Keeping Your Business And Clients Safe With Digital Policies
Digital workers, especially web designers and developers, need to recognize that policy influences their products online much as it does offline. Whatever the scale of our enterprise — whether a large corporation, small digital agency, software company or personal venture — we must work within this system of legislated regulations (what we simply call “policies”) in order to maintain our compliance with the law.
Every Business Needs Digital Policies
Our present regulatory environment is a world of rules we must navigate every day at the workplace, especially if we own a business. Why, then, should we expect the digital world in which we build websites and transact business to be any different? It isn’t — in fact, if anything, the regulatory environment on the web has grown more complex and codified in recent years, with new requirements arising quickly for accessibility (the UK in 2010), cookies (the EU in 2011), online privacy (the US in 2012), the right to be forgotten (the EU in 2014), the exporting of personal citizenship information (Russia in 2015) and so on. Keeping track of global legal requirements is not always easy. Some might even seem illogical to us, like the EU VAT law that affects software companies, but can pose a serious threat to our businesses.
Adherence to digital policy should be as fundamental as paying taxes for any company or individual that does business online. In my policy work over the past 15 years, I have witnessed that working in the digital space has just as many risks and liabilities as in the analog world. If you do not have and follow digital policies, you are putting your company, clients and income at risk.
Digital Policies Don’t Have To Be Difficult
If you are new to this, then the conversations on digital policies might sound very legal and strict. Don’t be afraid, though. We will give you some general hints and resources on how to approach digital policies and provide you with some basic knowledge so that you can discuss digital policies with an attorney, legal department or digital policies consultant.
To help you get started, we will cover:
- examples of what can go wrong if digital policies are not taken care of,
- types of digital policies,
- a digital policy template,
- how to navigate the constantly changing digital landscape,
- how to choose the right policies approach.
Digital Policies Govern Digital Business
Of course, not all companies are dismissive of digital policies. Some, especially small digital agencies and individual web practitioners, simply lack a frame of reference, because such policies fall beyond their day-to-day operational focus.
But, as they say, ignorance of the law is no excuse. Digital policies can directly impact a company’s websites, as well as its social media, mobile platforms, email marketing and online CRM, in setting forth those guidelines that ensure compliance with local, federal and even international laws and regulations. Simply consider the requirement to protect personally identifiable consumer information and the subsequent data-breach lawsuits against Target, Neiman Marcus, Adobe, Sony and LinkedIn because they didn’t have the proper protections. Or consider what geotargeting information a company can collect from users’ mobile devices for advertising purposes and the multimillion dollar fines that are levied against the likes of Capital One, Discover, American Express, Chase and GE Capital Retail Bank when there is non-compliance.
Of course, many organizations believe that they already “get” digital policies. After all, they have a link in the footer of their website indicating that they support website accessibility based on W3C policies. They might even have a privacy policy (as another footer link) in place. But this barely scratches the surface — digital policies encompass much more than just footer links on a web page. They should be programmatic guidance that is provided to, and used by, web workers globally.
The Real Risks
What happens if you decide to risk it and disregard digital policies altogether? If yours is an organization with a large and multifaceted global presence online, then you obviously present a more compelling target to regulators. In many of these cases, noncompliance can lead to the following:
- costly fines and legal suits. 2015 saw 45 accessibility-related lawsuits alone, including those against the National Basketball Association (NBA), Sprint, JC Penney and Home Depot.
- blockage of channels of sale Belgian-courts have ruled that ISPs can be required to block commercial websites that violate copyright laws.
- shutdown of digital operations China shut down Apple’s online book and movie services earlier this year for non-compliance with localization and ownership requirements.
- loss of brand reputation, market share and public credibility IKEA dropped its lifestyle website in Russia in 2015 over fears the government would consider it a promotion of gay values to minors, only to be met with public backlash and boycotts.
Even independent content writers and independent and small web shops can suffer consequences, such as a lawsuit or monetary fines, when clients invoke the liability waivers and indemnity clauses that are standard parts of contracts.
A Digital Policy Checklist
While usually small in number (ranging usually from 5 to 40 per organization), these digital policies set a clear direction for do’s and don’ts on a website and related digital channels.
