
Keeping Your Business And Clients Safe With Digital Policies

Digital workers, especially web designers and developers, need to recognize that policy influences their products online much as it does offline. Whatever the scale of our enterprise — whether a large corporation, small digital agency, software company or personal venture — we must work within this system of legislated regulations (what we simply call “policies”) in order to maintain our compliance with the law.

Every Business Needs Digital Policies

Our present regulatory environment is a world of rules we must navigate every day at the workplace, especially if we own a business. Why, then, should we expect the digital world in which we build websites and transact business to be any different? It isn’t — in fact, if anything, the regulatory environment on the web has grown more complex and codified in recent years, with new requirements arising quickly for accessibility (the UK in 2010 [1]), cookies (the EU in 2011 [2]), online privacy (the US in 2012 [3]), the right to be forgotten (the EU in 2014 [4]), the exporting of personal citizenship information (Russia in 2015 [5]) and so on. Keeping track of global legal requirements is not always easy. Some might even seem illogical to us, like the EU VAT law that affects software companies [6], but can pose a serious threat to our businesses.

Adherence to digital policy should be as fundamental as paying taxes for any company or individual that does business online. In my policy work over the past 15 years, I have witnessed that working in the digital space has just as many risks and liabilities as in the analog world. If you do not have and follow digital policies, you are putting your company, clients and income at risk.

Digital Policies Don’t Have To Be Difficult

If you are new to this, then the conversations on digital policies might sound very legal and strict. Don’t be afraid, though. We will give you some general hints and resources on how to approach digital policies and provide you with some basic knowledge so that you can discuss digital policies with an attorney, legal department or digital policies consultant.

To help you get started, we will cover:

  • examples of what can go wrong if digital policies are not taken care of,
  • types of digital policies,
  • a digital policy template,
  • how to navigate the constantly changing digital landscape,
  • how to choose the right policies approach.

Figure: Policies translate your organization’s risks, business objectives, and applicable laws and regulations into what you should and should never do in the online space. [7] (Large preview [8])

Digital Policies Govern Digital Business

Of course, not all companies are dismissive of digital policies. Some, especially small digital agencies and individual web practitioners, simply lack a frame of reference, because such policies fall beyond their day-to-day operational focus.

But, as they say, ignorance of the law is no excuse. Digital policies can directly impact a company’s websites, as well as its social media, mobile platforms, email marketing and online CRM, in setting forth those guidelines that ensure compliance with local, federal and even international laws and regulations. Simply consider the requirement to protect personally identifiable consumer information and the subsequent data-breach lawsuits against Target [9], Neiman Marcus [10], Adobe [11], Sony [12] and LinkedIn [13] because they didn’t have the proper protections. Or consider what geotargeting information a company can collect [14] from users’ mobile devices for advertising purposes and the multimillion dollar fines that are levied against the likes [15] of Capital One, Discover, American Express, Chase and GE Capital Retail Bank when there is non-compliance.

Of course, many organizations believe that they already “get” digital policies. After all, they have a link in the footer of their website indicating that they support website accessibility based on W3C policies. They might even have a privacy policy (as another footer link) in place. But this barely scratches the surface — digital policies encompass much more than just footer links on a web page. They should be programmatic guidance that is provided to, and used by, web workers globally.

The Real Risks

What happens if you decide to risk it and disregard digital policies altogether? If yours is an organization with a large and multifaceted global presence online, then you obviously present a more compelling target to regulators. In many of these cases, noncompliance can lead to the following:

  • costly fines and legal suits
    2015 saw 45 accessibility-related lawsuits [16] alone, including those against the National Basketball Association (NBA), Sprint, JC Penney and Home Depot.
  • blockage of channels of sale
    Belgian courts have ruled [17] that ISPs can be required to block commercial websites that violate copyright laws.
  • shutdown of digital operations
    China shut down [18] Apple’s online book and movie services earlier this year for non-compliance with localization and ownership requirements.
  • loss of brand reputation, market share and public credibility
    IKEA dropped its lifestyle website in Russia [19] in 2015 over fears the government would consider it a promotion of gay values to minors, only to be met with public backlash and boycotts.

Even independent content writers and independent and small web shops can suffer consequences, such as a lawsuit [20] or monetary fines [21], when clients invoke the liability waivers and indemnity clauses that are standard parts of contracts.

Figure: The higher the profile of your website or digital property (including its visibility to consumers) and the more countries the digital property targets, the higher the risks and need for associated digital policies.

A Digital Policy Checklist

While usually small in number (typically ranging from 5 to 40 per organization), these digital policies set a clear direction for the do’s and don’ts on a website and its related digital channels.

