This sample Benchmarks Report represents a real-world example of Your Privacy Management Status Report, based on a mature privacy program in a non-North American organization within the public sector.
Your Monthly Privacy Management Status Report
September 9, 2014
Executive Summary
Privacy management within an organization goes beyond the privacy office; it consists of activities conducted throughout the organization that affect the processing of personal data.
This report compares the status of your organization’s privacy management with the privacy management of 34 other benchmarked organizations based on the aggregated statistics derived from Nymity Benchmarks.
Your organization’s privacy management program* is made up of 107 Implemented** privacy management activities and 7 Planned activities, for a total of 114 privacy management activities. This compares with the Benchmark average of 83.1 Implemented privacy management activities and 16.6 Planned, totalling 99.7 activities within the benchmarked organizations.
Your Privacy Management Activity Status
Implemented: 107 (93.9%)
Planned: 7 (6.1%)
Total: 114

Overall Benchmarked Organizations' Status (average per benchmarked organization)
Implemented: 83.1 (83.3%)
Planned: 16.6 (16.7%)
Total: 99.7
Measured by the ratio of Implemented activities to all activities in the program (Implemented plus Planned), your privacy management program is 94% Implemented, compared with the Benchmark average of 83%.
Participating Organizations
All participating organizations have a privacy office and are at various stages of implementing a privacy program. Over 90% of the organizations have international operations. At this stage, over 75% of the participating organizations have their head office in the USA, with the EU the second most represented location. A wide variety of industries is represented in this research study, and no single industry accounts for more than 10% of the preliminary results. At the time of publishing the preliminary results, a few public-sector and pure health-sector organizations have participated.
Ongoing Research @Nymity
Nymity has initiated a number of research studies to augment the current statistical base. Over time, the plan is to develop statistical segmentation by industry, company size (number of employees), head office location, Safe Harbor, or BCR. If you would like to refer a group of organizations to participate in a benchmark research project, please contact Nymity's research team at research@nymity.com.
Note: Nymity Benchmarks are continuously updated with new benchmark data and this report will be emailed to Nymity Benchmarks subscribers with the latest results.
* Privacy management program is defined as the privacy management activities implemented plus the privacy management activities planned in the next 12 months. It does not include the Desired and Not Applicable Privacy Management Activities for your privacy management.
How Your Organization Compares - Top Benchmarked Privacy Management Activities
Your Status as compared to the Top 25 Implemented Privacy Management Activities
You have Implemented 24 of the Top 25 Implemented Privacy Management Activities.

Rank (%) | Your Status | Privacy Management Activity
97.23% | Implemented - Core | Maintain a corporate security policy (protection of physical premises and hard assets)
97.14% | Implemented - Core | Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
94.45% | Implemented - Core | Maintain backup and business continuity plans
91.43% | Implemented - Core | Maintain an information security policy
88.89% | Implemented - Core | Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties)
88.58% | Implemented - Elective | Attend/participate in privacy conferences, industry associations, or think-tank events
87.81% | Implemented - Core | Consult with stakeholders throughout the organization on data privacy matters
87.5% | Implemented - Core | Maintain a data privacy policy
86.12% | Implemented - Core | Maintain procedures to update security profile based on system updates and bug fixes
86.11% | Implemented - Core | Maintain human resource security measures (e.g. pre-screening, performance appraisals)
83.34% | Implemented - Core | Maintain a data privacy notice that details the organization's personal data handling policies
83.34% | Implemented - Core | Conduct regular testing of data security posture
82.93% | Implemented - Core | Assign accountability for data privacy at a senior level
82.93% | Implemented - Elective | Maintain a Code of Conduct
82.85% | Implemented - Elective | Conduct ongoing research on developments in law
80.49% | Implemented - Core | Assign responsibility for data privacy
80.49% | Implemented - Core | Require employees to acknowledge and agree to adhere to the data privacy policies
80% | Implemented - Core | Maintain an acceptable use of information resources policy
80% | Implemented - Core | Maintain a core training program for all employees
80% | Implemented - Core | Maintain procedures to respond to access requests
77.78% | Implemented - Core | Maintain escalation procedures for serious complaints or complex access requests
77.15% | Desired | Maintain subscription to compliance reporting service/law firm updates to stay informed on new developments
77.15% | Implemented - Elective | Seek legal opinions regarding recent developments in law
77.14% | Implemented - Core | Provide data privacy notice at all points where personal data is collected
77.14% | Implemented - Core | Maintain procedures to address complaints
Status key:
N/A: Not desired, required, applicable or justified based on privacy risk and business priorities.
Desired: The privacy office could anticipate or wish to implement if there were no resource constraints.
Planned: In progress or scheduled to be implemented in the next 12 months.
Implemented: Implemented, and either Core (fundamental to privacy management, mandatory) or Elective (advanced, optional, or beyond the minimum required).