Obviously, every company needs to decide which digital policies deserve their attention — and, conversely, how risk-averse they are with the ones they intend to ignore. Still, from my experience, the following is a good basic list that every company should review:
- accessibility
- branding
- cookies and tracking
- children’s privacy (COPPA)
- copyright and protection, intellectual property and trademarks
- data breach notification (legally required notification to users when security breaches occur and personal information is lost or stolen)
- data encryption and transfer, data localization
- data privacy, and protection of personally identifiable information and health information
- digital records management
- shareholder notification (legal requirement for shareholder or stockholder annual information, including meeting notifications, to be posted on a website or announced in a digital channel)
- language and content localization
- anti-spam laws, including those for email marketing
- appropriate and prohibited content
- digital rights management
- domain names, email addresses and social media accounts (defensive registration to protect a brand, or reservation of a digital asset to ensure that copyrights and trademarks are secured)
- online advertising and promotion
- social media (personal and corporate)
The digital policies your company chooses to adhere to will depend on several variables:
- industry. For example, pharmaceuticals will have different requirements than banks.
- business sector. Sectors include commercial, business-to-business, governmental and not-for-profit.
- location. This includes the geographical location of your website (domain country), as well as the geographical location of the users with which your content is associated. The requirements that drive compliance in website development and management may be extensive, with many permutations possible.
- digital platforms. Web, mobile, CRM and social each has its own unique policy requirements. Compliance can quickly get more complex when you’re operating on a mobile platform that is available in several countries, each of which maintains its own set of policy requirements (privacy, geotargeting and so on).
For a web design agency or a small web development shop, the list will likely be short, mainly focused on policies related to accessibility, cookies and privacy. When you’re working with clients, that list will grow depending on the goal of the website, microsite, social media campaign or mobile application. Data storage and handling, tax collection for e-commerce websites and security policies are likely to be amongst the first ones to consider. Consult quickly with a policy expert or digital lawyer, and address the requirements with the client, because they might not be aware of them.
Later in this article, we will learn who is accountable for making sure that regulatory and legal requirements are identified, that policies are created and disseminated and that compliance is measured. But if you immediately envision pages and pages of legalese when you think about digital policies, you are in good company because, in the past, many policies were written as legal documents that were not easily understood by mere humans, including web workers.
A Digital Policy Template
Good policies tend to be brief statements (two pages maximum) that content creators and editors, web developers and even non-webbies can understand. They should generally contain the following information, written in plain, everyday language:
- name of policy
- policy statement (i.e. what you should always or never do online, stated as fact, not as a guideline or best practice)
- rationale (i.e. an explanation of why you should follow this policy)
- source From where does the policy stem, and on what authority do you invoke the policy?
- related standards Because the policy only states the “what” aspect of compliance, supporting standards should be available to explain how to comply with the policy.
The structure of the policies is important, but where and how the policies are stored is even more crucial. Establish a central repository that is easily accessible by those who have to comply with the policies, make it searchable, and generally consider the policies’ audience as a stakeholder group, applying basic UX principles. In other words, policies should not be stored as a PDF file on a shared drive or be scattered across an organization’s Intranet.
A typical policy statement should be short and to the point. For example, an accessibility policy statement might read as:
"All new and redesigned digital properties — whether web or mobile applications — published by the organization or one of its department after the effective date of this policy must conform to the Web Content Accessibility Guidelines (WCAG) 2.0 Level AA standards. All legacy digital properties published prior to the effective date of this policy must conform to these accessibility standards as they are updated or edited. Instructions on what standards must be implemented are available in the Accessibility Standards section of the Digital Resource Hub. Progress toward achieving and maintaining fully accessible digital properties must be documented in every department’s annual digital status report that is submitted as part of the budget request."
This particular policy should link to related accessibility standards, such as those for:
(The related standards don’t have to be external, such as these ones from the W3C, linked to above. Policies may link to the organization’s internal standards as well.)
The policy should provide an effective date, a date when the policy should be reviewed to determine whether it is still relevant or requires an update, a point of contact (such as a corporate accessibility steward), and a metrics statement, such as the following:
"Use an automated tool to scan digital properties for accessibility compliance, and report on a monthly basis to business owner’s compliance rates. Report accessibility compliance rates to the management sponsor on a quarterly basis."
Knowledge Is Leverage
To minimize risk, digitally facing companies and the agencies and developers that support them must learn to embrace the constant learning curve with global digital policies. External policy changes can be sudden and swift, as with the recent data-localization requirements in Russia or the EU-US Data Transfer Framework. Other entities can develop guidance but leave precise requirements in limbo, as has been the case with the US Food and Drug Administration in finalizing requirements for pharmaceuticals in social media.
