Communicate
Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
Governance Policies
Communication policies are established and communicated.
Are communication policies established and communicated?
Communication policies are reviewed and updated.
Are communication policies reviewed and updated regularly?
Data Processing Awareness
Mechanisms (e.g., notices, internal or public reports) to communicate data processing purposes, practices, associated privacy risks, and options for enabling individuals' data processing preferences and requests are established and implemented.
Does the organization have mechanisms (e.g., privacy policy) to communicate the purpose of data processing?
Is there a data subject request handling process that allows the organization to disclose the purpose of personal data processing?
Mechanisms to obtain feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and implemented.
Is there a channel to report privacy risks?
Does the organization have initiatives that encourage employees to identify privacy risks?
System/product/service design allows for data processing visibility.
Is transparency provided to the data subject during a processing activity?
Records of data disclosure and sharing are maintained and can be accessed for review or transmission/disclosure.
Are all data sharing activities recorded? Are they part of the data inventory?
Data corrections or deletions can be communicated to individuals or organizations (e.g., data sources) in the data processing ecosystem.
Does the process provide for correction or adjustment of personal data throughout its lifecycle?
Data provenance and lineage are maintained and can be accessed for review or transmission/disclosure.
Does the data inventory cover the entire lifecycle of personal data, including detailed collection records?
Impacted individuals and organizations are notified about a breach or privacy event.
Is communication to users impacted by a breach provided for in the incident response procedure?
Individuals are provided with mitigation mechanisms (e.g., credit monitoring, consent withdrawal, data alteration or deletion) to deal with the impacts of problematic data actions.
Does the data subject rights process provide for mitigation measures to deal with the impacts of problematic data actions?