Privacy policies should be reviewed once a year, at the same time each year. After each yearly review, the policy must be shared with all employees, who must acknowledge (through a click) that they understand and will abide by it. Preferably, the policies should be presented as a mandatory online course with a test all employees must pass.
The main way to make the policy forward-looking is to require that all information kept on customers can be segregated on an individual basis. In other words, if future privacy laws from a particular government affect a certain subset of information (for example, specifically social security numbers), the company will find them much easier to implement if its forward-looking policy already allows individual data segments to be selected for special handling.
© 2019 Praveen Puri
Praveen Puri is the Strategic Simplicity® expert who has delivered over $400 million in value. He helps clients "weaponize" simplicity and bridge the gap between strategy and execution. Visit PuriConsulting.com