- Information you Collect – Use this section to identify what types of information you are collecting about your user, and the categories it falls under. Identify the information provided to you by the user, and the information that you collect through automatic means – like cookies, traffic data, web beacons, location data, etc.
- Vendor Management – This section should outline how you hold your vendors and third parties to data security standards – by agreement or audit.
- De-identification Standards – This section defines any standards you’ve implemented for de-identification or pseudonymization of data.
- Industry-Specific Sections – Your industry may have specific requirements. For example, if you’re in healthcare, follow HIPAA. If you’re in finance, consider SOC 2 regulations.
- Governance – Outline how you internally govern your data privacy standards – including by use of a Data Privacy Officer, or third party compliance standard.
- How You Use Information – Use this section to let your users know, very clearly and in plain terms, how you’re using the information and data they are providing you with – and what legitimate business or legal purpose this serves.
- Disclosure of Information – Use this section to let your users know that you may disclose the aggregated information you collect about your users to third parties – such as subsidiaries, vendors, etc. – along with law enforcement in case of a court order, subpoena, or regulatory request.
- Accessing and Correcting Information – Use this section, and set forth corresponding procedures internally, to let users know that they can contact you or use built-in features of your website to access and correct the information you hold about them.
- Right to be Forgotten – Data Privacy Regulations like CCPA and GDPR mandate that your users have the right to be forgotten. Make sure you clearly write out that your users have this right.
- Enforcement Standards – This section should outline which enforcement authorities you report to, and the standards you hold yourself to.
Let us Help
Kader Law can help you navigate and draft information security and other policies. If you need legal assistance, feel free to contact us.
This post is not legal advice, and does not establish any attorney-client privilege between Law Office of K.S. Kader, PLLC and you, the reader.