Privacy compliance means being able to provide attestation and demonstrate policies and controls on-demand to auditors
The term "compliance" appears 36 times in the GDPR legislation text, but the text never defines it. For privacy, compliance means meeting the rules, regulations, requirements, requests, guidelines, and laws that govern how companies collect, process, manage and share personal information. Organizations have various policies that dictate these requirements, reflecting their regulatory landscape and ethical guidelines. Compliance readiness is the current state of a company in meeting the policies and guidelines of the organization.
What are some typical privacy compliance concerns?
- Do we know where all our personal and sensitive data resides?
- Do we have clear consent guidelines and obvious and simple customer controls?
- Do we have the processes in place to handle and respond to DSARs?
- Are our customers’ data adequately protected?
- Do we have strict policies on how customer data can be used and shared?
- Can we provide attestation and demonstrate our policies and controls on-demand to auditors?
- Are our employees continuously trained on their responsibilities in the handling of customer data?
- Are our employees continuously trained on how to avoid the unintentional use, transfer or exposure of customer data?
How do companies track or measure their compliance readiness?
- Ensure the company maintains a continuous data inventory of personal data and monitors risk.
- Establish and monitor processes for obtaining consent.
- Monitor DSARs for completeness and timeliness of response.
- Conduct internal audits of practices, policies and controls.
- Implement a recurring employee training program on privacy responsibilities.
- Ensure that security practices, controls, and preventions are regularly tested for effectiveness.