About Nymity and Nymity Benchmarks
Nymity is a global research company specializing in accountability, risk, and compliance privacy solutions for the privacy office. A unique combination of a research and technology company, Nymity's advanced technology delivers research analysis to organizations in all jurisdictions around the world. Awarded the Gartner Cool Vendor award in Risk Management, Privacy & Compliance and selected as a Global Hot 100 Company by the World Summit on Innovation and Entrepreneurship, Nymity empowers organizations to comply.
Organizations continuously strive to compare and enhance their privacy program for ongoing effective privacy management. By empowering organizations to statistically baseline and compare their privacy program with others, Nymity Benchmarks provides superior insight into how the privacy management of one organization compares with the privacy management of another. Nymity Benchmarks is based on the Nymity Privacy Management Accountability Framework™.
Your Implemented Privacy Management Activities Compared to Other Organizations
Your organization, as of September 9, 2014, has implemented 107 privacy management activities, as compared to an average of 83.1 for the benchmarked organizations.
1. Maintain Governance Structure
Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain a privacy strategy | 68.29 | 14.63 | 14.63 | 2.44
Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers) | 73.17 | 7.32 | 14.63 | 4.88
Assign accountability for data privacy at a senior level | 82.93 | 7.32 | 9.76 | 0
Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel) | 73.17 | 7.32 | 19.51 | 0
Assign responsibility for data privacy | 80.49 | 9.76 | 7.32 | 2.44
Conduct regular communication between individuals accountable and responsible for data privacy | 73.17 | 9.76 | 14.63 | 2.44
Consult with stakeholders throughout the organization on data privacy matters | 87.81 | 7.32 | 4.88 | 0
Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board) | 53.66 | 19.51 | 14.63 | 12.2
Maintain a Code of Conduct | 82.93 | 2.44 | 9.76 | 4.88
Maintain a strategy to align activities with legal requirements (e.g. address conflicts, differences in standards, creating rationalized rule sets) | 58.54 | 14.63 | 21.95 | 4.88
Require employees to acknowledge and agree to adhere to the data privacy policies | 80.49 | 7.32 | 12.2 | 0
2. Maintain Personal Data Inventory
Maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain an inventory of key personal data holdings (what personal data is held and where) | 41.03 | 25.64 | 33.33 | 0
Classify personal data holdings by type (e.g. sensitive, confidential, public) | 58.98 | 15.38 | 23.08 | 2.56
Obtain approval for data processing (where prior approval is required) | 61.54 | 2.56 | 10.26 | 25.64
Register databases with data protection authority (where
Use Standard Contractual Clauses as a data transfer mechanism | 56.41 | 0 | 7.69 | 35.9
Use Cross-Border Privacy Rules as a data transfer mechanism | 17.94 | 0 | 20.51 | 61.54
Use the Safe Harbor framework as a data transfer mechanism | 51.28 | 0 | 7.69 | 41.03
Use Data Protection Authority approval as a data transfer mechanism | 28.21 | 0 | 10.26 | 61.54
Use adequacy or one of the derogations from adequacy (e.g. consent, performance of a contract, public interest) as a data transfer mechanism | 56.41 | 2.56 | 7.69 | 33.33
3. Maintain Data Privacy Policy
Maintain a data privacy policy that meets legal requirements and addresses operational risk
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain a data privacy policy | 87.5 | 7.5 | 5 | 0
Obtain board approval for data privacy policy | 61.54 | 0 | 10.26 | 28.21
Document legal basis for processing personal data | 58.97 | 2.56 | 20.51 | 17.95
4. Embed Data Privacy Into Operations
Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) | 65.79 | 10.53 | 10.53 | 13.16
Maintain policies/procedures for maintaining data quality | 60.52 | 7.89 | 23.68 | 7.89
*NEW* Maintain policies/procedures to review processing conducted wholly or partially by automated means | 15.63 | 3.13 | 53.13 | 28.13
Maintain policies/procedures for secondary uses of personal data | 50 | 11.11 | 30.56 | 8.33
Maintain policies/procedures for secure destruction of personal data | 71.05 | 15.79 | 10.53 | 2.63
Integrate data privacy into use of cookies and tracking mechanisms | 52.63 | 15.79 | 26.32 | 5.26
Integrate data privacy into records retention practices | 56.76 | 16.22 | 21.62 | 5.41
Integrate data privacy into employee background check practices | 65.79 | 10.53 | 13.16 | 10.53
Integrate data privacy into social media practices | 52.64 | 23.68 | 18.42 | 5.26
Integrate data privacy into health & safety practices | 47.37 | 15.79 | 18.42 | 18.42
Integrate data privacy into interactions with works councils | 42.1 | 5.26 | 5.26 | 47.37
Integrate data privacy into practices for monitoring employees | 60.53 | 15.79 | 13.16 | 10.53
Integrate data privacy into e-mail monitoring practices | 63.16 | 13.16 | 10.53 | 13.16
Integrate data privacy into use of CCTV/video surveillance | 50 | 13.16 | 15.79 | 21.05
