A survey published this month by DataGuidance, a global provider of data compliance resources, shows a dismal state of IT privacy policies for online companies. In fact, the survey found that 23 percent of online companies had no privacy policy at all, and of those that had policies in place, a third raised concerns about readability (translation: the policies were difficult to decipher for someone not fluent in legalese).
Notably, the survey also found that small and mid-sized businesses tend to perform worse than larger corporations, which may not come as a surprise to any IT business owner who's tried to construct a privacy policy while juggling about 3,000 other projects on any given day.
Here's a look at how the IT privacy policy survey found its data and what its results mean for owners of small IT firms. (Read more on data privacy in the article "Data Security Remains Top Concern about Cloud Computing Options.")
Too Many Businesses Using Generic IT Privacy Policy Templates
One key finding of the "privacy sweep," which involved investigators browsing websites to check privacy policies against a set of standards, was that many online companies posted policies that seemed to come directly from a generic IT privacy policy template. In other words, companies are using boilerplate language without any modifications to take into account…
- State or federal data privacy laws.
- Data usage or functions specific to a company or its website.
While it's certainly understandable why tech professionals would turn to IT privacy policy templates to save time and money, it's equally important to recognize that a generic information security policy might not be much better than no policy at all.
Why? In part because of how information protection laws work in the U.S. At present, the only data privacy laws that exist at the federal level are those outlined by HIPAA, which regulate businesses in the healthcare sector. For everyone else, data privacy is regulated by a patchwork of state laws. And if you serve clients in more than one state, you may be required to adhere to info security laws in multiple jurisdictions.
Still, there's no getting around the time issue: many IT professionals (including independent contractors, computer consultants, and those who run small IT businesses) simply don't have the time to build a detailed, legally sound privacy policy from the ground up - and they don't have the money to hire a lawyer to do the job for them.
The simplest solution is to take a hybrid approach: owners of tech firms can start with a boilerplate (such as this free privacy policy template), then adjust it to account for the specific services and products they offer. Once they have a working draft, they can hire a lawyer to help with revision and finalization.
This approach helps ensure that a privacy policy both meets legal muster and adequately addresses relevant laws and the specific services offered by a given company.
Writtten by Brenna Lemieux - check her out at Google+ or Twitter