Obviously, every company needs to decide which digital policies deserve their attention — and, conversely, how risk-averse they are with the ones they intend to ignore. Still, from my experience, the following is a good basic list that every company should review:

  • accessibility
  • branding
  • cookies and tracking
  • children’s privacy (COPPA)
  • copyright and protection, intellectual property and trademarks
  • data breach notification (legally required notification to users when security breaches occur and personal information is lost or stolen)
  • data encryption and transfer, data localization
  • data privacy, and protection of personally identifiable information and health information
  • digital records management
  • shareholder notification (legal requirement for shareholder or stockholder annual information, including meeting notifications, to be posted on a website or announced in a digital channel)
  • language and content localization
  • anti-spam laws, including those for email marketing
  • appropriate and prohibited content
  • digital rights management
  • domain names, email addresses and social media accounts (defensive registration to protect a brand, or reservation of a digital asset to ensure that copyrights and trademarks are secured)
  • online advertising and promotion
  • social media (personal and corporate)

The digital policies your company chooses to adhere to will depend on several variables:

  • industry
    For example, pharmaceuticals will have different requirements than banks.
  • business sector
    Sectors include commercial, business-to-business, governmental and not-for-profit.
  • location
    This includes the geographical location of your website (domain country), as well as the geographical location of the users with which your content is associated. The requirements that drive compliance in website development and management may be extensive, with many permutations possible.
  • digital platforms
    Web, mobile, CRM and social each has its own unique policy requirements. Compliance can quickly get more complex when you’re operating on a mobile platform that is available in several countries, each of which maintains its own set of policy requirements (privacy, geotargeting and so on).

For a web design agency or a small web development shop, the list will likely be short, mainly focused on policies related to accessibility, cookies and privacy. When you’re working with clients, that list will grow depending on the goal of the website, microsite, social media campaign or mobile application. Data storage and handling, tax collection for e-commerce websites and security policies are likely to be amongst the first ones to consider. Consult quickly with a policy expert or digital lawyer, and address the requirements with the client, because they might not be aware of them.

Later in this article, we will learn who is accountable for making sure that regulatory and legal requirements are identified, that policies are created and disseminated and that compliance is measured. But if you immediately envision pages and pages of legalese when you think about digital policies, you are in good company because, in the past, many policies were written as legal documents that were not easily understood by mere humans, including web workers.

A Digital Policy Template

Good policies tend to be brief statements (two pages maximum) that content creators and editors, web developers and even non-webbies can understand. They should generally contain the following information, written in plain, everyday language:

  1. name of policy
  2. policy statement
    (i.e. what you should always or never do online, stated as fact, not as a guideline or best practice)
  3. rationale
    (i.e. an explanation of why you should follow this policy)
  4. source
    From where does the policy stem, and on what authority do you invoke the policy?
  5. related standards
    Because the policy only states the “what” aspect of compliance, supporting standards should be available to explain how to comply with the policy.

The structure of the policies is important, but where and how the policies are stored is even more crucial. Establish a central repository that is easily accessible by those who have to comply with the policies, make it searchable, and generally treat the policies’ audience as a stakeholder group, applying basic UX principles. In other words, policies should not be stored as a PDF file on a shared drive or be scattered across an organization’s intranet.

A typical policy statement should be short and to the point. For example, an accessibility policy statement might read as:

All new and redesigned digital properties — whether web or mobile applications — published by the organization or one of its departments after the effective date of this policy must conform to the Web Content Accessibility Guidelines (WCAG) 2.0 Level AA standards. All legacy digital properties published prior to the effective date of this policy must conform to these accessibility standards as they are updated or edited. Instructions on what standards must be implemented are available in the Accessibility Standards section of the Digital Resource Hub. Progress toward achieving and maintaining fully accessible digital properties must be documented in every department’s annual digital status report that is submitted as part of the budget request.

This particular policy should link to related accessibility standards, such as those for:

(The related standards don’t have to be external, such as these ones from the W3C, linked to above. Policies may link to the organization’s internal standards as well.)

Figure: Sometimes we can link to an existing standard, for instance WCAG 2.0. But very often related standards already exist within the organization. [26] (Large preview [27])

The policy should provide an effective date, a date when the policy should be reviewed to determine whether it is still relevant or requires an update, a point of contact (such as a corporate accessibility steward), and a metrics statement, such as the following:

Use an automated tool to scan digital properties for accessibility compliance, and report compliance rates to business owners on a monthly basis. Report accessibility compliance rates to the management sponsor on a quarterly basis.

