Increasing online commerce, advancements in online data sharing, and spiking consumer adoption of online services are all spurring companies to put a privacy policy in place.

As I outlined in a previous article, the struggle to balance privacy with other factors, such as the public good and the right of businesses to earn money, will never end. Acknowledging the need for a privacy policy is the key to avoiding liability issues and to building customer confidence.

A first step in developing a privacy policy is to examine current tools and technologies that hit many privacy policy touch points, such as looking at existing laws and practices, generating policies, conducting policy audits, establishing a Chief Privacy Officer role, and continuing to assure customer privacy.

Initiating the privacy process
In general, customer privacy should be managed as a part of an organization’s information security process and procedures. When we look at information security management, there are generally four stages:

  • Preparation: This stage includes identifying best practices and requirements for customer privacy; defining customer privacy policies and strategies; auditing current customer privacy policies, practices, and procedures; and creating a plan to implement and align customer privacy practices with the organization’s customer privacy policy and strategy.
  • Prevention: In this stage, it’s time to implement mechanisms, e.g., securing customer databases, to assure (or minimize risk to) customer privacy in alignment with your organization’s customer privacy policy.
  • Protection: In this stage, the focus is on continual monitoring and maintenance of customer privacy mechanisms.
  • Postincident: This stage occurs when a breach of customer privacy has happened. You should record the incident, determine the cause(s), and identify methods to remedy the current problem and methods to prevent it from happening again. You also need to determine how, when, and what you will communicate to your customers.

Tools for managing customer privacy
There are many existing sources of information and tools to help you manage your customer privacy. The following list will help you start building your own policy.

Sources for current laws and practices
There are many online sources that provide a comprehensive picture of the state of privacy issues today, as well as examples of acceptable guidelines and practices. Here are a few valuable resources:

Tools for generating privacy policies
The following tools will help create a draft privacy policy that can be reviewed by your organization and legal counsel:

  • Model Privacy Statement: This model privacy policy is provided by Truste in the Privacy Resource Guide mentioned earlier.
  • DMA Privacy Policy Generator: The Direct Marketing Association provides an automated tool that will generate a privacy policy Web page for you based on what you respond on a survey.
  • The OECD Privacy Statement Generator: The Organization for Economic Cooperation and Development has also developed a similar tool to the DMA Privacy Policy Generator.

Tools for auditing privacy practices
A crucial part of implementing a privacy policy includes creating an audit process. Here are several online resources that can help get the audit process going:

  • Data Security and Privacy Audits Adding Value to the Organisation: This paper outlines the benefits of privacy audits to organizations. If you are trying to justify conducting a privacy audit, this provides you with a starting argument.
  • Conducting a Privacy Assessment: This presentation outlines how your organization can go about completing a privacy risk assessment.
  • Privacy Audit Checklist: This document provides a general checklist for conducting a privacy audit.
  • High-Level Privacy Assessment Matrix: The table in Figure A provides a matrix that can be used for a high-level analysis during brainstorming sessions with personnel and in reviewing existing documentation.

Figure A

Client type Which information is collected? Where and how is information stored and handled? How is the information used? Which information is shared with external sources and for what purpose?

Assessment matrix

Chief Privacy Officer resources
Many enterprises, spurred by security issues and customer-centric approaches, are creating a new position that fits between the business units and the IT unit—the Chief Privacy Officer (CPO), a new position for many organizations. Following are two resources that provide insights into the CPO role and responsibilities:

Technologies for managing privacy policies
When reviewing available technologies for implementing privacy policies, CIOs need to consider elements for assuring fair privacy practices.

Several different frameworks have been developed by different governmental and private organizations worldwide. At the heart of each are the right of the individual to:

  • Know how personal information is being used.
  • Choose how the personal information will be collected and used.
  • Access the information collected on him or her.
  • Have data remain accurate and secure.

Popular approaches in disclosing policies
The primary technology used with privacy policies is online public notice—most e-commerce sites today provide their privacy policy on the e-storefront door page.

Another, more interactive method, is using the Platform for Privacy Preferences (P3P) methodology. This technology allows site owners to post the privacy policy in machine-readable language.

Online visitors who have P3P-compliant browsers and privacy preferences defined can be notified online automatically if a site does not meet their specific privacy requirements. To learn more about implementing this technology, check out this previous article, and visit this P3P site for more information.

Compliance tools gaining favor
In addition to online policy posting and P3P adoption, there are several different software tools on the horizon for managing privacy policies. However, it is still a new segment. The major types of compliance tools are as follows:

  • Privacy ratings and privacy seals—Several different organizations provide services to rate Web sites for privacy guidelines’ adherence. You should note that each service has its own set of criteria, so your site might be rated differently through each organization. There are also privacy seal programs that you can join. With these programs, an organization joins the program and then can display a seal, which indicates that it follows the privacy guidelines of the program. The two leading privacy programs for the Internet are Truste ( and the Better Business Bureau (
  • Consumer-focused compliance software—The oldest segment of software are those tools that have been developed for consumers to use. These programs are designed to address different privacy issues, including securing consumer communication, keeping personal information private by separating the person from the transactions he or she is performing, and erasing history of Internet use patterns. The Electronic Privacy Information Center keeps a comprehensive list of these types of programs.
  • Proxy- and filter-based programs—These programs protect customer data by blocking access to specific customer data through Web sites. Two examples of these types of programs are iPrivacy and PrivacyRight TrustFilter system.
  • Probing and scanning programs—These programs look at patterns for collecting, storing, and sharing customer data and compare them to your organization’s defined privacy policy. PrivacyWall and Watchfire CPO are examples of this type of software.

Share your privacy policy tips

Have you developed a privacy policy and learned some lessons the hard way? If so, write and tell us about your policy, and we’ll share it with TechRepublic members.