"I'm an Attorney and a Certified IT Engineer."
– Chris Maes
- What data is being collected from your customers?
- Why is this data being collected?
- How can your customers access the data collected about them?
- How can this data be destroyed at the request of your customers?
- Is customer data shared or sold to third parties?
- Before data is collected, does a customer have to “opt-in”?
- How does a customer “opt-out” if they no longer want their data collected?
- Are security measures like data anonymization and encryption being utilized to protect customer data?
- What data needs to be collected for business operations?
- What data is nice to have, but not necessary for business operations?
- How long should data be retained before being destroyed?
- How should the data be destroyed to ensure it is irretrievable?
- Where is customer data stored and how is it accessed?
- Is the customer data secure while in transit and at rest?
- If the business is not following a cybersecurity framework, should it be?
As these questions demonstrate, privacy policies can be useful instruments for internal business operations as well.