Because compliance levels vary across organizations and industries, some organizations may already have mature data privacy frameworks that only need slight tweaking to fit the requirements of the Data Privacy Act. Others may have instituted information security management systems that comply with international standards that include the protection of personal information. Still others might not even have begun the process of orienting themselves with the Data Privacy Act or initiated the compliance process required by the law.
Our Data Privacy Compliance Process starts with evaluating the organization’s degree of compliance and situating the organization in the compliance spectrum. In this regard, we conduct Data Privacy Audits (sometimes referred to as privacy impact assessments or privacy risk assessments). Our audit adopts a process-centric approach that analyzes business methods across the organization, in order to map out the collection and processing of personal information. We also examine the organization’s rules, policies, processes, and third-party contracts that have data privacy implications. We describe the personal information life-cycle relevant to these processes and identify the points at which personal information is collected, assessed, analyzed, stored, transferred, sold, and destroyed.
Our audit also includes a comprehensive look at the organization’s governance processes to see whether they adhere to the requirements of the Data Privacy Act. Some questions we consider are: