One of the provisions in the ISO 29100 privacy framework is that the top management of an organization should “establish a privacy policy” that, among other things:

  • Provides an internal organizational framework for setting objectives,
  • Includes a commitment to satisfy applicable privacy safeguarding requirements,
  • Includes a commitment to continual improvement.

The privacy policy envisioned under ISO 29100 is not the same as the public-facing privacy notices posted on company websites, which explain to the public how personal information is collected, shared, and processed. Instead, it is an internal company policy that is communicated within the organization and governs how the organization will handle personal information. The privacy policy is designed to be supplemented by more detailed rules and obligations created internally by the various stakeholders.