CUST-19 Privacy Policy


What is CUST-19 Privacy Policy Control?

A “Privacy Policy” is a statement or legal document that states how an organization or website collects, handles, and processes the data of its customers and visitors. It is important to review the policy at least annually and update it. Privacy frameworks require that a notification be sent to customers whenever the policy is updated.

Every organization with a website typically has a “Privacy Policy” available on the website.

Available tools in the marketplace

Tools
No tool recommendations for this section

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

Control implementation

To implement this control,

  1. Work with legal counsel to document the privacy policy.
  2. Review the policy frequently.
  3. For Privacy frameworks and regulations (GDPR, CCPA, ISO 27701, etc.),
    1. Implement a process to send out update notifications to customers whenever the policy is updated.

What evidence do auditors look for?

At a minimum, most auditors look for the following suggested action:

  1. Provide a link to a privacy policy.

For Privacy frameworks and regulations (GDPR, CCPA, ISO 27701, etc.),

  1. Send out update notifications to customers whenever the policy is updated.

Evidence example

For the suggested action, an example is provided below:

  1. Provide a link to the privacy policy.
    Here is an example of the Privacy Policy at TrustCloud.

For Privacy frameworks and regulations (GDPR, CCPA, ISO 27701, etc.),

  1. Upload an example of an email notification of a privacy policy update.
    The following screenshot shows an email notification for the “Privacy Policy” update.
