March 26, 2018

The Pitfalls of Having Outdated Privacy Policies & Untrained Staff!

Failure to manage outdated privacy policies is more of a problem than you realize.

If you’re in business, chances are you have some type of client information stored in digital or hard files.

Processing orders for products and services most often requires full names, addresses, credit card information and other customer profile data.

Employees have to supply their social security numbers for tax documents and payroll.

Some companies even request customers’ SSNs as identification whether it’s necessary or not.

The problem is that compromised information is more than an inconvenience for you and your customers.

If someone hacks client, business, or employee information, you become liable for the damages.

You will lose customers, the strength of your brand, and may even become the defendant in lengthy lawsuits, all of which cost your company money and opportunities.

Strengthening your privacy policies is a core step in your data security strategy.

The next step is getting untrained staff where they need to be to help in the fight against security breaches.

Privacy Policy Requirements

Rules on privacy policy in the United States aren’t cut and dried.

There are different privacy policies each company must maintain depending on the type of information they collect from clients and store in their systems.

Outdated privacy policies and untrained staff are unacceptable for medical, insurance/financial, auto, education and web companies.

Even if your industry doesn’t fall in those categories, follow suit as a protection measure for the business and clients.

Federal Trade Commission (FTC) Fair Information Practice

The FTC has organized some best practices for privacy policies in the US, based on laws they have in place to protect customer information.

They’ve extracted requirements from the following policies to give you guidelines on how you should handle sensitive information and privacy policies within your company:

While many of the practices focus on websites and online companies, it’s a foundation for all companies to follow in an effort to protect their data and clients.

Here’s a summary of what you should do to comply with the FTC Fair Information Practice:

- At a minimum, notify users when you collect their personal information and how you plan to use it.

- Give customers a choice about whether you may continue using their information or in what manner you have permission to use it.

- Customers should have the right to see any of their information you’re using or storing.

- Make it easy for customers and employees to view and access company privacy policies.

- Post privacy policies at a specific location within your store or office and have a clearly visible link to privacy policies online.

Advantages of Having Your Privacy Policy Documented and Your Staff Trained

Even if you don’t feel privacy policy requirements apply to your business, it’s critical to have them in place.

All it takes is an update from legislation to put your business at risk of penalization for non-compliance.

It’s always wise to protect your company from regulations and customer legal action.

Those are the top reasons to review and adjust outdated privacy policies, but there are other advantages:

Steps to Create or Update your Privacy Policies

The Federal Trade Commission has strategic steps they advise companies to use when composing or updating privacy policies:


Step 1: Review documents to get an account of the sensitive data you’re storing in digital or hard copy format.

Work with the entire company to gather information on what documents you have.

Start with breaking it down by department to question each area on how they receive and use information and what they have.

From there, account for data on all systems including laptops, desktops, tablets, phones, drives, disks, copiers, cash registers, portable merchant devices (Square or PayPal Here swipe) and any other digital devices.

Review your storage or filing system to document the type and amount of hard data you have.


Step 2: Purge documents, keeping only what you need to complete business functions.

Even if you need to use certain information to complete services or transactions, decide if you can get rid of it once you complete the transaction.

For instance, you don’t need to store credit card information unless clients agree to set up a recurring draft for repeat services.

If you’re required to keep documents on file for a certain period, like tax documents or credit reports, make a note of the date and time you can get rid of them.

Use this as an opportunity to create a new system for collecting and/or storing only necessary information.


Step 3: Secure information you do need to keep in your system.

Only allow staff to access personal information as needed to complete their duties.

Beef up security for all areas where you transport, store, and manage sensitive information.

Encrypt email and fax communications, and keep virus and malware protections updated.


Step 4: Destroy information you don’t need, using a secure data destruction and paper shredding service.

Once you’ve separated the necessary from the unnecessary information, don’t just toss it in the garbage.

Hard drives retain some of the most critical data that criminals can access to steal confidential details.

Use a certified company that can securely manage destruction of sensitive documents in all forms.


Step 5: Create a plan to prevent or minimize data security problems and add it to your risk management strategy.

Now is the time to fix outdated privacy policies or create a new one.

You also need to have definite action steps the company should follow in the event of a data breach. Having the right security and updated office technology solutions is paramount.

Outsource or DIY?

Some companies have the skills and expertise to handle privacy policies in-house.

Other companies may need to outsource to ensure all parts of the privacy policy are up to date and fit business needs.

Either way, you can start by reviewing a sample privacy policy to get an idea of what you’ll need to cover.

Once your company completes the updates, get an attorney to review the policy.

Training Staff on Privacy Policy Compliance

If you have untrained staff who don’t know the ropes of privacy policies, there are simple ways to implement a training program.

Management or HR can add to a training program they already conduct or they can start from scratch to create a separate privacy policy course.

Some main points you should include in your training materials are:

Avoid the Pitfalls of Outdated Privacy Policies and Untrained Staff

The most important takeaway is to communicate with customers through a strong privacy policy.

A part of that process is also upholding your duty to keep personal data secure.

Get rid of hard and electronic copies of outdated or unnecessary information.

A reliable shred team can help your company comply with privacy policies and limit exposure to identity theft and data breaches.

PROSHRED®, a paper shredding service with NAID certification, will professionally shred your confidential materials without ever leaving your site.

Contact us today to schedule an appointment!