Knowledge Is Leverage

To minimize risk, digitally facing companies and the agencies and developers that support them must learn to embrace the constant learning curve with global digital policies. External policy changes can be sudden and swift, as with the recent data-localization requirements in Russia [28] or the EU-US Data Transfer Framework [29]. Other entities can develop guidance but leave precise requirements in limbo, as has been the case with the US Food and Drug Administration in finalizing requirements for pharmaceuticals in social media [30].

Of course, digital policymaking also occurs internally, especially in larger companies. Such policies can result from technology changes, the lessons learned from other digital or web projects, or recent projects or initiatives that have uncovered the need for new or updated practices. Many of the more typical digital policies, such as those for branding, quality and ownership of content, are issued from an organization’s marketing department or from individuals who make up the web operations team.

While we are almost 30 years into the existence of the web, our collective awareness of the risks that come with its use and the policies necessary to curb those risks is still immature. There is no central resource to guide digital workers and agencies through the policy maze, but you can keep on top of many topics if you do a few things:

Choosing The Right Digital Policy Approach

Faced with such complexity in compliance, how does a company improve and maintain its digital policy IQ? Organizations that manage policies in a mature manner usually employ a digital policy steward, who would be assigned several responsibilities:

  • Identify the current spectrum of digital policies and assess the nuances of their risk potential. For a web design agency or small web business, the greatest risk is likely having its own online presence compromised; so, a focus on data collection, privacy, storage and transfer, and breaches might be most appropriate. If your website only has content, without any transactional support, then perhaps the biggest focus will be on information collected through your analytics software and how you manage that information based on your country of operation. The possible risks and associated policies will grow quickly if the web design agency or small web business performs work for clients — there again, assess risks based on the type of website or digital channel, and focus on policies to mitigate the greatest of risks.
  • Monitor how digital policy trends are changing in their market, while communicating with their digital leadership to determine appropriate organizational positions on a specific topic. This means having someone with a legal bent or an appreciation for risk paying attention to what is happening in the industry and what impact such trends might have on the organization. For example, when LinkedIn was recently compromised by the data breach, there was significant focus on having users reset their LinkedIn passwords. Companies that use LinkedIn as an authentication source for users would have reacted quickly if they had someone thinking about the risks associated with single-source authentication and had a policy in place. But, as we saw, companies such as Citrix missed the risk, which led to secondary data breaches.
  • Inform internal digital stakeholders, including content creators and developers, while disseminating appropriate policies throughout the organization.
  • Work with various subject matter experts and policy authors throughout the organization to define and document appropriate policies.
  • Create an internal program for integrating these policies into online operations.

Small digital agencies and individual designers who lack such in-house support should consult with their client’s privacy officer or legal department for insight into potential digital policy issues. And if your team is limited in resources or funding, you can always work with a digital policy consultant to identify the key policies and risks for your organization, attend an industry workshop on digital policies, such as the one offered by The Foundry [41], or refer to online resources, such as Digital Context Next [42].

Figure: Determine policies that apply. [43] (Large preview [44])

Compliance As A Competitive Advantage

Digital policies should be viewed through not only the lens of risk, but also the lens of opportunity. Companies that align themselves closely with digital policies, which in turn leverage their digital presence (say, through branding), stand to gain a distinct competitive advantage. Consider Intel [45], which has furthered its brand globally by aggressively stating requirements inside and outside of the organization; or the State Revenue Office of Victoria [46], which has emphasized accessibility and has achieved AAA compliance with the WCAG; or the Guardian [47], which has instituted a very simple yet strong online comment-moderation policy, one that has positioned it as a global leader in the space.

In today’s burgeoning digital market, every company stands to lose by avoiding alignment with digital policies. By the same token, you have even more to gain by incorporating those policies into an overall long-range strategic plan for your digital enterprise. By doing so, you will add value by protecting your executives, your organization, your clients and yourself from the types of lawsuits, fines and brand risks raised in this article. By complying, you’ve ensured that your home on the web remains secure.

When creativity is balanced with guidance — the real goal of these policies — then digital workers are freer to innovate and work more efficiently than in other organizations.

(md, il, al)

Footnotes

  1. https://www.gov.uk/rights-disabled-person/overview
  2. http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm
  3. https://www.ftc.gov/news-events/press-releases/2012/03/ftc-issues-final-commission-report-protecting-consumer-privacy
  4. http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf
  5. http://www.bna.com/russias-2016-data-n57982066291/
  6. https://rachelandrew.co.uk/archives/2014/10/13/the-horrible-implications-of-the-eu-vat-place-of-supply-change/
  7. https://www.smashingmagazine.com/wp-content/uploads/2016/07/digital-policies-ecosystem-large-opt.png
  8. https://www.smashingmagazine.com/wp-content/uploads/2016/07/digital-policies-ecosystem-large-opt.png
  9. http://www.bna.com/target-data-breach-n57982072561/
  10. http://www.bankinfosecurity.com/new-neiman-marcus-breach-authentication-must-change-a-8843
  11. http://searchsecurity.techtarget.com/news/4500257937/Lessons-learned-from-the-Adobe-data-breach
  12. http://www.pressherald.com/2016/04/06/settlement-approved-in-sony-pictures-data-breach/
  13. http://www.computerworld.com/article/3077478/security/linkedin-s-disturbing-breach-notice.html
  14. https://www.networkadvertising.org/mobile/NAI_Mobile_Application_Code.pdf
  15. http://www.thesearchmonitor.com/the-cfpb-card-act-and-importance-of-credit-card-monitoring/
  16. http://www.fredlaw.com/internet_technology_trademark__advertising_alerts/2015/12/28/1091/lawsuits_rise_blind_plaintiffs_sue_additional_retailers_for_website_accessibilityada_claims/
  17. http://www.lexology.com/library/detail.aspx?g=1f8a7c6b-02a1-4695-ae46-4ccd980f2174
  18. http://www.bbc.com/news/technology-36110425
  19. http://www.theguardian.com/world/2015/mar/13/ikea-drops-lifestyle-website-russia-gay-propaganda-fears
  20. http://www.poynter.org/2015/indemnity-clauses-leave-freelancers-open-to-lawsuits/341233/
  21. http://www.law360.com/articles/614158/travelers-blames-web-designer-in-bank-website-data-breach
  22. http://www.w3.org/TR/WCAG20-TECHS/H37.html
  23. http://www.w3.org/TR/UNDERSTANDING-WCAG20/navigation-mechanisms-refs.html
  24. http://www.w3.org/TR/UNDERSTANDING-WCAG20/media-equiv.html
  25. http://www.w3.org/WAI/ER/tools/
  26. https://www.smashingmagazine.com/wp-content/uploads/2016/07/WCAG-guidelines-large-opt.png
  27. https://www.smashingmagazine.com/wp-content/uploads/2016/07/WCAG-guidelines-large-opt.png
  28. http://www.bna.com/russias-2016-data-n57982066291/
  29. http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision-annex-2_en.pdf
  30. http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM401087.pdf
  31. http://www.lflegal.com
  32. http://www.crunchedcredit.com
  33. http://www.siia.net/blog
  34. https://www.huntonprivacyblog.com
  35. https://twitter.com/AndreaSiodmok
  36. https://twitter.com/adonishoffman
  37. https://twitter.com/kpodnar
  38. http://www.digitaltrends.com
  39. http://www.computerworld.com/article/3077478/security/linkedin-s-disturbing-breach-notice.html
  40. http://www.cio.com
  41. http://www.ilpfoundry.us/#what
  42. https://digitalcontentnext.org/public-policy/
  43. https://www.smashingmagazine.com/wp-content/uploads/2016/07/lists-large-opt.jpg
  44. https://www.smashingmagazine.com/wp-content/uploads/2016/07/lists-large-opt.jpg
  45. http://www.intel.com/content/www/us/en/trademarks/trademarks.html
  46. http://www.sro.vic.gov.au
  47. https://www.theguardian.com/technology/2016/apr/12/the-dark-side-of-guardian-comments


Kristina is a management consultant specializing in digital policy and standards. She regularly works with multinationals, government, and not-for-profit organizations to solve their digital governance and IT transformation challenges. Kristina runs digital governance workshops helping in-house teams implement digital policies and standards and achieve worry-free publishing.

Krinal Mehta
July 14, 2016 11:05 am

Hey Kristina, thanks for sharing the checklist. I was wondering, though, if the level of the company decides what level of policies they need. For e.g., could there be a more specific checklist for fintech startups? Thanks for the checklist, truly appreciate it!

Kristina Podnar
July 14, 2016 1:47 pm

Hi Krinal, glad you found the checklist helpful. The list provides policies to consider, but yes, a more specific checklist will be applicable to fintech startups (or any other vertical), and will vary amongst fintechs based on the geographical areas where you have a digital footprint. The maturity of the org (startup vs. mid-level vs. multinational) will also influence the list of policies that you should have in place. The point is to consider your vertical, areas of operations and tolerance for risk, and build/customize the checklist to suit your needs. The checklist should also change over time for your org, as you grow and evolve.
Anonymous
(undated)

I have been browsing online for more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. In my opinion, if all website owners and bloggers made good content as you did, the web will be much more useful than ever before.

3d-architectural-rendering.com
July 18, 2016 8:07 am

All good points. I also recommend getting risk-management-related business insurance and reviewing your existing liability policies.
