To understand the differences between the two vehicles, let us look at semantics.
A policy, as understood in the ISO family of management standards, such as ISO 9000 for quality management and ISO 27000 for information security management, is intended to outline and specify a set of standards within an organisation. It helps to clarify the organisation's objectives and sets out the practices that staff and other stakeholders must observe to reach those objectives. The common elements of a privacy policy are:
- the purpose of the policy, setting out the organisation’s privacy goals and delineating how the policy is meant to help the organisation achieve them;
- the scope of the policy, and to whom it applies;
- the risks and responsibilities, setting out the roles and responsibilities regarding privacy and data protection within the organisation, clarifying how violations of the policy affect compliance and the business, and stating how violations may be sanctioned by management, including the disciplinary action taken when staff fail to fulfil those responsibilities.
A notice, by contrast, is a statement. It is purely a means of communication that transparently informs the reader. A privacy notice is therefore the notice that a data controller uses to fulfil its duty to inform data subjects and its transparency obligations.
The common elements of a privacy notice are:
- information about the organisation and its contact details, including the Data Protection Officer (DPO) contact details when applicable;
- description of the personal data that is being processed by the organisation, how it will be used, for what purposes and for how long;
- the legal bases for processing, when applicable;
- information about the recipients with whom the organisation may share personal data;
- information about the data subjects' rights and how to exercise them, including information about the existence of automated decision-making, when applicable; and
- information about international data transfers and the safeguards in place, when applicable.
For instance, Articles 12 to 14 of the GDPR outline what information a data controller must provide to data subjects: what data it processes (data points), why it needs those data (purposes), how it legitimises their use (lawful basis), what rights can be exercised in relation to that processing, for how long it will retain the information, among other details.
In short, a privacy notice is the vehicle organisations use to provide transparency about the processing of personal data to data subjects and to comply with the information obligations set out in privacy laws and regulations. Its target audience is external to the organisation: the data subjects whose personal data the organisation processes. A privacy policy, on the other hand, is addressed inward, to the staff and stakeholders who must implement it.