Privacy and Data Protection

Privacy Compliance Program Checklist

Below is a list of the key elements to use as part of a self-assessment of your organization’s privacy program.

Compliance Program Element

Suggested Data Privacy Compliance Program Component

Complete

Standards and procedures

  • Evidence that the organization’s code of conduct reinforces a commitment to safeguarding privacy.

  • Evidence of the organization’s data protection impact assessment program.

  • Evidence that privacy and related policies are examined periodically and take into consideration changes to the privacy risk—and related, broader IT/information security—landscape and wrongdoing perpetuated in the recent history pertaining to that policy.

  • Evidence of privacy breach response policies and protocols.

  • Evidence that departmental policies have been further contextualized to account for specific personal data flows.

  • Evidence that the company has a privacy communication plan that includes distribution of privacy policies.

Governance, oversight, authority

  • Evidence that privacy measures are incorporated into annual organizational goal setting and include appropriate follow-up.

  • Evidence that the annual report to senior leadership and the board on the data privacy compliance program includes the results of the organizational privacy risk assessment and consideration of related information security risks, results of internal audits, and incident trends.

  • Evidence of funding for the privacy program, including people, process, and technology.

Due care in delegation of authority

  • Evidence that privacy professionals demonstrate the right professional qualifications and expert knowledge of the data protection legal and regulatory environment.

  • Evidence of documented privacy roles and responsibilities, including, where applicable, adherence to regulatory requirements such as the General Data Protection Regulation (GDPR) and the role of the data protection officer.

Communication and training

  • Evidence of a privacy-specific learning and awareness plan, updated annually, reflecting the results of the organization’s overall risk profile (e.g., GDPR, California Consumer Privacy Act, Health Insurance Portability and Accountability Act).

  • Evidence of the privacy-specific awareness program or process reflective of its unique organizational risk profile.

  • Evidence of privacy-specific awareness for middle/senior leadership as well as the board or similar senior leadership body.

Auditing, monitoring, and reporting systems

  • Evidence of the organization’s data protection–specific third-party assessment program where the third-party relationship is assessed against the company’s privacy and related information security policies, including, for example, data minimization, privacy by design, and a data protection impact assessment.

  • Evidence that data protection is a core component of the company’s mergers and acquisitions assessment process.

Incentives and discipline

  • Evidence of the organization’s data protection–specific disciplinary and incentive measures, including, for example, consequences for noncompliance with the company’s acceptable use policy or privacy policy. Evidence that these measures apply across all ranks, including senior leadership.

Response to wrongdoing and remediation

  • Evidence that complaint, inquiry, and privacy breach response protocols are consistently followed through a privacy case management system or similar process.

  • Evidence that data privacy inquiries or complaints are addressed consistent with applicable privacy requirements, including timing as well as process (such as subject access rights requests).

  • Evidence that data incidents are addressed consistent with applicable law, such as the GDPR’s 72-hour requirement, including root cause analysis and remedial measures such as control improvements, changes to systems, improvement of the existing data protection impact assessment process, and internal and/or external notifications consistent with applicable law.

Risk assessment and continuous improvement

  • Evidence that the company conducts a periodic (annual at minimum) data privacy risk assessment designed to identify changes to the organization’s inherent privacy risks and responsive measures to prevent, detect, and respond to those risks.

  • Evidence that the company conducts an annual data protection compliance program assessment, which includes testing of program components and results of privacy audits, which inform recommended control enhancements.

  • Evidence that the organization’s data protection impact assessment program includes periodic reassessment of systems and processes.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings