CUST-19 Privacy Policy

What is this control about?

A Privacy Policy is a statement or a legal document that states how a company or website collects, handles and processes data of its customers and visitors. It is important to review the policy at least annually and update it. Privacy frameworks require that a notification is sent to customers whenever the policy is updated.

Every company with a website typically has this available on the website.

Available tools in the marketplace

Tools:
 No tool recommendations for this section.

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

Control implementation

Work with legal counsel to document the privacy policy.

Review the policy frequently.

For Privacy Framework & regulations (GDPR, CCPA, ISO 27701, etc.)

  • Implement a process to send out update notifications to customers whenever the policy is updated

What evidence do auditors look for?

Most auditors, at a minimum, look for the suggested action below:

  • Provide a link to the privacy policy

For Privacy Framework & regulations (GDPR, CCPA, ISO 27701, etc.)

  • Send out update notifications to customers whenever the policy is updated

Evidence example

From the suggested action above, an example is provided below.

  1. Provide a link to privacy policy.

TrustCloud example of privacy policy

For Privacy Framework & regulations (GDPR, CCPA, ISO 27701, etc.)

  • Upload example of email notification of privacy policy update.

Example of an email notification of a privacy policy update

Google search

