Although it is common practice to approach privacy notice and privacy policy as the same, they are very different and serve different purposes. This article aims to define both privacy policy and privacy notice and to address their differences.
To understand the differences between the two instruments, let us look at semantics.
A policy, as understood in the ISO family of management standards, such as ISO 9000 for quality management and ISO 27000 for information security management, is intended to outline and specify a set of standards within an organisation. It helps to clarify the company's objectives and sets out the best practices that staff and other stakeholders should observe in order to reach those objectives.
Hence, a privacy policy is a document that outlines the organisation’s approach and best practices regarding privacy and data protection, setting the organisation’s privacy goals and strategies and defining the means of achieving them. This policy can reference other internal documentation about privacy and data protection practices. These might include handbooks, guidelines, standard operating procedures, manuals, job-aids, etc.
The format of the privacy policy will follow the organisation's standards; however, it should include at least (1):
The privacy policy must be published and communicated within the organisation, in order to ensure that all employees and stakeholders are aware of their responsibilities. Alternatively, this policy may be referred to as the data protection policy.
Therefore, the "privacy policies" that organisations publish on their websites in order to provide transparency to data subjects regarding the processing of their personal data are not privacy policies per se, since a privacy policy is an internal document that organisations use to structure their internal governance of privacy and data protection. What organisations actually publish on their website is a privacy notice.
A notice is a disclaimer. It is purely a means of communication that transparently informs the reader. Therefore, a privacy notice is a notice that data controllers use to fulfil their duty to inform data subjects and their transparency obligations.
The common elements of a privacy notice are:
For instance, Articles 12 to 14 of the GDPR outline what information a data controller must provide to data subjects regarding what data they process (data points), why they need that data (purposes), how they legitimise its use (lawful basis), what rights can be exercised in relation to that processing, and for how long they will retain the information, among other details.
The privacy notice may also be referred to as a privacy statement or even privacy policy, although the latter is not adequate.
In a nutshell, a privacy policy is an internal instrument that outlines the organisation's approach and best practices regarding privacy and data protection. Its target audience is internal, namely the organisation's staff and stakeholders, and it constitutes a data protection governance tool.
Meanwhile, a privacy notice is a notice that organisations use to provide transparency about the processing of personal data to data subjects and comply with the information obligations set in privacy laws and regulations. The target audience is external to the organisation: the data subject whose personal data is being processed by the organisation.
(1) IAPP, Privacy Program Management, p. 78.