DEREK SMITH: Privacy policies and notices both boost data protection


Derek Smith

Data protection is of the utmost importance in today’s data-driven world. As technology advances and businesses collect more data than ever before, it is increasingly important to understand the difference between data privacy policies and privacy notices in order to protect individual rights and to maintain compliance with regulatory requirements.

Most data privacy laws now require websites to incorporate various information and transparency requirements into their privacy notices and policies. But is a privacy policy the same thing as a privacy notice? If not, how do the two differ? This article briefly explores the contrasts between them.

Privacy Policy

The purpose of a privacy policy is to give employees at data controllers or processors, who may handle or make decisions regarding the personal data of users, instructions about how to collect, use, store and destroy data in a compliant and correct manner, as well as about any specific rights the data subjects (users) may have. As part of a privacy policy, a company may also develop mechanisms for enforcing its privacy posture and establishing a system of checks and balances (including penalties) to ensure compliance.

Privacy Notice

In a privacy notice, a company informs customers, regulators and stakeholders about how it uses personal information collected from data subjects. The topics covered are the types of data processed, the lawful basis for processing, the transfer of data to third parties, and the time that data will be stored. Furthermore, it outlines users’ rights regarding their data and provides contact information for the company’s privacy teams, thus fulfilling transparency obligations.

Fundamental differences

Core audience: The privacy policy is intended for internal employees who have access to, or who manage, data. It gives those employees detailed instructions on how to handle personal information, and it should be developed and updated according to the latest applicable privacy regulations. Conversely, external users, customers and regulators are the intended audience for the privacy notice, which explains what data is collected, the rights of users and the company's data sharing practices. A privacy notice is typically based on a privacy policy.

Scope: Privacy policies specify the type of personal data and the stakeholders to whom they apply. On the other hand, a privacy notice explains to data subjects and other external stakeholders how the company commits to processing personal data securely and legally.

Key components: Privacy policies must define internal procedures, methods and standards for data collection, data processing, data retention, data security, data subject rights and compliance. Conversely, the key components of a privacy notice include transparency, accessibility, consent, the dates of updates to the notice, and specifics regarding data practices.

In conclusion, even though data privacy policies and privacy notices serve different purposes, both are vital in maintaining data protection and regulatory compliance. In order to create a trusted and secure environment for all stakeholders, companies must craft clear, concise and transparent documents that respect individuals’ rights and protect their personal data.

About Derek Smith Jr.

Derek Smith Jr. has been a governance, risk and compliance professional for more than 20 years. He has held positions at a TerraLex member law firm, a Wolfsberg Group member bank and a ‘big four’ accounting firm. Mr Smith is a certified anti-money laundering specialist (CAMS), and the assistant vice-president, compliance and money laundering reporting officer (MLRO) for CG Atlantic’s family of companies (member of Coralisle Group) for The Bahamas and Turks & Caicos.
