A. Description of the Processing (Article 35(7)(a))
[Name of Enterprise Here] [Sample answers for fictional ABC Corporation]
Enter answers to questions / prompts in column A.

1. Nature, scope, context and purposes of the processing (Recital 90):
A network application used to monitor employee activities within ABC Corporation's physical and network facilities to ensure safety and compliance with legal and policy requirements.

2. List of in-scope personal data items:
Data reflects:
1) employee activities around work stations
2) employee network activities (login/logout, applications used, associated dates/times/durations/locations, etc.)
3) internet activities (sites visited/duration of visits/IP addresses/dates/times/locations, etc.) made through the company's network
4) phone calls (incoming/outgoing phone numbers/dates/times/durations/locations, etc.)

3. Recipients of personal data items (if not applicable, indicate N/A):
Data controllers: management whose job responsibilities require such data; IT support personnel
Data processors:
* contracted physical safety/security vendor ACME Co.
* contracted managed systems security vendor ABC Net Security
* contracted phone systems vendor XYZ Telco

5. Functional description of the processing operation:
The application was created in-house by company IT personnel. The application imports data from three different vendors:
* Physical safety/security data, video, audio and photo files from vendor ACME Co. are collected through an API from the ACME cloud-based system.
* Company systems-activity data are generated internally, via tools used by company IT personnel. This data is combined with data collected through an API from systems-security vendor ABC Net Security.
* Company IT personnel created an API to import data from contracted phone systems vendor XYZ Telco.
* All data is then accessible through the company IT application, hosted within the company network.
* Access to data files via the company application is based on minimum necessary privileges justified by job responsibilities.
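The last bullet of the functional description (access based on minimum necessary privileges justified by job responsibilities) is the control a DPIA reviewer will most want to see enforced in code rather than only in policy. The following is an added example, not code from the ISACA tool or from ABC Corporation's in-house application. It shows a deny-by-default check that maps a role to the data categories of worksheet A and, within a category, to the fields that role's job responsibility justifies, and it records every decision so later reviews can verify access against responsibilities. The role names, the policy table, the field names and the sample records are constructed for illustration.

```python
"""Added example (not from the ISACA DPIA tool or ABC Corporation's application):
deny-by-default, role-based "minimum necessary" access to the monitoring data
categories listed in worksheet A. Roles, policy, fields and records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Data categories from worksheet A, item 2 (labels are constructed).
CATEGORIES: Set[str] = {
    "workstation_activity", "network_activity", "internet_activity", "phone_calls",
}

# Assumed least-privilege policy: role -> category -> fields the job responsibility
# justifies. A category absent for a role is denied outright (deny by default).
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "physical_security_manager": {
        "workstation_activity": {"employee_id", "location", "timestamp"},
    },
    "network_security_manager": {
        "network_activity": {"employee_id", "event", "application", "timestamp", "duration"},
        "internet_activity": {"employee_id", "site", "ip_address", "timestamp", "duration"},
    },
    "telephony_manager": {
        "phone_calls": {"employee_id", "direction", "number", "timestamp", "duration"},
    },
    # IT support needs only enough to troubleshoot logins: no durations or locations
    # (assumed scope for the example).
    "it_support": {
        "network_activity": {"employee_id", "event", "timestamp"},
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    record: Optional[dict] = None  # minimised record, present only when allowed


@dataclass
class AuditLog:
    """Every decision, allowed or denied, is kept so access can be reviewed
    against job responsibilities (the check the DPIA question asks about)."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user: str, role: str, category: str, decision: Decision) -> None:
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "category": category,
            "allowed": decision.allowed, "reason": decision.reason,
        })

    def denied_count(self) -> int:
        return sum(1 for e in self.entries if not e["allowed"])


def request_record(user: str, role: str, category: str, record: dict, log: AuditLog) -> Decision:
    """Deny by default; when allowed, return only the fields the role may see."""
    if category not in CATEGORIES:
        decision = Decision(False, "unknown data category")
    elif role not in POLICY:
        decision = Decision(False, "role has no entitlements")
    elif category not in POLICY[role]:
        decision = Decision(False, "category not justified by job responsibility")
    else:
        allowed_fields = POLICY[role][category]
        minimised = {k: v for k, v in record.items() if k in allowed_fields}
        decision = Decision(True, "category justified by job responsibility", minimised)
    log.record(user, role, category, decision)
    return decision


# Constructed sample record shaped like the network-activity items in worksheet A.
SAMPLE_NETWORK_EVENT = {
    "employee_id": "E-1042", "event": "login", "application": "vpn-client",
    "timestamp": "2017-06-01T08:02:11Z", "duration": 3600, "location": "Building 2",
}
# Constructed sample phone-call record.
SAMPLE_PHONE_CALL = {"employee_id": "E-1042", "direction": "outgoing", "number": "+1-555-0100"}


def demo() -> AuditLog:
    """Three constructed requests: one justified, one outside the role's scope,
    one from a role with no entitlements."""
    log = AuditLog()
    request_record("alice", "it_support", "network_activity", SAMPLE_NETWORK_EVENT, log)
    request_record("alice", "it_support", "phone_calls", SAMPLE_PHONE_CALL, log)
    request_record("bob", "contractor", "network_activity", SAMPLE_NETWORK_EVENT, log)
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```

The field-level filtering is what turns "minimum necessary" from a category gate into actual data minimisation: the same network event yields a narrower record for IT support than for the network security manager, and the audit entries give the reviewer the evidence the worksheet's summary columns ask for.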
Worksheet columns and instructions

Column "Privacy Principle": the privacy principle assessed in each row.

Column "ISACA GDPR Data Protection Privacy Impact Assessment (DPIA) & Gap Analysis Questions": the questions to answer for each principle.

Column "Which of the following answers best applies to your enterprise?": Please enter a letter below. For "NA", provide an explanation. See full descriptions for each letter in the reference box below.
A: Completely addressed, no gaps
B: Mostly addressed, still a few gaps
C: Addressed a few, most GDPR requirements not satisfied.
D: Nothing has been done.
NA: This does not apply to us.

Column "Associated Personal Data Security Risk & GDPR Mitigation Safeguards Actions": List or describe actions the enterprise will take to mitigate identified security risks and/or GDPR compliance gaps. If no security risk or gap mitigation is planned, please explain briefly.

Column "Associated Data Subject Privacy Harm Risk-mitigation Actions": List or describe actions the enterprise will take to mitigate identified harm risks. If no harm risk mitigation is planned, please explain briefly.

Column "Assessment Results for Privacy Principle": Summarize findings for the privacy principle associated with each row. Include the following points (as applicable):
* Summary totals of answers for questions associated to the privacy principle. These totals will indicate the compliance and maturity level of associated activities in your privacy management program.
* Statement of risks and gaps for the associated privacy principle (based upon the answers), along with any additional applicable description or information.
* Summary of risk and privacy harm mitigation actions planned.
* Additional information to benefit supervisory authorities, auditors and/or management regarding each privacy principle result.

Reference descriptions for A-D answers
A: Yes, we've completely addressed all points and are managing. Associated risks are sufficiently mitigated, or accepted and approved by management. There are no gaps with respect to GDPR requirements.
B: We've mostly addressed the points but still have a few actions outstanding; then we plan to manage. A few risks remain to be mitigated or accepted; and/or there are a few gaps with respect to GDPR requirements.
C: We completed a few activities to address the points; but many remain to be addressed. Then we will manage. Most risks have not been mitigated, and/or most GDPR requirements are not satisfied.
D: We have not done anything to address the points. No risks have been explicitly addressed nor accepted.
NA: This does not apply to us.
SAMPLE ENTRY (For illustration only, using sample data in worksheet A.)

Privacy Principle: 1. Choice & Consent

1) Do you have documented and enforced privacy and security policies (and supporting procedures) to provide choices, where appropriate, to data subjects regarding use of their personal data? Is consent obtained before using personal information for specific purposes, as required by GDPR? See GDPR Art. 6(1)
Answer: A
Security risk & GDPR mitigation safeguards: We have the following safeguards in place:
* Documented policies and procedures for the facility, internet use and phone use monitoring.
* Training for the policies and procedures.
* Technology has been implemented within the surveillance systems to give notice to those within our facilities of the surveilling activities. At the entrance to our facilities we give notification that if the individual does not want to be surveilled they should not enter the facilities.
* For the types of monitoring and surveillance implemented, no consent is necessary for entering the facilities or for monitoring network use to access the internet, as confirmed with GDPR supervisory authorities. Personnel understand these are conditions of employment.
* For the phone calls we give notice and obtain consent.
* Identification verification is obtained where necessary.
* Data is retained according to the information given in the Introduction.
Planned actions: None at this time.
Privacy harm risk-mitigation actions: We have the following harm prevention controls in place:
* Documented policies and procedures detail how the data can and cannot be used.
* Controls do not allow data to be shared to others without obtaining authorization for such sharing.
* Data is irreversibly deleted upon reaching the end of the retention date or legal requirement, whichever arrives first.
* We have cyber liability insurance to cover personal data breaches.
* We have documented and implemented breach response plans in place.
Planned actions: None at this time.

2) Are consents (once obtained) appropriately documented and maintained? Can consents be easily provided upon request by data subjects and/or appropriate authorities? See GDPR Art. 7(1), Art. 7(2)
Answer: C
Security risk & GDPR mitigation safeguards: We have the following safeguards in place:
* Documented policies and procedures for obtaining consents.
* Training for the policies and procedures.
* Technology has not yet been implemented to fully manage the consents. The new privacy manager will be responsible for accomplishing this.
Planned actions: Implement technology to fully manage the consents.
Privacy harm risk-mitigation actions: We have the following harm prevention controls in place:
* Documented policies and procedures detail how the data can and cannot be used.
* Controls do not allow data to be shared to others without obtaining authorization for such sharing.
* Data is irreversibly deleted upon reaching the end of the retention date or legal requirement, whichever arrives first.
Planned actions: None at this time.

3) If the enterprise collects information from children younger than 16 years of age, have you created and documented policies and implemented processes to collect parental consent as required by the GDPR?
Answer: NA: We do not allow children within our facilities or to use our networks.
Security risk & GDPR mitigation safeguards: NA
Privacy harm risk-mitigation actions: NA

Assessment Results for Privacy Principle: 1. Choice & Consent Summary
a. Maturity & Risk Levels
# of Level A answers: 1
# of Level B answers:
# of Level C answers: 1
# of Level D answers:
# of NA answers: 1
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
* Technology has not yet been implemented to manage consents fully. The new privacy manager will be responsible for accomplishing this soon after he starts working in this position (4 weeks from the date of this DPIA report).
Position/person(s)/team assigned: Chris Jones, Privacy officer
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
* Technology has not yet been implemented to fully manage the consents. The new privacy manager will be responsible for accomplishing this soon after he starts working in this position (4 weeks from the date of this DPIA report).
Position/person(s)/team assigned: Chris Jones, Privacy officer
d. Additional Information: The new privacy manager will be choosing a new system to automate the management of consents more effectively. We have hired a privacy manager to oversee the consents management. That person will start in four weeks from the date on this DPIA. He will be responsible for ensuring all requirements for question 2 are accomplished. Overall, most risk is being sufficiently mitigated and appropriately accepted where applicable; all GDPR requirements are being met for this Choice and Consent Privacy Principle.
Privacy Principle: 1. Choice & Consent (blank worksheet)

1) Do you have documented and enforced privacy and security policies (and supporting procedures) to provide choices, where appropriate, to data subjects regarding use of their personal data? Is consent obtained before using personal information for specific purposes, as required by GDPR? See GDPR Art. 6(1)

2) Are consents (once obtained) appropriately documented and maintained? Can consents be easily verified upon request by data subjects and/or appropriate authorities? See GDPR Art. 7(1), Art. 7(2)

3) If the enterprise collects information from children younger than 16 years of age, have you created and documented policies and implemented processes to collect parental consent as required by the GDPR?

See GDPR Art. 10

5) Have you determined and documented situations to which the right to object does not apply, and implemented appropriate supporting procedures?

Assessment Results for Privacy Principle: 1. Choice & Consent Summary
a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:
d. Additional Information:

Copyright 2017 ISACA
GDPR Data Protection Impact Assessment (DPIA) Tool
Privacy Principle: 3. Personal Information and Sensitive Information Life Cycle

2) Do you have documented and enforced privacy and security policies (and supporting procedures) to decide whether or not special categories of personal data, or personal data related to criminal convictions/offences, have been used beyond the original purposes for which they were collected?

Assessment Results for Privacy Principle: 3. Personal Information & Sensitive Information Life Cycle Summary
a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:
6) Do you have documented and enforced privacy and security policies (and supporting procedures) to perform reviews, when necessary, that determine whether processing is performed in accordance with the data protection impact assessment, whenever the risk represented by processing operations changes?
Position/person(s)/team assigned:
d. Additional Information:

See GDPR Art. 13(3), Art. 14(4)

5) Do you have documented and enforced privacy and security policies (and supporting procedures and processes) to inform data subjects of the safeguards applied when personal data are transferred to a third country or to an international organization?
Privacy Principle: 6. Individual Participation

1) Do you have documented and enforced privacy and security policies (and supporting procedures and easy-to-use processes) that allow data subjects to withdraw consent to use their associated personal data at any time (including personal data used in partnership with other controllers), as long as the withdrawal does not result in legal violations about which you have informed the data subjects?

Assessment Results for Privacy Principle: 6. Individual Participation Summary
a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:
3) Do you have documented and enforced privacy and security policies (and supporting procedures and easy-to-use processes) to allow a data subject whose identity has been verified to obtain confirmation regarding whether or not personal data are being processed (including personal data used in partnership with other controllers), and when that is the case, to provide the data subject access to the associated personal data, including information concerning the purposes; categories; recipients; retention periods; rights for deletion and registering complaints; ability to restrict personal data processing where feasible and legal, with notices when the restrictions are lifted; and data source details where possible, in compliance with GDPR requirements?

6) Do you have documented and enforced privacy and security policies (and supporting procedures and easy-to-use processes) to enable data subjects to contact the data protection officer for any issue related to processing of their personal data or to the exercise of their rights under GDPR?
4) Do you have documented and enforced privacy and security policies (and supporting procedures) to ensure that:

6) Do you have documented and enforced privacy and security policies (and supporting procedures) for the enterprise to designate in writing:
a) such controls as pseudonymization and/or encryption;
b) such procedures to establish confidentiality, integrity, availability and resilience of processing systems and services, data backup and recovery; and

3) Do you have documented and enforced privacy and security policies (and supporting procedures) to obtain authorization, when applicable, from the competent supervisory authority for appropriate safeguards for personal data, by means of:
Privacy Principle: 9. Monitoring, Measuring & Reporting

1) Do you have documented and enforced policies (and supporting procedures) that specify what reports and/or tasks are the responsibility of the data protection officer, including:
a) monitoring compliance (including compliance of data processors with requirements);
b) training staff;
c) ensuring performance of privacy-compliance audits;
d) ensuring performance of DPIAs;
e) cooperating with data protection authorities; and
f) providing additional reports and monitoring, as appropriate?

2) Do you have documented and enforced policies (and supporting procedures) to provide reports for data subjects (at specified times; upon their request as appropriate; and reflecting all components required by GDPR), including:

Assessment Results for Privacy Principle: 9. Monitoring, Measuring & Reporting Summary
a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
d. Additional Information:
Worksheet column headers (Principle | ISACA GDPR Data Protection Privacy Impact Assessment (DPIA) & Gap Analysis Questions | Answer | Security Risk Actions | Harm Risk-mitigation Actions | Assessment Results):

Which of the following answers best applies to your enterprise? Please enter a letter below. For "NA", provide an explanation. See full descriptions for each letter in the reference box below.
A: Completely addressed, no gaps
B: Mostly addressed, still a few gaps
C: Addressed a few, most GDPR requirements not satisfied.
D: Nothing has been done.
NA: This does not apply to us.

Associated Personal Data Security Risk & GDPR Mitigation Safeguards Actions: List or describe actions the enterprise will take to mitigate identified security risks and/or GDPR compliance gaps. If no security risk or gap mitigation is planned, please explain briefly.

Associated Data Subject Privacy Harm Risk-mitigation Actions: List or describe actions the enterprise will take to mitigate identified harm risks. If no harm risk mitigation is planned, please explain briefly.

Assessment Results for Privacy Principle: Summarize findings for the privacy principle associated with each row. Include the following points (as applicable):
* Summary totals of answers for questions associated to the privacy principle. These totals will indicate the compliance and maturity level of associated activities in your privacy management program.
* Statement of risks and gaps for the associated privacy principle (based upon the answers), along with any additional applicable description or information.
* Summary of risk and privacy harm mitigation actions planned.
* Additional information to benefit supervisory authorities, auditors and/or management regarding each privacy principle result.

3) Do you have documented and enforced policies (and supporting procedures) that will trigger data protection impact assessments (DPIAs) in accordance with the GDPR, generally in the following situations:
5) Do you have documented and enforced policies (and supporting procedures) to provide appropriate supervisory authorities with contact information for the data protection officer and reports regarding breaches of personal data security, reflecting all components required by the GDPR?
7) Do you have documented and enforced policies (and supporting procedures) that specify the written reports required of your processors, including:
Provide descriptions, comments and additional information for each associated column, as appropriate.
10. Preventing Harm

1) Do you have documented data subject harm-prevention policies (and supporting procedures) that specify how to determine whether personal data processing (including processing for purposes other than that for which the personal data was initially collected) is lawful because:
a) the associated data subject provided explicit consent;
b) it is necessary to fulfill the contract with the data subject;
c) it is necessary for legal compliance;
d) it is necessary to protect vital interests of the data subject or other natural persons;
e) it is necessary for public interest or exercising official authority; or
f) it is necessary to support legitimate interests of your enterprise that do not infringe upon the data subject's rights?

10. Preventing Harm Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:
3) Do you have documented data subject harm-prevention policies (and supporting procedures) that specify the rights of data subjects to request removal of their personal data from automated processing and profiling in situations that could result in adverse legal effects or harms to them, and also specify the actions (and associated contact methods) your enterprise can take to obtain the views of data subjects (or their legal representatives) about the intended processing?
See GDPR Art. 15(4), Art. 20(4)

6) Do you have documented data subject harm-prevention policies (and supporting procedures) to provide technical and organizational measures that ensure respect for the principle of data minimization, as detailed within GDPR, whenever personal data are used for:
Provide descriptions, comments and additional information for each associated column, as appropriate.
11. Third-party/Vendor Management

1) Do you have documented third-party / vendor management policies (and supporting procedures) to ensure that your enterprise will not use processors unless:
a) they provide sufficient guarantees and verified proof that they have implemented appropriate technical and organizational (physical and administrative) measures and controls that meet GDPR requirements and support data subject rights;
b) the data protection officer or equivalent provides written authorization to use the processor; and
c) the processor contractually agrees to notify your organization whenever adding or removing other processors?

11. Third-party/Vendor Management Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:

2) Do you have documented third-party / vendor management policies (and supporting procedures) to specify the type of documented contract (in hard copy and/or digital form), or other legal act under Union or Member State law, binding on the processor with regard to your enterprise, that sets out:
3) Do you have documented third-party / vendor management policies (and supporting procedures) that detail the actions processors must take if they engage other processors to carry out specific processing activities that are part of the activities your organization contracted the processor to perform; that ensure such subcontracting carries the same requirements the processor agreed to in its contract with your organization, including verification of the proof of implementation and existence of those requirements and proof of compliance with any involved code of conduct and certification requirements; and that make clear the processor working directly with your organization remains fully liable for the performance of all obligations?
12. Breach Management

1) Do you have documented personal data breach policies (and supporting procedures) that include requirements for:
a) notifying the appropriate supervisory authority of the breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, with reasons provided for any delay (GDPR Art. 33);
b) notifying data subjects without undue delay of breaches likely to result in a high risk to their rights and freedoms (as defined by GDPR Art. 34), where it is determined (following documented procedures for performing harm risk analysis) that the personal data breach will result in privacy harm to the associated data subjects; and
c) including all items necessary within the notice as required by GDPR?

12. Breach Management Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:
See GDPR Art. 49(1)

3) Do you have documented and enforced personal data transfer policies (and supporting procedures) that include steps to follow for transferring personal data to a third country or to an international organization only after certain conditions have been validated in accordance with all onward-transfer requirements within the GDPR, including: adequacy, international agreement, verified existence of appropriate safeguards, enforceable data subject rights, and available effective legal remedies?
4) Do you have documented and enforced personal data policies (and supporting procedures) to support lawful processing that: