It’s Risky Out There without Digital Policies

by Kristina Podnar

Almost every day, somebody makes headlines for a digital misstep: a data breach, an inappropriate comment on social media, online content that cannot be used by individuals with disabilities, etc.

If you’re like a lot of business leaders, you may think, “We would never do that.” But unless you’re a one-person business, your good intentions aren’t enough to prevent someone else in your company from making an embarrassing — and potentially costly — mistake. The only way to accomplish that is to have a sound digital policy program — guidance that spells out exactly what your company’s employees can do, must do and must never do online.

What should a company’s digital policies cover?

The last time I tried to answer that question, I ended up writing a book. But to put it simply, a business’s need for digital policies depends on things like the size of the business, whether it operates internationally or only in the United States, the business sector, etc.

However, there are some policies that are not optional; they apply to everyone. A few such policies are:

  • Accessibility
  • Security
  • Privacy
  • Regulatory/Compliance

Let’s start with accessibility and take a look at what a basic digital policy might look like.

Courts have ruled that the Americans with Disabilities Act applies to digital spaces as well as to physical ones. That means that a business’s website, apps, etc., must be usable by people with vision, hearing or other challenges.

First, the website should include a statement that expresses the business’s commitment to accessibility and provides contact information for people who experience difficulties while the business is working toward that goal.

Actually achieving accessibility means making some specific changes to the site’s current digital properties, as outlined in the sample policy below:

Sample policy: “Our company is committed to making our digital properties accessible to everyone. To achieve that goal, all of our digital content must meet these minimum guidelines:

  • All videos will include captioning.
  • All images will include descriptive alt-tags.
  • All content will be navigable by someone using only a

That’s a basic accessibility policy. But how does a business make sure that the employee creating a new blog post or email copy knows and follows the rules?

Ideally, businesses want to make it easy to follow the rules; they try to avoid complex processes that make employees’ jobs harder. For very small businesses, putting sticky notes on employees’ monitors might do the job just fine. For my larger clients, I recommend taking advantage of technology to incorporate policy compliance into the content creation process. One option, for example, is configuring the content management system to include a checklist that content creators must complete before they can press “Submit”:

  • Does this piece of content require an accessibility statement? (A blog post on an existing page may not, for example.) If so, has it been included?
  • If this piece of content includes video, has captioning been provided?
  • If this piece of content includes images, have descriptive alt-tags been added?

Once the employee confirms that all those requirements have been met, the content can be submitted.

Now, let’s move on to some other areas. Instead of giving a sample policy for each, I’m going to suggest some specific things to consider when developing those digital policies.

When it comes to security, the list of things to consider is almost endless, but here are some of the most important:

  • How often users must update their login information
  • How quickly updates and patches must be implemented
  • Criteria for resolving requests to access sensitive data
  • The physical location of servers as well as security measures preventing unauthorized persons from accessing that site
  • How often data will be backed up and where those backups will be stored
  • How long different types of data will be retained and when/if they will be deleted
  • Rules regarding the use of personal devices (For example, can employees use personal USB drives with company computers?)
  • How potential partners will be vetted for security risks and how security requirements will be incorporated into contracts
  • How breaches will be handled (mitigation, notification, operational recovery, etc.)

And that’s just scratching the surface!

Data is the fuel that drives business success. From cookies to third-party trackers and website beacons, businesses depend on the data they collect to decide what to sell, who to sell it to, and where to reach them.

However, consumers are expressing increased concern about their loss of privacy. Governments around the world are responding with privacy legislation like the EU’s General Data Protection Act and, in the U.S., the California Consumer Privacy Act.

Those changes are having a profound effect on the way businesses engage their customers. For example, it used to be considered a best practice for a business to use gated content to collect email addresses and then add them to its marketing lists. Today, that’s risky business. Complying with privacy laws while identifying the target market — not to mention meeting consumers’ demand for personalization — is a huge challenge.

As for digital policies addressing privacy, they should cover things like:

  • What types of data the business will collect (Hint: There should be a clear business need for each.)
  • How the business will obtain consumer consent when needed, as well as how it will maintain proof of that consent
  • How employees must handle sensitive data (For example, can an employee send a screenshot of a consumer’s purchase history to another employee?)
  • How that data will be protected and what the business will do if it is compromised during a breach

Again, that is only a sampling!

It’s even harder for regulated businesses like healthcare. It’s an incredibly innovative industry, with some providers now using things like apps and video consultations not only to streamline healthcare, but to make it more personal and more individualized. But that involves sending extremely sensitive personal information through cyberspace. I think one of the biggest challenges for healthcare innovators over the next few years will be figuring out how to do that without violating any privacy regulations.

Companies that operate internationally have the additional challenge of meeting multiple sets of laws. For example, the U.S. is one of the few countries that allows pharmaceutical companies to advertise directly to consumers. So businesses in that industry have to decide how to handle that issue on their websites. Some do it by asking visitors to provide their location, and that information determines the content that will be displayed.

Other regulatory issues for a business to consider when developing digital policies include:

  • How to stay up to date on regulations in all countries where it operates
  • How to make decisions regarding the risk versus opportunity of bringing the company into compliance with a particular country’s laws (Will it come into compliance, take the risk of remaining noncompliant, stop doing business in that country, etc.?)
  • What steps to take to prevent front-line digital workers from unintentionally violating regulations

Digital policies are as much a part of running a business as procurement, payroll, etc.

Some things are just part of doing business, and digital policies are no different. I encourage everyone to look at it this way: Any company that wants to stay in business should grow accustomed to balancing risks with opportunities. Developing digital policies means applying that same type of analysis to digital activities.

No business is too small to need digital policies, and the bigger the business is, the more complex the policies become. Managing all the various aspects of digital — some of which I can almost guarantee you’ve never even thought of — is like trying to untangle the world’s largest hairball, and it’s just going to keep getting bigger as technology evolves. 

Kristina Podnar is a digital policy innovator. The principal of NativeTrust Consulting, LLC, she has worked for more than two decades with some of the most high-profile companies in the world and has helped them see policies as opportunities to free the organization from uncertainty, risk and internal chaos. Podnar’s approach brings in marketing, human resources, IT, legal, compliance, security and procurement to create digital policies and practices that comply with regulations, unlock opportunity, strengthen the brand and liberate employees.


The author of The Power of Digital Policy: A practical guide to minimizing risk and maximizing opportunity for your organization, Podnar has a Bachelor of Arts in international studies, an MBA in international business from the Dominican University of California and is certified as both a Change Management Practitioner (APMG International) and a Project Management Professional (Project Management Institute).
