Creating a strong privacy policy is one thing; making it user-friendly and able to keep pace with changing  technology is quite another. Speakers at Compliance Week's May 21 panel “Crafting Effective Privacy Policies” shared their suggestions for making policies manageable.

The panel included Allen Brandt, director of corporate counsel, data privacy, and security and chief privacy official for the Graduate Management Admission Council (GMAC), which administers the GMAT business school exam; Gretchen Herault, vice president of compliance and fraud prevention and deputy chief privacy officer at employment website Monster; and Jim Byrne, chief privacy officer of Lockheed Martin. Melissa Aguilar, a researcher at The Conference Board, moderated the discussion.

A few years ago, Brandt realized GMAC's policies were growing exponentially. Rules about items test-takers could bring to test centers, for example, swelled as policymakers listed more and more prohibited items.

“I got enamored with this concept of plain language,” Brandt said.

He streamlined the policy so it stated simply what test-takers can bring to the test. He also studied how people used GMAC's privacy policy: seeking specific information. Accordingly, he created five video segments, each featuring an employee discussing one aspect of the policy. After six months, Brandt said, 93 percent of users went straight to the videos instead of text.

With business in 110 countries, Brandt also faced local regulators, many of whom wanted their own individual policies. He began to push back on those requests, allowing separate sections for local laws only when necessary.

Monster also maintains a huge amount of sensitive information. Job-seekers' resumes alone contain millions of email addresses hackers would love to capture. Knowing customers are concerned about their data, Monster offers its privacy policy in multiple formats: short and long forms, FAQs, help text with clickable sections providing additional detail.

Monster also works hard to anticipate new uses of customers' information. With forward-thinking developers and a drive to stay ahead of competitors, Herault said, “We have tried to future-proof our privacy policy as much as possible.”

“[Developers are] coming up with all kinds of interesting ideas, some of which have some concerns from a privacy perspective, so we try to work very closely with them to anticipate any new uses of the data we have already collected so we can make sure it's covered under existing policy,” Herault said. “Rolling out a policy takes a long time, so the last thing we want to do is notify users of a change.”

Monster, like other companies, also wrestles with evolving technology¾mobile devices, social media, behavioral advertising¾where laws are still catching up.

“It's up to the privacy group to come up with the standard our company is going to meet…to ensure we're in compliance when the law is developed,” Herault said.

To craft a privacy policy that is useful as well as robust, such practical concerns may be just as important as the content itself.