The International Association of Privacy Professionals (IAPP) set out guidelines to distinguish the difference between privacy policies and privacy notices, the two primary types of documents that communicate privacy practices. Policies are different from notices in that they are internal-facing documents, addressed to employees, that clearly state how an organization handles personal information. A privacy policy is aimed at providing details to employees and vendors of an organization regarding responsible data handling, collection, use, storage, and deletion.
On the other hand, a privacy notice is an external facing document – usually a notice on a website – which aims to accustom visitors to a website to the privacy practices adhered to by the organization. A privacy notice usually outlines how the organization processes information and what a user of the website can expect. Oftentimes these privacy notices are also, wrongfully, referred to as privacy policies on websites.
What is the Purpose of a Privacy Policy?
A privacy policy asks employees and third parties to adhere to the requirements and procedures outlined in the policy for the proper handling of personal information as set forth by the organization. A privacy policy helps with the continued development of privacy practices within the organization and helps to communicate privacy to stakeholders. It helps to bring awareness to all employees of the relevant laws and regulations which must be followed in order to maintain adequate data privacy, guiding employees towards compliance.
What Should the Privacy Policy Include?
The privacy policy should include at least an effective start date, who the policy applies to, how data is meant to be protected while it is in use, how it is going to be destroyed when it is no longer needed for processing, policy ownership (who is responsible for the policy), and disciplinary measures should there be areas of non-compliance.
What is the Purpose of a Privacy Notice?
A privacy notice serves as a public notification to visitors of a website that their personal information may be collected, processed, and used for certain purposes. This notice offers information on the protection of their personal information by going into details about what information is collected, why it is collected, and how the organization stores and uses this data. Certain information may be stored for marketing purposes but this purpose must be clearly outlined on the privacy notice.
What Should the Privacy Notice Include?
There are a number of considerations necessary to ensure the protection of the data subject’s rights. You need to have the contact details of the organization as well as the contact details of the data protection officer if applicable, you must outline the purpose of data collection and its processing, it must be outlined exactly what sensitive information is collected, procedures for overseas data transfer, lawful grounds for processing, all data subjects rights, collection of any geo-location information of the visitor, any intent to share information with third parties, and data analytics information.
What’s the Difference Between a Privacy Policy and Privacy Notice?
While these two are often used interchangeably it’s important to know the difference between them and to understand within your organization that they are not the same. The most important difference between a Privacy Policy and a Privacy Notice is the aim to which each document is directed. The term Privacy Policy should only be used to indicate an internal-facing document used to guide employees’ and vendors’ data processing procedures. The externally facing Privacy Notice should always be directed to the visitors of your organization’s website to describe the organization’s data handling practices as they relate to applicable standards and regulations.
A privacy policy guides employees and vendors on proper procedures, it tells these employees and vendors what they can and cannot do with personal information. A privacy notice, conversely, tells visitors, stakeholders, and other relevant persons how personal information is handled and what is done with the personal data collected.
By its very nature, a privacy policy is more strict than a privacy notice. It includes within it operational details towards privacy compliance as well as procedures for remaining compliant. A privacy notice offers more flexibility, especially with regard to data protection.
Utilize Privacy Policies with Carbide
It is essential to your security program that you develop information security policies that are clear, concise, and align with your business. Policies are the foundation of your security infrastructure and outline the reasoning for any cybersecurity technology you need. We can help you achieve compliance with security standards, like GDPR, that will require you to provide internal privacy policies for your team and external privacy notices for visitors to your site. If you are looking to achieve multi-compliance with industry security standards and laws, book a meeting and talk with our team of security experts.