Integrate data privacy into use of geo-location (tracking and/or location) devices | 47.37 | 10.53 | 15.79 | 26.32
Integrate data privacy into delegate access to employees' company e-mail accounts (e.g. vacation, LOA, termination) | 50 | 10.53 | 18.42 | 21.05
Integrate data privacy into e-discovery practices | 47.37 | 5.26 | 21.05 | 26.32
Integrate data privacy into conducting internal investigations | 57.89 | 10.53 | 21.05 | 10.53
Integrate data privacy into practices for disclosure to and for law enforcement purposes | 57.89 | 7.89 | 18.42 | 15.79
Integrate data privacy into customer/patient/citizen facing practices (e.g. retail sales, provision of healthcare, tax processing) | 57.89 | 5.26 | 13.16 | 23.68
Integrate data privacy into back office/administrative procedures (e.g. facilities management) | 54.06 | 16.22 | 27.03 | 2.7
Integrate data privacy into financial operations (e.g. credit, billing, processing transactions) | 71.05 | 5.26 | 13.16 | 10.53
Integrate data privacy into research practices | 34.21 | 5.26 | 26.32 | 34.21
5. Maintain Training and Awareness Program
Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain a core training program for all employees | 80 | 11.43 | 5.71 | 2.86
Conduct training for newly appointed employees upon assignment to privacy-sensitive positions | 60 | 11.43 | 20 | 8.57
Conduct regular refresher training to reflect new developments | 62.86 | 11.43 | 22.86 | 2.86
Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training | 65.71 | 14.29 | 14.29 | 5.71
Measure participation in data privacy training activities (e.g.
Deliver a privacy newsletter, or incorporate privacy into existing corporate communications | 40 | 17.14 | 31.43 | 11.43
Maintain ongoing awareness material (e.g. posters, intranet, and videos) | 40 | 14.29 | 31.43 | 14.29
Maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information | 58.33 | 16.67 | 19.44 | 5.56
Provide data privacy information on system logon screens | 50 | 2.78 | 30.56 | 16.67
Conduct one-off, one-time tactical training and communication dealing with specific, highly-relevant issues/topics | 66.67 | 11.11 | 19.44 | 2.78
Provide ongoing education and training for the Privacy Office (e.g. conferences, webinars, guest speakers) | 72.22 | 8.33 | 13.89 | 5.56
6. Manage Information Security Risk
Maintain an information security program based on legal requirements and ongoing risk assessments
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain an information security policy | 91.43 | 2.86 | 2.86 | 2.86
Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) | 97.14 | 0 | 0 | 2.86
Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media | 74.28 | 5.71 | 17.14 | 2.86
Maintain an acceptable use of information resources policy | 80 | 11.43 | 5.71 | 2.86
Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties) | 88.89 | 2.78 | 2.78 | 5.56
Maintain a corporate security policy (protection of physical premises and hard assets) | 97.23 | 0 | 0 | 2.78
Maintain human resource security measures (e.g. pre-screening, performance appraisals) | 86.11 | 5.56 | 5.56 | 2.78
Maintain backup and business continuity plans | 94.45 | 2.78 | 0 | 2.78
Maintain a data-loss prevention strategy | 63.89 | 16.67 | 16.67 | 2.78
Maintain procedures to update security profile based on system updates and bug fixes | 86.12 | 5.56 | 2.78 | 5.56
Conduct regular testing of data security posture | 83.34 | 2.78 | 11.11 | 2.78
Maintain a security verification | 66.67 | 8.33 | 13.89 | 11.11
7. Manage Third-Party Risk
Maintain contracts and agreements with third-parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain data privacy requirements for third parties (e.g. vendors, processors, affiliates) | 75 | 16.67 | 8.33 | 0
Maintain procedures to execute contracts or agreements with all processors | 66.67 | 22.22 | 8.33 | 2.78
Conduct due diligence around the data privacy and security posture of potential vendors/processors | 72.22 | 16.67 | 5.56 | 5.56
Maintain procedures to address instances of non-compliance with contracts and agreements | 42.86 | 17.14 | 34.29 | 5.71
Review long-term contracts for new or evolving data protection risks | 30.55 | 19.44 | 38.89 | 11.11
8. Maintain Notices
Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain a data privacy notice that details the organization's personal data handling policies | 83.34 | 2.78 | 8.33 | 5.56
Provide data privacy notice at all points where personal data is collected | 77.14 | 5.71 | 5.71 | 11.43
Provide notice by means of on-location signage, posters | 38.89 | 5.56 | 8.33 | 47.22
Provide notice in all forms, contracts and terms | 61.11 | 8.33 | 11.11 | 19.44
Maintain a data privacy notice for employees (processing of employee personal data) | 52.77 | 2.78 | 27.78 | 16.67
Provide data privacy education to individuals (e.g. preventing identity theft) | 44.44 | 5.56 | 30.56 | 19.44
9. Maintain Procedures for Inquiries and Complaints
Maintain effective procedures for interactions with individuals about their personal data
