The privacy policy is a critical component of any data privacy framework. Its primary function is to give a piece of public information about how a particular company collects information, how they use the information and in general, it details the end-to-end management of information received by a company. Yet, most Nigerian companies overlook the importance of this piece in their data privacy governance strategy.
Section 2.5 of the Nigerian Data Protection Regulation (NDPR) shines a light on the importance of having a privacy policy. It states that companies that collect and process data of customers must “display a simple” privacy policy that is comprehensible.
It is essential, therefore, for companies to create a clear and concise privacy policy that is free of jargons. Current research reveals that privacy policies on many Nigerian companies’ website are a convolution of idioms that makes no sense. In a recent chat with a Nigerian stakeholder, she argued that her Nigerian and international customers don’t read privacy policies.
But that’s a wrong way to look at privacy policy. The privacy policy is a document that shows that the company is serious about the data protection and privacy. It is not and should not be a generic document downloaded from the internet. If it’s not constructed well it can expose the company to legal and reputational damages.
A privacy policy shows how companies collect information. Inform customers if you collect their information via the web, through the telephone or a filled paper form.
What’s more, the privacy policy should also clearly state to the customer the third parties processors who process the information on behalf of the data controller.
This processes helps companies uphold the transparency principle, which shows that the company is open about how they manage data in their possession. If the paint on a house gives us a perspective about the house, then the privacy policy is that paint that provides the customer with the views of the company.
I must mention here too that companies must understand that the type of privacy policy they are writing. They must ask the critical question, who is our audience? Some privacy policies seem to be addressing employees and customers at the same time. The Data Protection Officer or privacy consultant representing the company should clarify who the privacy policy addresses.
If a company is trying to treat customers right, then the words within the privacy policy should send that message.
Privacy policies, according to the Nigerian Data Protection Regulation, must be clear. That is, the words in a privacy policy should not carry words that confuse customers.
I have mentioned in past articles how companies like Infinix phones and MTN present dangerous privacy policies. But, they are not the only culprits.
Other companies don’t even have privacy policies on their websites. For example, many insurance companies, health care services, and other companies don’t have a clear privacy policy. And yet, they collect information daily from Nigerians.
It is vital for companies to know the importance of privacy policies and especially understand who they are trying to address before they write these privacy policies. Overlooking privacy policies is not only putting the company in danger in terms of exposing them to privacy policy breaches but also tells much about the company. If a company can’t pay attention to their privacy policy, then how can customers be sure they will take care of their information safely and securely.
