Unless you only do things with data that would be blindingly obvious to people, it's the law to have one.
More than that, they are starting to become the subject of regulator attention having been in the shadows up to now, so they need to be right for your organisation.
Most organisations "get" this for their websites, but what about apps, instore, over the phone etc? In today's 'single-view' driven, big-data crunching world the same things happen to people's data regardless of channel, so you need one per channel.
The challenge is twofold. Firstly, how do you get the comms piece right for each channel? You can't use 4,000 words over the phone; you could on the web, but do you want to in any case?
Secondly, should you have one policy or multiple ones each tailored to their specific channel? The latter is seen by regulators as best practice, the former is far easier to manage in practice. If you approach it on the right basis, our view is that one policy can and will work.
2. Set out what you collect, and don't be economical with the truth
You can summarise areas which are complex, but be aware that this can creep into sweeping generalisations and look like a cover up without care. (This accusation has been levelled at Google's door).
Break things down as much as possible. Be specific. Put it all in there, however unpalatable.
Then get your best copy writers and PR people to structure it well and sell it positively (after all, this data should be driven at improving your services and customer benefits, not gratuitous snooping).
If you don't like what you are writing change your approach to people's data, not your policy.
3. Set out where you collect it from
Apply the same principles we set above.
4. Set out all of the purposes you use it for
Again, apply the same principles we set out above.
Regulators look at powerful "hidden" uses such as profiling, segmentation and data set combination because they can be intrusive (these areas are also being raised by the EU in challenging Google), so don't forget to consider what goes on behind your closed doors.
5. Treat it as a snapshot in time of what you do now
6. Review it and update it systematically
If you don't and it becomes materially inaccurate, you run the risk of effectively lying to your customers, which could land you in legal hot water: ever heard of the law of misrepresentation, or the OFT's views on being honest with customers? The link between these areas of law and data protection compliance is arguably a new, emerging factor but don't ignore it.
When it comes to update time, you will need a communication plan to get the message out and manage transition, and this should include seeking customer consent to any particularly new or novel or intrusive things you want to do. This may be a bitter pill to begin with but it is one you will probably have to swallow eventually. (If the EU change the law as intended in the not too distant future, consent is going to become king for most things privacy-related, so you will be better placed than most to comply).
7. Consider what other things might influence a customer's views on you
Common issues include security, international transfers, retention periods, your approach to complaints, individual's rights, and which regulators they can take things to if they are really unhappy. Consider putting your approach to such issues into your policy.
This kind of comfort language can help soften the message about what might otherwise look like a scary set of data and practices.
It also reinforces the messages you would want to send if a regulator or the media come calling.
The UK ICO have said they expect privacy policies to cover international transfers and retention periods. The former is relatively easy to do in principle; being specific is a lot harder. Take this statement and multiply it ten-fold for retention periods, which in a sophisticated organisation can be very, very complex. Our suggestion is you deal with them, but keep your comments high level.
8. Align your processes and practices
Strictly, your policy should represent them not the other way around, but some gaps and need for tweaks do normally arise. Make sure they are both 100% aligned, or at least that you have a proper plan of action to get there (oh and don't forget to execute it).
9. Keep it short and put it in plain English
Doing this is not easy given everything mentioned above. It will take some time.
It's not up there with price, product and service in importance, but it is inching a bit closer. Aim to give the customer a great experience. Make it simple. Be transparent. Use it to build trust.
Top 10 Tips For Getting Privacy Policies Right