Key areas to focus on during Data Privacy Posture assessments
Area 1: Transparency
· When personal information is collected from individuals, are they made aware of the uses for that information?
· Are individuals made aware of any disclosures of their Personal Information to third parties?
· Have we obtained individuals' consent for any secondary uses of their personal data which might not be obvious to them?
· Are our Personal Information collection practices open, transparent and up-front?
Area 2: Purpose specification
· Are we clear about the purpose (or purposes) for which we keep personal information?
· Are the individuals collecting/handling this information also clear about this purpose?
· Has responsibility been assigned for maintaining a list of all information sets and the purpose associated with each?
· Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
Area 3: Use and disclosure of information
· Are there defined rules about the use and disclosure of information?
· Are all staff aware of these rules?
· Are regulatory and country-specific Data Privacy rules taken into consideration before any use or disclosure?
· Are individuals aware of the uses and disclosures of their personal data?
· Has consent been obtained from individuals for the uses and disclosures of their personal information?
Area 4: Personal Information Security
· Is there a list of the security controls in place for each information set?
· Is someone responsible for the development and review of these controls?
· Are these controls appropriate to the sensitivity of the personal data?
· Are our computers and databases protected by access controls (e.g. password-protected), and encrypted where the sensitivity of the data warrants it?
Area 5: Accuracy and Update of Personal Information Stored
· Do we check our data for accuracy?
· Do we know how much of the personal data we hold is time-sensitive?
· Do we take steps to ensure our Personal Information is kept up to date?
· Do individuals have access/provisions to update the personal data we store about them?
Area 6: Retention time
· Is there a clear statement of the retention period for each information set?
· Are regulatory and country-specific Data Privacy rules taken into consideration before deciding the retention period?
· Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
· Do we have a policy on deleting personal data as soon as the purpose for which we obtained it has been completed?
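The last two questions in Area 6 only have a defensible "yes" if the purge can be run mechanically against the register of information sets from Area 2. The following is an added example, not part of the original checklist or of any of the frameworks credited below: it ties a constructed register (each information set with its purpose and an assumed retention period counted from the date the purpose was completed) to a set of constructed records, and returns what must be purged, what may be kept, and which records belong to no registered information set, so that nothing is silently kept or deleted without an owner and a purpose on file. All names, set names and retention values are hypothetical.

```python
"""Retention enforcement driven by a personal-data register (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class InformationSet:
    """One entry in the Area 2 register: what we hold, why, and for how long."""
    name: str
    purpose: str
    retention_days: int  # days the data may be kept after its purpose is completed


@dataclass(frozen=True)
class Record:
    """A row of personal data; purpose_completed_on is None while the purpose is active."""
    info_set: str
    subject_id: str
    purpose_completed_on: Optional[date]


# Hypothetical register; purposes and retention periods are assumptions, not
# values taken from any regulation.
REGISTER: Dict[str, InformationSet] = {
    "customer_accounts": InformationSet("customer_accounts", "provide the contracted service", 30),
    "staff_payroll": InformationSet("staff_payroll", "pay employees", 365 * 6),
    # retention 0: delete as soon as the purpose is completed
    "marketing_leads": InformationSet("marketing_leads", "direct marketing with consent", 0),
}

# Constructed sample records (not real data).
SAMPLE_RECORDS: List[Record] = [
    Record("customer_accounts", "c1", date(2024, 4, 1)),   # former customer, 61 days ago
    Record("customer_accounts", "c2", date(2024, 5, 20)),  # former customer, 12 days ago
    Record("customer_accounts", "c3", None),               # active customer
    Record("marketing_leads", "m1", date(2024, 6, 1)),     # purpose completed today
    Record("staff_payroll", "s1", date(2019, 1, 1)),       # former staff, still in retention
    Record("legacy_export", "x1", date(2020, 1, 1)),       # no register entry at all
]


def purge_candidates(
    records: List[Record], register: Dict[str, InformationSet], today: date
) -> Tuple[List[Record], List[Record], List[Record]]:
    """Split records into (purge, keep, unregistered) for a given reference date.

    A record is purged once today >= completion date + the set's retention period.
    Records whose information set is not in the register are neither kept nor
    purged automatically: they are reported so an owner and purpose can be assigned.
    """
    purge: List[Record] = []
    keep: List[Record] = []
    unregistered: List[Record] = []
    for rec in records:
        info_set = register.get(rec.info_set)
        if info_set is None:
            unregistered.append(rec)
            continue
        if rec.purpose_completed_on is None:
            keep.append(rec)  # purpose still active: retention clock has not started
            continue
        expiry = rec.purpose_completed_on + timedelta(days=info_set.retention_days)
        if today >= expiry:
            purge.append(rec)
        else:
            keep.append(rec)
    return purge, keep, unregistered


def run_example() -> Tuple[List[str], List[str], List[str]]:
    """Run the sample register against the sample records for a fixed date."""
    purge, keep, unregistered = purge_candidates(SAMPLE_RECORDS, REGISTER, date(2024, 6, 1))
    return (
        [r.subject_id for r in purge],
        [r.subject_id for r in keep],
        [r.subject_id for r in unregistered],
    )


if __name__ == "__main__":
    to_purge, to_keep, no_owner = run_example()
    print("purge:", to_purge)
    print("keep:", to_keep)
    print("unregistered (needs owner/purpose before any action):", no_owner)
```

The reference date is passed in rather than read from the clock so the job is reproducible in an audit; the "unregistered" bucket is the check that closes the loop with Area 2, since a retention rule cannot be applied to data whose purpose nobody has recorded.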
Area 7: The Individual Right of Access
· Do individuals have a means to access, and request updates to, the personal data we hold about them?
· Are there clear procedures in place for dealing with such requests?
· Do these procedures guarantee compliance with the requirements of the applicable data protection legislation?
Area 8: Data Privacy Awareness Training
· Do we have Data Privacy awareness training sessions for employees?
· Do we know the levels of awareness of data protection in our organisation?
· Is data protection included as part of the training / induction programme?
Area 9: Regulatory Compliance Visibility
· Do we have clear visibility over regulatory requirements and country-specific Data Privacy rules?
· Do we have a privacy framework defined for the organisation that addresses the requirements above?
· Do we have periodic assessments in place to gauge the Data Privacy Compliance Posture, with a continuous improvement process?
Courtesy: ISO/IEC 29100, DSCI Data Privacy Framework, GDPR and Data Protection - Ireland