
The Foundations of Privacy Contracting

Privacy PowerUp Series #5

Businesses handle an enormous volume of personal data today, making privacy contracting a crucial aspect of data management. Understanding the intricacies of privacy contracting is essential for legal professionals, especially those working in privacy.

This article aims to provide a comprehensive guide to privacy contracting, focusing on Privacy and Security Disclosures, and Policies and Addenda.

Setting the stage: The goals of privacy contracting

Before getting into the specifics, start by understanding your overarching goal in privacy contracting. Whether you’re building a privacy program from scratch, or trying to keep a customer satisfied, the primary objective should always be to build trust.

Robust privacy agreements can establish and reinforce your brand’s credibility, while poor execution of these documents can erode trust.

Privacy and security disclosures

Think of Privacy and Security Disclosures as the exterior shell of your privacy program. These non-negotiable documents provide vital information on a company’s data protection practices.

Privacy policy

Also known as a Privacy Disclosure or Privacy Statement, this document explains how a company collects, uses, stores, and shares personal information. A well-crafted Privacy Policy should include:

  • Types of data subjects (website users, customers, partners, employees)
  • Types of information collected
  • How data is used and/or shared
  • Links for data subjects to contact the company or exercise their data subject rights

Sub-processors and affiliates disclosure

This disclosure provides information about the sub-processors and affiliates a company may share personal data with. It should include:

  • Sub-processor entity details
  • Location of the sub-processor
  • Purpose of data processing
  • Safeguards for data transfer (e.g., DPF, SCCs)
  • Data privacy representative/contact information

Technical and organizational measures (TOMS)

TOMS set out an organization’s privacy, security, governance, and compliance commitments. Key elements include (as applicable):

  • Encryption measures
  • Data center locations
  • Physical security controls
  • Third-party compliance audits
  • Access controls
  • Penetration testing
  • Data deletion, export, and return policies

Cookie policy

If your organization uses cookies, the Cookie Policy should provide detailed information about the types of cookies used (essential, analytics, content) and how data subjects can disable or delete certain cookies.

Policies and addenda

Once you’ve established a solid shell with your Privacy and Security Disclosures, it’s time to get into contracting. These agreements are pivotal in establishing or eroding trust with potential customers.

Data Processing Agreement (DPA)

A DPA is a legal contract between a data controller and a data processor. It outlines the rights and obligations of the parties involved in data processing.

Key clauses typically include:

  • Purpose of data processing
  • Type of data processed
  • Data processing instructions
  • Duration of data processing rights
  • Obligations of both parties

Acceptable use policy

This document describes prohibited uses of an organization’s services, content, output, or documentation. It includes:

  • Usage Restrictions
  • Prohibition of illegal, harmful, or offensive use
  • Rights to monitor and enforce prohibitions

Accessibility policy

For organizations with an online presence, this is where to showcase a commitment to the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA (if applicable).

Security addendum

Sometimes customers may require further commitments regarding an organization’s security posture. A Security Addendum usually includes:

  • Administrative safeguards (incident response, change management, background checks, etc.)
  • Technical safeguards (physical security, vulnerability scanning, network security, etc.)
  • Organizational safeguards (security program, third-party assessments, disaster recovery, etc.)

Business Associate Addendum (BAA)

A BAA is a legally binding contract that protects protected health information (PHI). Required under HIPAA when a Covered Entity uses a Business Associate to perform services involving PHI, it ensures that any party handling PHI adheres to specific standards to protect the data.

Ensure strong privacy contracting practices

Privacy contracting is not just about compliance; it’s about building and maintaining trust with your customers. By focusing on robust Privacy and Security Disclosures and well-crafted Policies and Addenda, you can establish a strong foundation for your privacy program.

Ready to refine your privacy contracting approach?

Discover Trust Center by TrustArc

Leverage a no-code solution that lets you unify, showcase, and streamline trust and safety information. You can create your own in days versus taking months to build one and make updates instantly. Take a tour of some of the features to see how easy it is to create a modern unified Trust Center!

Continue mastering the privacy essentials by reviewing all the resources in the Privacy PowerUp series.

Privacy Contracting Infographic

Save this infographic for a simple overview of the privacy contracting foundations.


PowerUp Your Privacy

Watch all ten videos in the Privacy PowerUp series – designed to help professionals master the privacy essentials.


Read the next article in this series: #6 Choice and Consent: Key Strategies for Data Privacy.

Read more from the Privacy PowerUp Series:

  1. Getting Started in Privacy
  2. Data Collection, Minimization, Retention, Deletion, and Necessity
  3. Building a Data Inventory, Mapping, and Records of Processing Activities (ROPA)
  4. Understanding Data Subject Rights (Individual Rights) and Their Importance
  5. The Foundations of Privacy Contracting
  6. Choice and Consent: Key Strategies for Data Privacy
  7. Managing the Complexities of International Data Transfers and Onward Transfers
  8. Emerging Technologies in Privacy: AI and Machine Learning for Privacy Professionals
  9. Privacy Program Management: Buy-in, Governance, and Hierarchy
  10. Managing Privacy Across the Organization
