4.CIPM Onl Mod4Transcript

1) Data assessments and inventories are important tools for understanding an organization's personal data landscape. They help identify privacy risks and ensure compliance. 2) A data inventory maps where personal data is collected, stored, used, and shared. It documents these data flows and helps manage data throughout its lifecycle. 3) Building a data inventory involves determining which departments collect data, what systems store it, and asking questions about data attributes at each stage of its lifecycle from collection to storage to destruction.

Uploaded by Tran Duc Hung

PRIVACY PROGRAM MANAGEMENT

ONLINE TRAINING TRANSCRIPT


MODULE 4: PRIVACY OPERATIONAL LIFE CYCLE—ASSESS: DATA ASSESSMENTS

Introduction

Module introduction

You cannot build and maintain a successful privacy program without a comprehensive view of the data
your organization stores and processes. Data assessments can help you inventory, manage and track
personal information, as well as determine the impact that organizational systems and processes will have
on privacy. They can help organizations identify privacy risks to individuals in advance and address them
at the beginning of any project that involves the processing of personal data.

In module 4, we will examine different functions of data inventories and data assessments, and
considerations when assessing vendor risk.

Data inventory and mapping

Learning objectives

• Recognize functions of data inventory/data mapping

• Identify strategies for creating a data inventory/data map

• Outline reasons for and steps involved in creating a gap analysis of applicable privacy requirements

Data inventory and mapping: Definition

A data inventory, or data map, is a complete record of all the personal information your organization
stores, uses and processes. It can be used:

• As a precursor to regulatory compliance and risk analysis
• To assess data, systems and processes
• To inform data assessments, priorities, data life cycle management and data classification

Creating a data map should involve:

• Understanding how applicable laws and regulations define personal information

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.

• Determining what personal information the organization collects and uses
• Documenting where the information is stored, including third-party systems that house it, and
where, geographically, the servers are located
• Mapping the flow of the information: where it goes from point of collection throughout the
organization and externally to vendors or other third parties
• Determining how long the information is retained and in what formats, including whether it is
“structured” (saved in relational databases) or “unstructured” (not saved in a relational database)
• Assigning categories to the information and risk levels to those categories
• Creating a record of the authority of organizational systems that process the personal information

Data inventory and mapping: Getting started

Mary is responsible for creating a comprehensive inventory of all the personal information One Earth
Medical processes. To accomplish this, Mary will need to determine:

• Who should create the data inventory
• Which departments hold and use personal information
• What questions should be asked

Click on each question to learn more about Mary’s choices.

Who should create the data inventory?

Creating and maintaining a data inventory may be the responsibility of the privacy function, IT
function or both; often, the budget for this undertaking is shared across these departments.

Which departments hold and use personal information?

This question may be answered through an internal audit or with the help of an outside consultancy.

What questions should be asked?

Questions can be used to determine the data assets of an organization. They should be specific to
the organization’s line of business and may be organized around the data life cycle—collection, use,
storage, archiving and destruction. Internal policies and procedures, laws, regulations and
standards may also be used to compose the questions. For example, Article 30 of the GDPR asks
for a record of “processing activities.”

From an expert: Data inventories

Janelle Hsia, CIPP/E, CIPP/US, CIPM, CIPT, President, Privacy SWAN Consulting

And when I look at data inventory, I put it in a couple of different buckets, and I tackle one bucket at a
time. And the bucket that you tackle is really going to depend on what’s important for your organization.
Is your organization concerned about internal data—the data about your employees? Is that where you’re
going to look first, from a data inventory perspective? Or are you concerned about your customer-facing
data—sales and marketing? And then if that’s the case, that’s where you’re going to start, with sales and
marketing. Or if you are a SaaS provider and you’re in the business of working on behalf of other people
and you’re worried about that customer data, maybe that’s where you start doing data inventory, is in
your production and test and deployment systems.


And there’s two different ways that you can do data inventory—two common ways of doing data
inventory. The first is by business processes. And that’s the GDPR Article 30—that’s the roadblock. And
most organizations—if this is your, the first time you’re doing that, I don’t find most of them starting
there. I find them starting with some sort of asset inventory. So they go to IT, and they ask IT, “What are
all the systems that we use?” And then you can go through those systems and map them. Again, “Is that
an HR system, is that a production system, is that a sales/marketing?” Kind of figure out where you’re
going to start and go through all of those assets from your IT department.

Any time I’ve done an asset inventory or a data mapping exercise, I may be given 50 or 100 products that
they use, and I can guarantee I will almost always double that number. And the reason for that is because
I will also go to finance. And when I go to finance, I ask them, “So, this is the list of approved software.
What’s not on this list that you’re paying for?” And, so, then they send—hand me another list of vendors
that aren’t on this list. And I can tell you if you’re paying somebody, they probably have your personal
data, even if it’s an accountant or a consultant like myself. And are they on your inventory? Have you
done an analysis of the type of data you’re sharing with them? So, go to finance and ask them what’s on—
who are they paying, and then look at the data that you’re sharing with them.

The other one is shadow IT. So, shadow IT is IT that the business doesn’t know an employee is using.
These are where we get our free products and services from, and there is a lot of data sharing that’s going
into these free products and services. So, finance and shadow IT are two of the biggest places that you
need to go look for when you do the data inventory and data mapping.

The benefits of data inventory and data mapping are you may actually find out that you have more than
one license of, say, Salesforce or of Survey Monkey or whoever your current survey tool is. And so, you
can usually reduce costs by doing a data inventory or a data mapping because you can actually maybe get
a better deal because you now know that you have multiple licenses or multiple, you know, licenses of a
particular product.

So, the other thing is you’ll get an authoritative source. You’ll know exactly where that data is and exactly
where it should live so that you never have to be worried, “Is that an email address? Is that the right
email address? Where do I store my email? Where’s the right email address?” It also is going to help with
your incident response planning, because if and when something bad happens, if you’ve done a good data
inventory, you’ll know exactly what data is in the system that was compromised and you’ll know is it
critical, sensitive data or is it not. Because if it’s critical, sensitive data, there’s a different level of urgency
in an incident. And then, of course, it will also help you with your data subject access requests. You have
to do a data inventory or a mapping before you get to any kind of data subject access request policy.

Data inventory and mapping: Asking questions (1)

When building a data inventory, you will need to learn all you can about the personal information your
organization holds—as well as the systems or repositories in which the data is stored.

You may want to organize your intake questions around the data life cycle considering the collection,
usage, storage, archiving and destruction of personal information.

Brainstorm intake questions for building a data inventory around these stages in the data life cycle:
collection, usage and storage. Then, click “Submit” to compare your questions with Mary’s.

Mary’s List

Collection


• How is it formatted (e.g., structured/unstructured)?
• Does it have special protection by law?
• What is the intended purpose of processing?
• What type of information is it?

Usage

• How often?
• For what purpose?
• Is it identifiable?
• In what format?

Storage

• For how long is data kept?
• Where is it housed geographically (i.e., server location)?
• From where is it accessed?
• Where and how does it flow?
• How is the data secured?

Asking questions (2)

Once the data inventory has been completed and documented, the information can be used to address
incidents and standard risk assessments. The inventory process helps set organizational priorities for
privacy initiatives by providing data locations, use, storage and access, allowing the privacy team to
justify priorities and understand the scope of data usage in the organization.

Data inventory and mapping: Using tools and staying updated

When building your data inventory, select the tool that will enable your organization to update it most
easily. Some privacy professionals begin with a questionnaire and have follow-up meetings with
departments. In other cases, vendor tools may be used (see the IAPP Privacy Tech Vendor Report).
Options may include spreadsheets, a GRC (or governance, risk management and compliance) software
system, an internally developed system or another product. Tracing the flow of personal information
throughout the organization may be best captured visually in a flow diagram.

Remember that changes within the organization may trigger the need to update data inventories.
Updating data inventories is often a manual process involving multiple departments. Click each
department name below to reveal an example of an event that may prompt a data mapping update.

Procurement: Contracts with a new vendor
Legal: Acquires a new subsidiary
Product development: Launches a new product
Marketing: Implements a new email marketing software
HR: Launches a health program that requires employees to track their diet and exercise

Gap analysis (1)

In addition to creating a data inventory, you may want to conduct a gap analysis to determine privacy
compliance efforts that exist, areas that need improvement and areas where additional controls must be
developed. Consider international, local and industry-specific standards and laws, then identify any gaps
between their requirements and your organization’s current compliance efforts. While not necessary, some
organizations choose a privacy compliance tool.

Click on the image of the spreadsheet to reveal an example of gap analysis content.

Columns: Regulation or law; ID; Requirement; Rule; Domain; Conclusion.

Regulation or law: HIPAA
ID: 164.308(a)(1)(i)(C)
Requirement: Security Management Process – Sanction policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
Rule: Security rule
Domain: Policies and procedures
Conclusion: No gaps

Regulation or law: GDPR
ID: Article 28, Section 3
Requirement: Data processor agreements: “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
Rule: Contractual requirement
Domain: Data management
Conclusion: Gap exists with processor Smith & Jones Insurance; no agreement in place

Gap analysis (2)

Laws can overlap, so be sure to involve your legal team in the process. For instance, an organization
subject to both the CCPA and the GDPR must consider the differences in each law’s definition of
“processing.” The CCPA defines processing as occurring only once collected information is acted upon
further, while the GDPR considers processing to be any action performed on a data subject’s data,
including collection.
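As an added example (not part of the IAPP transcript), the following Python models a data inventory around Mary’s life-cycle intake questions and runs a gap analysis over it using the two requirements from the example spreadsheet, the GDPR Article 28(3) processor agreement and the HIPAA 164.308(a)(1)(i)(C) sanction policy, plus an internal retention-schedule check. The One Earth Medical systems, vendors, retention periods and limits are constructed sample data.

```python
"""Data inventory + gap analysis. Added illustration, not IAPP course material.
Systems, vendors and retention figures below are constructed sample values."""
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class InventoryRecord:
    """One row of the data inventory, organised around Mary's intake questions."""
    data_type: str                 # Collection: what type of information is it?
    purpose: str                   # Collection: intended purpose of processing
    structured: bool               # Collection: structured (relational DB) or unstructured?
    special_protection: bool       # Collection: does it have special protection by law?
    system: str                    # Storage: which system or repository holds it?
    server_location: str           # Storage: where is it housed geographically?
    retention_days: int            # Storage: for how long is the data kept?
    shared_with: List[str] = field(default_factory=list)           # Flow: vendors / third parties
    processor_agreements: List[str] = field(default_factory=list)  # Vendors with a signed contract


@dataclass
class Gap:
    """One conclusion row of the gap-analysis spreadsheet."""
    regulation: str
    requirement_id: str
    domain: str
    conclusion: str


def check_processor_agreements(rec: InventoryRecord) -> List[Gap]:
    """GDPR Article 28(3): processing by a processor must be governed by a binding contract."""
    return [
        Gap("GDPR", "Article 28, Section 3", "Data management",
            f"Gap exists with processor {vendor}; no agreement in place ({rec.system})")
        for vendor in rec.shared_with if vendor not in rec.processor_agreements
    ]


def check_retention(rec: InventoryRecord, limits: Dict[str, int]) -> List[Gap]:
    """Internal retention schedule (constructed): data kept past its limit is a gap."""
    limit = limits.get(rec.data_type)
    if limit is not None and rec.retention_days > limit:
        return [Gap("Internal policy", "Retention schedule", "Data life cycle",
                    f"{rec.data_type} in {rec.system} kept {rec.retention_days} days, limit {limit}")]
    return []


def check_sanction_policy(policies: Dict[str, Any]) -> List[Gap]:
    """HIPAA 164.308(a)(1)(i)(C): sanctions for workforce members who fail to comply must exist."""
    if policies.get("sanction_policy_documented"):
        return []
    return [Gap("HIPAA", "164.308(a)(1)(i)(C)", "Policies and procedures",
                "Gap exists: no sanction policy documented")]


def run_gap_analysis(inventory: List[InventoryRecord], policies: Dict[str, Any]) -> List[Gap]:
    """Apply organisation-level checks once, then record-level checks per inventory row."""
    gaps = check_sanction_policy(policies)
    for rec in inventory:
        gaps += check_processor_agreements(rec)
        gaps += check_retention(rec, policies.get("retention_limits_days", {}))
    return gaps


def format_report(gaps: List[Gap]) -> str:
    """Render the spreadsheet's Conclusion column; an empty list means 'No gaps'."""
    if not gaps:
        return "No gaps"
    return "\n".join(f"{g.regulation} | {g.requirement_id} | {g.domain} | {g.conclusion}"
                     for g in gaps)


# Constructed sample inventory for the fictional One Earth Medical.
SAMPLE_INVENTORY = [
    InventoryRecord("patient contact details", "appointment scheduling", True, True,
                    "EHR database", "Frankfurt, DE", 3650,
                    shared_with=["Smith & Jones Insurance"], processor_agreements=[]),
    InventoryRecord("employee payroll data", "salary payment", True, False,
                    "HR system", "Dublin, IE", 2555,
                    shared_with=["Payroll Services Ltd"],
                    processor_agreements=["Payroll Services Ltd"]),
    InventoryRecord("job applicant résumés", "recruitment", False, False,
                    "shared drive", "Dublin, IE", 1095),
]
SAMPLE_POLICIES: Dict[str, Any] = {
    "sanction_policy_documented": True,
    "retention_limits_days": {"job applicant résumés": 365},  # constructed limit
}

if __name__ == "__main__":
    print(format_report(run_gap_analysis(SAMPLE_INVENTORY, SAMPLE_POLICIES)))
```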

Summary


• A data inventory, or data map, is a complete record of all the personal information your
organization stores, uses and processes.
• Data inventories can be used as a precursor to regulatory compliance and risk analysis; to
assess data, systems and processes; and to inform data assessments, priorities, data life
cycle management and data classification. It should demonstrate data flows and classification,
create a record of the authority of systems processing personal information and analyze data
types/uses.
• To create a comprehensive inventory of all personal information being processed, an organization
should determine who creates the data inventory, which departments hold/use personal
information, and what questions should be asked.
• Intake questions may be organized around the data life cycle, considering the collection, usage,
storage, archiving and destruction of personal information.
• Conducting a gap analysis helps determine what compliance efforts are in place, areas that need
improvement, and where additional controls must be developed. It involves identifying gaps
between standards and laws an organization is subject to and the organization’s current
compliance efforts. Many laws overlap, so be sure to involve your legal team in the process.

Assessments and impact assessments

Learning objectives

• Analyze purposes and methods for conducting privacy assessments

• Define PIAs/DPIAs

• Determine triggers for conducting PIAs/DPIAs

• Outline components of DPIAs

• Define TIAs and LIAs

• Identify the role of attestations

Privacy assessment: Measuring compliance

A privacy assessment measures an organization’s compliance with laws, regulations, adopted standards
and internal policies and procedures in: education and awareness; monitoring and responding to the
regulatory environment; data, systems and process assessments; risk assessments; incident response;
contracts; remediation; and program assurance, including audits.

A privacy assessment is not to be confused with a privacy impact assessment, or PIA. A privacy
assessment measures how closely an organization’s practices align with its legal obligations and stated
practices.

Click on the question marks to learn more about conducting a privacy assessment.

What?

• Measures an organization’s compliance with laws, regulations, adopted standards and internal
policies/procedures

When?


• On a regular basis
• Ad hoc due to a privacy or security event
• At the request of an enforcement authority

By whom?

• Internal audit function
• Data protection officer
• Business function (self-assessment)
• External, third party

How?

• Subjective standards (e.g., employee interviews)
• Objective standards (e.g., information system logs)

Then what?

• Document results for management sign-off
• Analyze results to improve and remediate program
• Monitor changes on ongoing basis

What is a PIA?

A privacy impact assessment, or PIA, is an analysis that specifically assesses the privacy risks associated
with processing personal information in relation to a project, product or service.

Requirements around PIAs may be mandated by industry, organizational policy, and laws and regulations.

PIAs can help facilitate privacy by design, which is the concept of building privacy directly into technology,
systems and practices in the design phase. It helps ensure privacy is considered from the outset, and not
as an afterthought. Privacy by design will be covered in greater detail in module 5.

When should a PIA be conducted?

A PIA should be conducted:

• Prior to deployment of a project, product or service that involves the collection of personal
information
• When there are new or revised industry standards, organizational policies, or laws and regulations
• When the organization makes changes to methods in which personal information is handled that
create new privacy risks

From the list, check the events that may trigger the need for a PIA.

• Conversion of information from anonymous to identifiable format
• Conversion of records from paper-based to electronic format
• Significant merging, matching and manipulation of multiple databases containing personal
information
• Application of user-authentication technology to a publicly accessible system
• System management changes involving significant new uses and/or application of new technologies
• Incorporating personal information obtained from commercial or public sources into existing
databases
• Significant new interagency exchanges or uses of personal information
• Alteration of a business process resulting in significant new collection, use and disclosure of
personal information
• Alteration of the character of personal information due to the addition of qualitatively new types
• Implementation of projects using third-party service providers

All answers are correct. As shown here, many different circumstances may trigger the need for a PIA.

From an expert: Privacy impact assessments (PIAs)

Adam Higgins, CIPP/E, CIPM, CIPT, FIP

A few of the fundamental aspects to consider when creating a privacy impact assessment starts with the
data subjects whose personal data you are processing. If you are in an industry like manufacturing, where
the majority of the personal data that your company processes relates to employees, the scope of your
PIA will be quite different from a company that operates in the retail industry and is primarily focused on
respecting the rights of consumers. Another key area when creating a privacy impact assessment is to
identify the stakeholders that are going to be involved not only as reviewers and approvers but also from
a consultation and inform perspective. Creating a RACI chart is a great way of determining the workflow
associated with your PIA so that you are including the stakeholders that need to be involved from an
approval standpoint and also respecting existing processes that may exist for groups in security,
compliance or legal. A RACI chart defines the parties that are responsible, accountable, consulted and
informed. So, in my experience, the privacy team is the responsible and accountable party for the privacy
impact assessment, and they may be working in consultation with legal, compliance and security, and
there may be other groups that need to be informed, such as HR, if you are working on a PIA that relates
to employee personal data.

There are two ways that I have approached privacy impact assessments. The first was aligned to the
Generally Accepted Privacy Principles and included questions that align to each of the ten principles within
the GAPP. So, we covered things like management, notice, choice, consent, etc. The second way that I’ve
conducted privacy impact assessments, and the way that I prefer, is to follow the data through the data
life cycle and to ask questions that will identify who the data is coming from, where it comes from, how
it’s shared internally and externally, what are the purposes that you are using it for, and how long you
retain and dispose of the data.

The “must dos” for a PIA are to really tailor the questions to your business. Oftentimes people purchase
external tools and assume that it’s a “plug and play” for a PIA, and the reality is that each company uses
their own terminology and acronyms, and if you don’t modify the questions so that they are palatable by
the end users that are going to be completing the PIA form you’ll have a larger headache to deal with than
if you weren’t doing a PIA to begin with.

Another item to consider when developing a privacy impact assessment is really looking at the return on
investment from using a third-party tool versus creating a workflow in-house. If you are working in a
company where you anticipate a handful of PIAs every month or every quarter a tool may not be the best
route for you, and there are plenty of templates and guides published online that will help you create a
PIA that’s applicable to your business that does not require you to invest in a third-party solution.

The biggest challenge for me in creating a PIA is clearly identifying the roles and responsibilities for the
groups involved. I think privacy is one of the only areas in a business that touches all stakeholders and
can influence different aspects of a business’ operations and with that, everyone wants to be involved.
And so being able to clearly define who is a decision maker when it comes to a particular data processing
activity can be challenging, but it’s important that when you look at the scope of a PIA, you’re really


looking only at the privacy risks and handing the legal, security, compliance and other risks to the
appropriate groups to render decisions based on their area of expertise.

DPIAs

Data protection impact assessments, or DPIAs, have specific triggers and requirements under some
countries’ laws, such as the GDPR and the LGPD (Brazil’s General Data Protection law, Lei Geral de
Proteção de Dados). The use of new technologies, whose consequences and risks are less understood,
may increase the likelihood that a DPIA should be conducted.

A DPIA has two main values:

• To help incorporate privacy considerations into organizational planning
• To help demonstrate compliance with the law

Click on the tabs to learn more.

When is a DPIA required?

Under the GDPR:

• If the processing is “likely to result in a high risk to the rights and freedoms of natural persons”
(Article 35). The nature, scope, context, purpose, type of processing and use of new technologies
should also be considered. Article 35 provides examples that require a DPIA.
• See the Article 29 Working Party’s “Guidelines on Data Protection Impact Assessment (DPIA),”
accessible here.

Under the LGPD:

• If the processing of personal data may trigger risks to civil liberties and fundamental rights of the
data subjects (Article 5, XVII).
• There are two cases in which the LGPD expressly recommends that the controller create a DPIA:
when the processing of personal data is based on a legitimate interest or involves sensitive data. In
these instances, controllers may be asked to provide a DPIA at any time.

What should a DPIA include?

• A description of the processing, including its purpose and, where applicable, the legitimate interest
being pursued.
• The necessity of the processing, its proportionality and the risks that it poses to data subjects.
• Measures to address the risks identified.

When must the supervisory authority be contacted?

• Prior to processing, when the DPIA indicates a high risk to data subjects that is not mitigated. In
addition to the DPIA, this communication should include:
o Responsibilities of the controllers and processors
o Purposes and means of the processing
o Measures and safeguards
o Contact details of the DPO

Components of a DPIA


Components of a DPIA may differ, depending on applicable requirements, line of business and so on. The
UK Information Commissioner's Office (ICO) published a publicly available template for recording the
process and outcomes of a DPIA. It is meant as a complement to the ICO's DPIA guidance and the Criteria
for an acceptable DPIA in European guidelines on DPIAs.
(https://iapp.org/media/pdf/resource_center/dpia-template-v04-post-comms-review-20180308.pdf).

Click on the template to explore sections of the ICO’s DPIA template.

• Identify the need for a DPIA
• Describe the processing of personal information, including its nature, scope, context and purposes
• Consider what consultation you may need
• Assess necessity and proportionality
• Identify and assess risks
• Identify measures to mitigate risks
• Sign off and record outcomes

TIAs and LIAs

A transfer impact assessment, or TIA, is a new assessment to ensure an adequate level of data protection
in a third country. TIAs consider the sufficiency of foreign protections on a case-by-case basis when data
is transferred using standard contractual clauses (SCCs), binding corporate rules (BCRs) or other EU-
approved data transfer mechanisms. Click the link for examples of a TIA template.

https://iapp.org/resources/article/transfer-impact-assessment-templates/

A legitimate interests assessment, or LIA, is a form of risk assessment and should be conducted when
your personal data processing is based on legitimate interest. LIAs include identifying the legitimate
interest and conducting necessity and balancing tests. An LIA demonstrates accountability and the
lawfulness of your processing while confirming your compliance to the supervisory authority.

https://ico.org.uk/media/for-organisations/forms/2258435/gdpr-guidance-legitimate-interests-sample-lia-template.docx

Assessment in practice

In addition to identifying areas of noncompliance, assessments may determine other privacy risks.

Eric works for a financial institution that digitally stores all client records and destroys paper copies.

He has discovered that, when working with a client, saving the record to his desktop makes accessing
information easier and quicker.

A conversation with Eric’s team leader during their annual privacy assessment uncovers this practice that
is both noncompliant with the company’s privacy policy and puts personal information at risk of a breach.

What are the privacy implications of this shortcut? Select all that apply.

• Greater risk of a data breach
• Organization retains data for longer than it should
• Data minimization principle is ignored
• Eric loses his job for violating corporate policy
• The data cannot be incorporated into a PIA because no one else knows about it/can access it
• The client’s “right to be forgotten” cannot be enforced fully

All are correct except for Eric losing his job—while it may be a risk, it is not a privacy implication.

Attestation: A form of self-assessment

Attestation is a tool for ensuring functions outside the privacy team are held accountable for privacy-
related responsibilities. Once you have determined the privacy responsibilities of each department, you
may use this document to craft questions related to each responsibility. The designated department is
required to answer the questions and, potentially, provide evidence.

Attestation questions should be specific and easy to answer, usually with yes or no responses.

Task: Classify data

Owner: IT

Questions: Has the NIST 800-60 classification system been reviewed to ensure understanding of
each category? Has each type of data within the information system been mapped to a category?
Have data types that cannot be easily categorized been flagged, analyzed and classified by the
CISO?

Evidence: Spreadsheet with data inventory, categories and classifications

Physical assessments: Identify operational risk

Risk assessments should evaluate the physical environment. The assessment of physical controls
implemented is key because many security incidents are due to theft or loss of equipment, or hard-copy
records being lost, stolen, or incorrectly stored or disposed of. Physical and environmental security
protects an organization’s data, electronic equipment and personnel.

Click on each area of the photo that could pose a potential security risk. When you have finished, take a
moment to brainstorm prevention strategies for each.

An employee’s unlocked computer

An employee’s monitor in an open-concept work environment, viewable by individuals who may not
have authorization to access the information being displayed

A document containing customer financial information left on the printer

An unlocked shredder bin

Employee performance review documents that are not stored in a secure location

An unlocked cabinet that contains sensitive customer information

A former employment candidate’s résumé that has not been securely filed or destroyed

Summary


• A privacy assessment measures an organization’s compliance with laws, regulations, adopted
standards and internal policies/procedures. It may involve the use of subjective standards (such as
employee interviews) and/or objective standards (such as information system logs).
• A privacy impact assessment, or PIA, is an analysis that assesses privacy risks associated with
processing personal information in relation to a project, product or service. Requirements around PIAs
may be mandated by industry, organizational policy, and laws and regulations.
• Triggers for conducting a PIA include preparing for the deployment of a project, product or service
that involves the collection of personal information; new or revised industry standards, organizational
policies, or laws and regulations; and organizational changes to methods in which personal information
is handled.
• A data protection impact assessment, or DPIA, has specific triggers and requirements
under the GDPR and LGPD. DPIAs are intended to help incorporate privacy considerations into
organizational planning and demonstrate GDPR compliance.
• Triggers for conducting DPIAs include processing that is “likely to result in a high risk to the rights
and freedoms of natural persons” (GDPR Article 35) and the use of new technologies.
• DPIAs should include: a description of the processing, including its purpose, and including, where
applicable, the legitimate interest being pursued; the necessity of the processing, its proportionality
and the risks that it poses to data subjects; and measures to address the risks identified.
• Attestation is a self-assessment tool for ensuring functions outside the privacy team are held
accountable for privacy-related responsibilities. Once the privacy responsibilities of each department
are documented, the departments may be asked specific questions about each responsibility.

Checkpoints for mergers, acquisitions and divestitures

Learning objective

• Determine the processes that mergers, acquisitions and divestitures should evaluate

Mergers, acquisitions and divestitures: Privacy checkpoints

Mergers, acquisitions and divestitures serve as key junctures for assessing privacy risks. These processes
should include a privacy checkpoint that evaluates:

• Applicable new compliance requirements
• Existing client agreements
• New resources, technologies and processes (to bring them into alignment)
• Standards and sectoral-specific laws
• Comprehensive laws and regulations

If a merger or acquisition means that you must transfer data to another controller, you need to:

• Ensure you consider the data sharing as part of the due diligence you carry out
• Establish what data you are transferring and document the data sharing
• Identify the purposes for which the data was originally obtained
• Establish your lawful basis for sharing the data

It can be difficult to manage shared data immediately after a change in organizational structure. It is
particularly important in this period to consider the governance and accountability requirements. In
particular, you must:


• Check that the data records are accurate and up to date
• Ensure you document what you do with the data
• Adhere to a consistent retention policy for all records
• Ensure appropriate security is in place

Divestitures should include a privacy check to ensure no unauthorized information—including personal
information—remains on the organization’s infrastructure.

Summary

• Mergers, acquisitions and divestitures should include a privacy checkpoint that evaluates new
compliance requirements; existing client agreements; new resources, technologies and processes; and
applicable laws and standards.

Assessing vendors

Learning objectives

• Develop a set of criteria to prioritize privacy considerations for vendor assessment

• Identify methods for assessing vendor risk

• Determine focus points related to assessing cloud computing vendors

Vendors: Assessing risk

Vendor assessment is the evaluation of a vendor for privacy and information security policies, access
controls, where the personal information will be held, and who has access to it. Risk assessment should be
extended to all areas of the business, including procurement. The same assessment process should be
followed every time the organization considers using a new vendor.

Click on each heading to learn more about risks when working with vendors.

Common risks of working with vendors

• Scope creep
• Process/quality standards
• Data breaches
• Oversight
• Laws and regulations

Vendor assessment

• Evaluates privacy/information security policies, access controls, where personal information will be
held and who has access
• Involves all relevant internal/external stakeholders: internal audit, information security, physical
security and regulators
• Same assessment process followed with each potential new vendor
• Methods: Privacy/security questionnaires, privacy impact assessments, checklists

Considerations


• Type of data being outsourced
• Location of data
• Implications of cloud computing strategies
• Legal compliance
• Records retention
• Contractual requirements and review processes
• Minimum standards for safeguarding information

Requirements under specific laws:

GDPR – Article 28

• Due diligence before working with vendor
• Data processor agreements
• Controller right to audit processor

PIPL (Personal Information Protection Law), China – Article 55

• Entities that process personal information must carry out a personal information protection impact
assessment in advance, and retain the processing records for at least three years, for certain
processing activities, including “entrusting vendors to process personal information,” processing
sensitive personal information and transferring personal information overseas

Vendors: Using checklists to assess

Privacy or security questionnaires, privacy impact assessments and other checklists can be used to assess
vendor risk.

You can use checklists to assess vendors on the following criteria. Click and drag the terms to complete
the sentences correctly.

• Hiring
• Policies
• Termination
• Monitoring & auditing
• Data inventory/map
• Notice
• Procurement process
• Enforcement
• Contract
• Framework
• Privacy risks
• Training
• …are identified, assessed, mitigated and addressed in the contract
• Processing activities align with the privacy…
• There is a consistent…
• Relevant teams have had … to handle vendor privacy issues
• Relevant personal information is included in the…
• All privacy and security requirements are addressed in the…
• …are consistently followed by all departments
• There is ongoing…
• There is a process for…


Assessing cloud computing vendors

Any technology that is new to an organization should require an assessment. Assessing cloud computing
vendors before procuring them can be challenging, not only because of the complexity of their services,
but also because clients of cloud computing services may not be able to negotiate the contractual terms of
use of the cloud services. Furthermore, inspecting their premises is difficult for various logistical reasons.

The Cloud Industry Forum indicates several areas to focus on during a selection assessment of a cloud
service provider:

1. Certifications and standards: Providers that comply with recognized standards and quality
frameworks demonstrate an adherence to industry best practices and standards.

2. Technologies: Ensure the provider’s platform and preferred technologies align with your current
environment, workloads and management preferences.

3. Service roadmap: How does the provider plan to continue innovating and growing, and does its
road map fit your needs in the long term?

4. Data management: The location where your data will reside and the local laws it is subject to
may be a key part of the selection process. If you have specific requirements, look for providers
that give you choice and control regarding the jurisdiction in which your data is stored, processed
and managed.

5. Information security: Ensure user access and activity is auditable and get clarity on security
roles and responsibilities.

6. Subcontractors and service dependencies: Uncover any service dependencies and partnerships
involved in the provision of the cloud services. You should also look to understand limitations of
liability and service disruption policies related to these subcomponents.

7. Data policies and protection: Assess a provider’s security policies and data management policies,
particularly those related to data privacy regulations. Ensure there are enough guarantees around
data access, data location and jurisdiction, confidentiality, and usage or ownership rights.

Summary

• Vendor assessment is the evaluation of a vendor for privacy and information security policies, access
controls, where the personal information will be held, and who has access to it.
• Privacy or security questionnaires, privacy impact assessments and other checklists can be used to
assess vendor risk.
• Any technology that is new to an organization, even those that are ubiquitous elsewhere, requires
an assessment.
• Assessing cloud computing vendors before procuring them can be challenging. Specific areas to
focus on during a selection assessment of a cloud service provider include certifications and
standards, technologies, service road map, data management, information security, subcontractors
and service dependencies, and data policies and protection.

Quiz

1. Which of the following is a common function of a data inventory? Select all that apply.

Assesses data, systems and processes


Informs data assessments

Informs data classification

Measures compliance with laws, regulations, standards and internal policies

2. Which of the following elements may be found in a data inventory? Select all that apply.

Data flows

Classification of data

Record of authority of organizational systems

Types and uses of data

3. True or false? Data inventories are almost always created and maintained by the legal function within
an organization.

True

False

4. Which of the following is a potential tool for keeping a data inventory up to date? Select all that apply.

A privacy impact assessment

GRC software

Spreadsheets and manual processes

An internally developed system

5. Which of the following is an assessment that measures how closely an organization’s practices align
with its legal obligations and stated practices?

Privacy assessment

Privacy impact assessment

Data protection impact assessment

Physical assessment

6. True or false? A privacy impact assessment can help facilitate privacy by design.

True

False

7. Ideally, when should a PIA be conducted? Select all that apply.


Prior to deployment of a project, product or service that involves the collection of personal
information

Directly following the deployment of a project, product or service to ensure that privacy
considerations have been addressed

When there are new or revised industry standards, organizational policies, or laws and regulations

When the organization makes changes to methods in which personal information is handled that
create new privacy risks

8. Which of the following are methods for assessing vendors? Select all that apply.

Privacy and security questionnaires

Privacy impact assessments

Checklists

Audits

Closing slide

You have completed Module 4: Privacy operational life cycle—Assess: Data assessments.

Quiz answers

1. All answers are correct except Measures compliance with laws, regulations, standards and internal
policies.
2. All answers are correct.
3. False.
4. All answers are correct except A privacy impact assessment.
5. Privacy assessment.
6. True.
7. All answers are correct except Directly following the deployment of a project, product or service to
ensure that privacy considerations have been addressed.
8. All answers are correct except Audits.

*Quiz questions are intended to help reinforce key topics covered in the module. They are not meant to
represent actual certification exam questions.
