Notices

Your privacy program should provide notice to data subjects regarding a spectrum of information on your data processing activities, including the purpose for collection, data subjects’ rights, how the data will be retained and disposed of, to whom the data will be transferred and how, what security measures have been deployed, and more.

Less Mature

An immature notice and disclosure management process may have some or all of the following characteristics:

  • Incomplete, inconsistent, inadequate, or confusing privacy notices.
  • Infrequent updates.
  • Lack of transparency around data processing activities. 

As a result, individuals won’t understand what your organization is doing with their data, what rights they have in regard to that data, and whether or not your organization can be trusted with their personal information. Not only does this damage your relationship with groups like potential stakeholders, but it also puts you at risk of violating data privacy regulations.

More Mature

In contrast, a mature notice and disclosure management process involves:

  • Clear and concise notices that are easily understandable by data subjects.
  • Notices that are available in the languages of your data subjects.
  • Privacy notices that avoid nested, hidden, or externally linked sections where key provisions may be lost.
  • Clear explanations of data subjects’ privacy rights and how to exercise them.
  • Providing data subjects with disclosures before their data is shared with third parties.
  • Regularly reviewing and updating notices so that they stay aligned with data processing activities, best practices, and legal requirements.

Recommended Next Steps

To increase the maturity of your privacy notice and disclosure management process, you can take the following actions:

  • Understand who your data subjects are. What kind of voice and tone will make sense to them? What language do your policies need to be in?
  • Review and update notices and disclosures to ensure that they are clear, concise, and meet legal and regulatory requirements.
  • Conduct regular privacy impact assessments and maintain your data inventory and/or record of processing activity (RoPA) to identify any new data processing activities that require notice and disclosure to individuals. This is especially crucial since, without an understanding of how your organization is processing data, you won’t understand what information you need to disclose to data subjects.
  • Provide individuals with information on how they can exercise their privacy rights, such as the right to opt in or out of data collection and to access, delete, or modify their personal data.
  • Listen to feedback. Are there easy ways for data subjects or stakeholders to connect with your privacy team? Are there common themes that you need to address in your policy for improved awareness?
  • Train employees on what data processing activities need to be cataloged and disclosed in privacy notices.
  • Develop notices and disclosures that are clear and accessible.