Governance: building the right policies

The privacy officer goes on vacation and nobody knows how to handle an access request? That is a sign compliance still lives in one person's head, not in written policies. Two documents, internal and public, give the team direction and demonstrate your diligence to the CAI.

Governance in one sentence: who decides what, with which documents, and how you prove it when things go wrong.

Internal (employees) vs public (clients, website)

Internal policyPublic policy
Access to files, devices, remote work, emailPurposes, cookies, individual rights, privacy officer contact
Audience: employees, internsAudience: clients, website visitors
Intranet, HR manualWebsite footer, dated PDF

Templates and web sections: SMB privacy policy, web privacy policy. HR: privacy and human resources.

Minimum governance content

Your policy does not need to be a hundred pages. It must cover the essentials:

Keep documents current without overload

The enemy is not updating. It is the 2019 Word document nobody dares to reopen.

  1. Visible version date: e.g. "Updated May 15, 2026" at the top of a PDF or in the website footer.
  2. Annual calendar review: even thirty minutes; mandatory revisit after any new CRM, HR tool, or marketing platform.
  3. One-line history: "2026-05-15: added cookies section" is enough for an SMB.
  4. Site aligned with the policy: after every tool change, check the banner, forms, and privacy officer mentions (technical scan).

In brief

A policy nobody reads protects nobody. Keep it short, dated, and tied to concrete actions (register, training, incident procedure). That is your lever when leadership asks "where are we with Law 25?"

Useful references

This text is for information only and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.

Check your website

Several obligations show up on your public site (policy, cookies, privacy officer contact). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.