Governance: building the right policies
The privacy officer goes on vacation and nobody knows how to handle an access request? That is a sign compliance still lives in one person's head, not in written policies. Two documents, internal and public, give the team direction and demonstrate your diligence to the CAI.
Governance in one sentence: who decides what, with which documents, and how you prove it when things go wrong.
Internal (employees) vs public (clients, website)
| Internal policy | Public policy |
|---|---|
| Access to files, devices, remote work, email | Purposes, cookies, individual rights, privacy officer contact |
| Audience: employees, interns | Audience: clients, website visitors |
| Intranet, HR manual | Website footer, dated PDF |
Templates and web sections: SMB privacy policy, web privacy policy. HR: privacy and human resources.
Minimum governance content
Your policy does not need to be a hundred pages. It must cover the essentials:
- Privacy officer: role, contact details, how to reach the person (privacy officer profile).
- Data lifecycle: collection, retention periods, destruction (data lifecycle).
- Incidents: who alerts whom, register, CAI notification if required.
- Individual rights: access, rectification, portability, consent withdrawal (individual rights).
- Training: minimum employee awareness (training).
Keep documents current without overload
The enemy is not updating. It is the 2019 Word document nobody dares to reopen.
- Visible version date: e.g. "Updated May 15, 2026" at the top of a PDF or in the website footer.
- Annual calendar review: even thirty minutes; mandatory revisit after any new CRM, HR tool, or marketing platform.
- One-line history: "2026-05-15: added cookies section" is enough for an SMB.
- Site aligned with the policy: after every tool change, check the banner, forms, and privacy officer mentions (technical scan).
In brief
A policy nobody reads protects nobody. Keep it short, dated, and tied to concrete actions (register, training, incident procedure). That is your lever when leadership asks "where are we with Law 25?"
Useful references
- CAI, Protection of personal information: governance and transparency expectations.
- Privacy officer: role and publication of contact details.
- SMB privacy policy: structure of the public document.
This text is for information only and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.
Check your website
Several obligations show up on your public site (policy, cookies, privacy officer contact). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.