Data Privacy Assessment-Key Areas

Data Privacy Assessments – Key Areas


Area 1: Transparency

  • When user information is collected from individuals, are they made aware of the uses for that information?
  • Are individuals made aware of any disclosures of their personal information to third parties?
  • Have we obtained people’s consent for any secondary uses of their personal data which might not be obvious to them?
  • Are our personal information collection practices open, transparent and up-front?

Area 2: Purpose specification

  • Are we clear about the purpose (or purposes) for which we keep personal information?
  • Are the individuals collecting/handling this information also clear about this purpose?
  • Has responsibility been assigned for maintaining a list of all information sets and the purpose associated with each?
  • Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?

Area 3: Use and disclosure of information

  • Are there defined rules about the use and disclosure of information?
  • Are all staff aware of these rules?
  • Are regulatory and country-specific data privacy rules taken into consideration before any use and disclosure?
  • Are the individuals aware of the uses and disclosures of their personal data?
  • Has consent been obtained from individuals for the uses and disclosures of their personal information?

Area 4: Personal Information Security

  • Is there a list of the security controls in place for each information set?
  • Is someone responsible for the development and review of these controls?
  • Are these controls appropriate to the sensitivity of the personal data?
  • Are our computers and our databases password-protected, and encrypted if appropriate?

Area 5: Accuracy and Update of Personal Information Stored

  • Do we check our data for accuracy?
  • Do we know how much of our personal data is time-sensitive?
  • Do we take steps to ensure our personal information is kept up to date?
  • Do individuals have access to, and provisions for updating, the personal data we store about them?

Area 6: Retention time

  • Is there a clear statement on the information retention period?
  • Are regulatory and country-specific data privacy rules taken into consideration before deciding the retention period?
  • Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
  • Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed?

Area 7: The Individual Right of Access

  • Do individuals have access to, and provisions for updating, the personal data we store about them?
  • Are there clear procedures in place for dealing with such requests?
  • Do these procedures guarantee compliance with the Act’s requirements?

Area 8: Data Privacy Awareness Training

  • Do we have data privacy awareness training sessions for employees?
  • Do we know the levels of awareness of data protection in our organisation?
  • Is data protection included as part of the training / induction programme for our staff?

Area 9: Regulatory Compliance Visibility

  • Do we have clear visibility over regulatory requirements and country-specific data privacy rules?
  • Do we have a privacy framework defined for the organisation that takes the requirements above into account?
  • Do we have periodic assessments in place to gauge our data privacy compliance posture and drive continuous improvement?

Courtesy: ISO 29100 Standard, DSCI Data Privacy Framework and Data Protection – Ireland



Deepesh Kumar

An information security risk management professional backed by knowledge of ITIL, ISO/IEC 27001 & 27002, ISO 22301, ISO 29100, CISSP, PMP, COBIT, CHFI and IS/IT audits. Working in ANZ as a Security Consultant, and CISSP, PMP, CHFI and ISO 27001 LA certified.
