Small Business Center

7 steps to developing a privacy policy with teeth


By Jeff Wuorio

Thanks to spammers, spyware purveyors, and others who seek to pilfer personal information for ID theft purposes, risking privacy is perhaps the biggest drawback to using the Internet today.

That customer wariness affects all businesses, not just online ones. If you gather information at all from your customers — and what business can afford not to? — you need to have an effective privacy policy in place.

Such a policy means more than just declaring that everything you know about both your customers and employees will forever remain under wraps. Here are seven guidelines to help you to develop a sound privacy policy, or possibly improve the one you have.

1. Know precisely where you are now. The first step in devising an effective and comprehensive privacy policy is reviewing what privacy parameters may already be in place. Check out what sort of data you collect, how it's gathered, where and how it's stored, and other elements pertaining to personal information. Do you use cookies, for example, for those who visit your Web site? Find out who in your company is gathering private information, and who all has access to it, says Mark Merkow, author of "The E-Privacy Imperative: Protect Your Customers' Internet Privacy and Ensure Your Company's Survival in the Electronic Age." "Who controls it and is it shared or disclosed to third parties in any way?"

2. Determine upfront what statutes may apply. What you put into your privacy policy may not be exclusively up to you. As the public's concern over privacy has grown, so has the number of formal government regulations dictating what elements certain privacy policies have to contain. If, for instance, your business deals in health care, you likely are required to comply with The Health Insurance Portability and Accountability Act of 1996 (HIPAA). See this site for more details. Likewise, if you're involved in financial matters, the Gramm-Leach-Bliley Act may mandate certain financial privacy requirements (do a search on the Federal Trade Commission site for more information). "Given the growing concern about privacy in America, there are more and more statutory requirements that define what certain privacy policies have to have in them," says David Simon, founder and president of WeComply, a Mt. Kisco, N.Y., company that offers employee training on privacy issues.

3. Give your customer specifics on how you will use their information. Tackle those issues that you're not obligated to mention, but are in your best interest to raise. As Harold Krent, dean and professor at the Chicago-Kent College of Law puts it, "There's certain information that it's strategically important to relay." Although privacy policies will differ significantly from one business to the next, here's a brief checklist of issues you should take into consideration:

4. Get an attorney or privacy specialist, if necessary, to draft or review your policy. Once you have a sense of what you want to include (and what you legally must include) in a privacy policy, start putting something on paper. You can try drawing up a privacy policy yourself; if you opt for this, it's prudent to have an attorney or an expert on privacy matters review it for potential holes. Likewise, you can hand off the task to a lawyer or privacy specialist. Additionally, don't forget the Internet for guidance on policy matters. For instance, TRUSTe and the Better Business Bureau offer useful guidelines of what sort of content you may wish to consider for your privacy policy.

5. Don't overlook employees in your privacy policy. For many, privacy policies are exclusive to clients and customers. But it may be just as critical to have written parameters on how you use personal information about your employees. Some companies choose to build employee privacy parameters into the same document that covers customers. However, if the issues are distinct enough (for instance, pertaining to guidelines specified under HIPAA), it may be more prudent to have an employee-specific privacy policy. Get advice here from an attorney or privacy specialist.

6. Appoint an employee to oversee privacy on an ongoing basis. Privacy isn't an issue of fluttering relevance. It's here to stay. And that, in turn, mandates ongoing attention on your part. If yours is a relatively modestly staffed company, that may mean adding privacy to an employee's existing regimen of responsibilities. But, if resources allow it, consider a privacy point person, one whose job is exclusive to looking after privacy issues. "A lot of companies now have chief privacy officers," notes Merkow. "But, no matter how you approach it, it's important to have someone looking after privacy matters."

7. Walk the talk. One final element to an effective privacy policy supersedes the paper on which it's written. If and when you have a privacy policy in place, move heaven and earth to make certain that you and any and all employees follow it to the letter. Again, an employee earmarked for privacy issues can make this task easier. But, even if it's a matter of holding weekly meetings to hammer home the importance of adhering to privacy policies, don't assume that a privacy statement breathes on its own. "It's also important to remember that it's more than an issue of legal compliance," says Simon. "Poor privacy practices can do serious harm to your reputation."

 
© 2009 Microsoft Corporation. All rights reserved.