Identify
Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
Inventory and Mapping
Systems/products/services that process data are inventoried.
Does the organization have a personal data inventory?
Does the organization have an inventory of the systems used by the business processes recorded in the personal data map?
Owners or operators (e.g., the organization or third parties, such as service providers, partners, customers, and developers) and their roles with respect to systems/products/services and components (e.g., internal or external) that process data are inventoried.
Does the organization's data inventory list the third parties (suppliers or service providers) involved?
Is the role of each third party (supplier or service provider) as a processing agent described in the process?
Categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed are inventoried.
Does the personal data inventory identify the data subjects involved in each process (e.g., customers, employees, third parties)?
All actions performed with personal data by personal data processing activities are inventoried.
Does the data inventory cover the data actions or activities, i.e., does it include a description of the data processing?
Are the purposes of the personal data processing activities identified?
Does the data inventory record the purposes of the personal data processing activities?
Data elements in data actions are inventoried.
Is there an inventory of all data elements involved in the processing (e.g., ID, SSN, driver's license)?
Does the organization's data inventory cover all categories of data used by the processes (e.g., name, official documents, personal information)?
The data processing environment is identified (e.g., geographic location, internal, cloud, third parties).
Does the data inventory record the geographic location where the processing activities are performed?
Does the data inventory record the geographic location of the storage site of the systems involved?
Data processing is mapped, illustrating data actions and associated data elements for systems/products/services, including components; roles of component owners/operators; and interactions of individuals or third parties with the systems/products/services.
Does the inventory of personal data processing activities cover all actions performed with personal data, across the entire lifecycle of that data?
Business Environment
The organization's role in the data processing ecosystem is identified and communicated.
Is the organization's role in the data processing ecosystem (controller, processor, or third party) identified and communicated?
Privacy priorities are established and aligned with the organization's mission and objectives.
Are the organization's privacy priorities aligned with its mission and objectives?
Risk tolerance is determined and clearly expressed.
Are the organization's privacy risk tolerance levels determined and clearly expressed?
Risk Assessment
A privacy risk assessment methodology is established.
Does the organization have a methodology for assessing privacy risks?
Privacy risks to individuals are identified and documented.
Are privacy risks to individuals identified and documented?
Privacy risks are prioritized.
Are privacy risks prioritized based on their impact on individuals and the organization?
Responses to privacy risks are identified and prioritized.
Are responses to privacy risks identified and prioritized?
Data Processing Ecosystem Risk Management
Contracts with third parties are reviewed to ensure they meet the organization's privacy requirements.
Are third-party data processing contracts reviewed to ensure privacy requirements are met?
Third-party compliance with privacy requirements is monitored.
Does the organization monitor third-party compliance with privacy requirements?