What a Data Handling Policy Needs to Say

What data do you collect? Be specific: names, email addresses, payment information, device identifiers, location data, behavioral data. Vague language ("certain information") signals that you do not actually know.

Why do you collect it? For each data category, the legitimate business reason. "To process payments." "To send transactional emails." "To improve the product." Generic purposes are a red flag.

Where is it stored? Cloud provider, country, whether it is encrypted at rest. This matters when a customer asks — and customers increasingly ask.

Who can access it? Internal roles with access. Vendors and third parties who receive it. Whether you sell or share it (and with whom).

How long do you keep it? A retention period for each data category. "We keep it as long as necessary" is not a retention period.

A policy that exists but no one follows is worse than no policy — it creates an expectation you are not meeting. Publish the customer-facing version. Train anyone who handles personal data on the internal version. Review it every time you adopt a new tool or vendor that touches customer data. Set a reminder.

Every vendor you use that touches customer data is an extension of your data practices. Before signing up for any tool that handles personal information, ask: where does it store data, does it sell or share data with third parties, and does it provide a data processing agreement. If a vendor cannot answer these questions, that is your answer.

The Data Privacy Baseline Workflow walks you through building a data inventory and drafting a handling policy for your specific business situation.