Data Privacy Assessments – Key Areas

Area 1: Transparency
- When personal information is collected from individuals, are they made aware of the uses for that information?
- Are individuals made aware of any disclosures of their personal information to third parties?
- Have we obtained people’s consent for any secondary uses of their personal data which might not be obvious to them?
- Are our personal information collection practices open, transparent and up-front?
Area 2: Purpose specification
- Are we clear about the purpose (or purposes) for which we keep personal information?
- Are the individuals collecting/handling this information also clear about this purpose?
- Has responsibility been assigned for maintaining a list of all information sets and the purpose associated with each?
- Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
Area 3: Use and disclosure of information
- Are there defined rules about the use and disclosure of information?
- Are all staff aware of these rules?
- Are regulatory and country-specific data privacy rules taken into consideration before any use or disclosure?
- Are individuals aware of the uses and disclosures of their personal data?
- Has consent been obtained from individuals for the uses and disclosures of their personal information?
Area 4: Personal Information Security
- Is there a list of security controls in place for each information set?
- Is someone responsible for the development and review of these controls?
- Are these controls appropriate to the sensitivity of the personal data?
- Are our computers and our databases password-protected, and encrypted if appropriate?
Area 5: Accuracy and Updating of Personal Information Stored
- Do we check our data for accuracy?
- Do we know how much of our personal data is time-sensitive?
- Do we take steps to ensure our personal information is kept up to date?
- Do individuals have access to, and provisions to update, the personal data we store about them?
Area 6: Retention time
- Is there a clear statement on the information retention period?
- Are regulatory and country-specific data privacy rules taken into consideration before deciding the retention period?
- Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
- Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed?
Area 7: The Individual Right of Access
- Do individuals have access to, and provisions to update, the personal data we store about them?
- Are there clear procedures in place for dealing with such requests?
- Do these procedures guarantee compliance with the Act’s requirements?
Area 8: Data Privacy Awareness Training
- Do we have data privacy awareness training sessions for employees?
- Do we know the levels of awareness of data protection in our organisation?
- Is data protection included as part of the training / induction programme for our staff?
Area 9: Regulatory Compliance Visibility
- Do we have clear visibility over regulatory requirements and country-specific data privacy rules?
- Do we have a privacy framework defined for the organisation that takes the requirements above into account?
- Do we have periodic assessments to gauge our data privacy compliance posture, with continuous improvement in place?
Courtesy: ISO 29100 Standard, DSCI Data Privacy Framework and Data protection – Ireland