Of course, digital policymaking also occurs internally, especially in larger companies. Such policies can result from technology changes, the lessons learned from other digital or web projects, or recent projects or initiatives that have uncovered the need for new or updated practices. Many of the more typical digital policies, such as those for branding, quality and ownership of content, are issued from an organization’s marketing department or from individuals who make up the web operations team.
While we are almost 30 years into the existence of the web, our collective awareness of the risks that come with its use and the policies necessary to curb those risks is still immature. There is no central resource to guide digital workers and agencies through the policy maze, but you can keep on top of many topics if you do a few things:
- Read blog posts by digital policy experts and associations, such as Lainey Feingold, Dechert LLP, SIIA and Hunton & Williams.
- Set your news alerts for key policy topics, such as data breaches, data localization, international data transfers, accessibility and data privacy.
- Zero in on trends via Twitter by following policy commentators such as Andrea Siodmok, Adonis Hoffman and, of course, me, Kristina Podnar.
- Keep an eye on news outlets such as Digital Trends, ComputerWorld and CIO Magazine.
Choosing The Right Digital Policy Approach
Faced with such complexity in compliance, how does a company improve and maintain its digital policy IQ? Organizations that manage policies in a mature manner usually employ a digital policy steward, who would be assigned several responsibilities:
- Identify the current spectrum of digital policies and assess the nuances of their risk potential. For a web design agency or small web business, the greatest risk is likely having its own online presence compromised; so, a focus on data collection, privacy, storage and transfer, and breaches might be most appropriate. If your website only has content, without any transactional support, then perhaps the biggest focus will be on information collected through your analytics software and how you manage that information based on your country of operation. The possible risks and associated policies will grow quickly if the web design agency or small web business performs work for clients — there again, assess risks based on the type of website or digital channel, and focus on policies to mitigate the greatest of risks.
- Monitor how digital policy trends are changing in their market, while communicating with their digital leadership to determine appropriate organizational positions on a specific topic. This means having someone with a legal bent or an appreciation for risk paying attention to what is happening in the industry and what impact such trends might have on the organization. For example, when LinkedIn was recently compromised by the data breach, there was significant focus on having users reset their LinkedIn passwords. Companies that use LinkedIn as an authentication source for users would have reacted quickly if they had someone thinking about the risks associated with single-source authentication and had a policy in place. But, as we saw, companies such as Citrix missed the risk, which led to secondary data breaches.
- Inform internal digital stakeholders, including content creators and developers, while disseminating appropriate policies throughout the organization.
- Work with various subject matter experts and policy authors throughout the organization to define and document appropriate policies.
- Create an internal program for integrating these policies into online operations.
Small digital agencies and individual designers who lack such in-house support should consult with their client’s privacy officer or legal department for insight into potential digital policy issues. And if your team is limited in resources or funding, you can always work with a digital policy consultant to identify the key policies and risks for your organization, attend an industry workshop on digital policies, such as the one offered by The Foundry, or refer to online resources, such as Digital Context Next.
Compliance As A Competitive Advantage
Digital policies should be viewed through not only the lens of risk, but also the lens of opportunity. Companies that align themselves closely with digital policies, which in turn leverage their digital presence (say, through branding), stand to gain a distinct competitive advantage. Consider Intel, which has furthered its brand globally by aggressively stating requirements inside and outside of the organization; or the State Revenue Office of Victoria, which has emphasized accessibility and has achieved AAA compliance with the WCAG; or the Guardian, which has instituted a very simple yet strong online comment-moderation policy, one that has positioned it as a global leader in the space.
In today’s burgeoning digital market, every company stands to lose by avoiding alignment with digital policies. By the same token, you have even more to gain by incorporating those policies into an overall long-range strategic plan for your digital enterprise. By doing so, you will add value by protecting your executives, your organization, your clients and yourself from the types of lawsuits, fines and brand risks raised in this article. By complying, you’ve ensured that your home on the web remains secure.
When creativity is balanced with guidance — the real goal of these policies — then digital workers are freer to innovate and work more efficiently than in other organizations.
Further Reading
- Are We Thinking About Digital All Wrong?
- All You Need To Know About Customer Journey Mapping
- How To Make Yourself Redundant
- How To Spark A UX Revolution