: Types of personal information gathered, whether it’s names, email addresses, purchase histories, or browsing behavior.
How you use the data: The specific purposes for processing personal information (e.g., to provide services, for marketing, to improve user experience).
With whom you share it: Categories of third parties or partners who may access the data, such as service providers or business affiliates.
How you secure it: A brief outline of the measures in place to protect personal information against unauthorized access or disclosure.
How long you keep it: The retention period for each category of data.
What rights individuals have: This includes the right to access, correct, or delete their data, and in some cases, to opt out of certain uses or the sale of their information.
Jurisdiction-Specific Requirements
GDPR (European Union): Your privacy policy must identify the controller (and the DPO, where one is appointed), state the legal basis for processing, detail the purposes for each type of processing, list the data retention periods, and explain with whom data is shared, including any transfers outside the EU. Individuals must be informed of their rights, such as access, rectification, and erasure (the "right to be forgotten"), the right to withdraw consent, and the right to lodge a complaint with a supervisory authority.
CCPA (California, USA): You must include the categories of personal information collected, the business or commercial purposes for collection, the categories of third parties with whom information is shared, and details of consumer rights—such as the right to know, the right to delete, and the right to opt out of the sale of personal data.
Data Sharing and Third-Party Disclosures
Another key aspect of privacy policies is how your organization shares or sells users' data to third parties. This is more common than most realize: working with vendors like Google Analytics, partnering with advertising networks, bringing in contractors for specific projects, or engaging external data processors all count.
If your company engages in any such data sharing, transparency is not just recommended; it’s essential. Make it clear in your privacy notice under what circumstances data may be disclosed to external parties. Outline the types of recipients—such as advertisers, consultants, analytics providers, or subcontractors—and the reasons for sharing: for example, operational support, marketing initiatives, or business analytics.
The goal here is precision. Generic statements like “We may share your data with trusted partners” don’t cut it anymore. Instead, strive to provide enough detail so users can make informed decisions about their information: list categories of recipients and summarize the types of data shared, always keeping in mind jurisdictional requirements and customer expectations.
Taking the time to detail these elements ensures your privacy documentation is not only compliant, but also instills trust, making it clear that your company respects and protects individual privacy rights at every step.
Ensuring Third-Party Compliance
When it comes to third-party service providers—whether that's your payroll company, a marketing automation provider, or even major players like Amazon Web Services or Salesforce—oversight is just as crucial as your own internal processes. Safeguarding personal data means not only setting (and following) your own robust standards, but also holding your partners to them.
To do this effectively, organizations should:
Conduct Due Diligence: Vet each provider thoroughly before onboarding, reviewing their data privacy practices, security certifications (such as SOC 2 or ISO 27001), and history of regulatory compliance.
Establish Clear Agreements: Include well-defined privacy and security clauses in your contracts. Think Data Processing Agreements (DPAs) that specify responsibilities, permitted uses of data, and breach notification requirements.
Request Regular Documentation: Insist on regular audits, compliance reports, or third-party certifications. For example, ask your cloud provider for its most recent SOC 2 Type II report, or your email service provider for its signed DPA and current sub-processor list, which are the practical evidence of GDPR compliance.
Monitor on an Ongoing Basis: Set a schedule for periodic reviews, using checklists or supplier assessment processes to ensure ongoing alignment with privacy regulations. Don't treat this as a set-it-and-forget-it task: a provider that is compliant today can fall behind or change its practices.
This diligence not only helps you meet your regulatory obligations, but also protects your brand and bottom line from the fallout of someone else's mishaps.
Summary
Policies and procedures are critical to defining and enforcing data privacy and compliance. Without them, your company would be missing both the overarching guidance that policies provide in everyday decision making, as well as the day-to-day processes to maintain compliance. Notices also play an important role in your program as they alert both internal and external stakeholders of any policy or procedural changes and communicate rights to consumers.