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain procedures to address complaints | 77.14 | 5.71 | 11.43 | 5.71
Maintain procedures to respond to access requests | 80 | 5.71 | 8.57 | 5.71
Maintain procedures to respond to requests to update or revise personal data | 69.44 | 8.33 | 13.89 | 8.33
Maintain procedures to respond to requests for information | 69.45 | 8.33 | 13.89 | 8.33
Maintain escalation procedures for serious complaints or complex access requests | 77.78 | 5.56 | 11.11 | 5.56
Maintain procedures to investigate root causes of data protection complaints | 69.45 | 8.33 | 16.67 | 5.56
Maintain metrics for data protection complaints (e.g. number, root cause) | 58.33 | 11.11 | 25 | 5.56
10. Monitor for New Operational Practices
Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles
(no Implemented activities in this category)
11. Maintain Data Privacy Breach Management Program
Maintain an effective data privacy incident and breach management program
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain a documented data privacy incident/breach response protocol | 62.86 | 22.86 | 11.43 | 2.86
Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol | 60 | 20 | 14.29 | 5.71
Maintain a breach incident log to track nature/type of all breaches | 71.43 | 8.57 | 14.29 | 5.71
Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause) | 57.14 | 17.14 | 17.14 | 8.57
Conduct periodic testing of breach protocol and document findings and changes made | 31.43 | 17.14 | 42.86 | 8.57
Engage a forensic investigation team | 54.29 | 8.57 | 17.14 | 20
Maintain a record preservation protocol to protect relevant log history | 48.57 | 14.29 | 20 | 17.14
12. Monitor Data Handling Practices
Verify operational practices comply with the data privacy policy and operational policies and procedures
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches | 71.43 | 2.86 | 17.14 | 8.57
Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit) | 60 | 8.57 | 20 | 11.43
Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units) | 34.29 | 11.43 | 40 | 14.29
Conduct ad-hoc walk-throughs | 42.86 | 0 | 25.71 | 31.43
Maintain privacy program metrics | 45.72 | 20 | 31.43 | 2.86
13. Track External Criteria
Track new compliance requirements, expectations, and best practices
Status of all benchmarked organizations (% in each status):
Your Implemented Privacy Management Activities | Implemented | Planned | Desired | N/A
Conduct ongoing research on developments in law | 82.85 | 0 | 11.43 | 5.71
Attend/participate in privacy conferences, industry associations, or think-tank events | 88.58 | 2.86 | 5.71 | 2.86
Record/report on the tracking of new Rule Sources or amendments to Rule Sources | 60 | 0 | 22.86 | 17.14
Seek legal opinions regarding recent developments in law | 77.15 | 0 | 8.57 | 14.29
Document that new requirements have been implemented (also document where a decision is made to not implement any changes, including reason)
Your Planned Privacy Management Activities Compared to Other Organizations
Your organization, as of September 9, 2014, has planned 7 privacy management activities, as compared to an average of 16.6 for the benchmarked organizations.
1. Maintain Governance Structure
Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures
(no Planned activities in this category)
2. Maintain Personal Data Inventory
Maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data
(no Planned activities in this category)
3. Maintain Data Privacy Policy
Maintain a data privacy policy that meets legal requirements and addresses operational risk
(no Planned activities in this category)
4. Embed Data Privacy Into Operations
Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives
(no Planned activities in this category)
5. Maintain Training and Awareness Program
Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks
(no Planned activities in this category)
6. Manage Information Security Risk
Maintain an information security program based on legal requirements and ongoing risk assessments
(no Planned activities in this category)
7. Manage Third-Party Risk
Maintain contracts and agreements with third-parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance
(no Planned activities in this category)
8. Maintain Notices
Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance
(no Planned activities in this category)
9. Maintain Procedures for Inquiries and Complaints
Maintain effective procedures for interactions with individuals about their personal data
(no Planned activities in this category)
10. Monitor for New Operational Practices
Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles
Status of all benchmarked organizations (% in each status):
Your Planned Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain a Privacy by Design framework for all system and product development | 37.15 | 17.14 | 42.86 | 2.86
Maintain PIA guidelines and templates | 48.57 | 20 | 25.71 | 5.71
Conduct PIAs for new programs, systems, processes | 57.14 | 20 | 17.14 | 5.71
Maintain a procedure to address data protection issues identified during PIAs | 42.85 | 22.86 | 25.71 | 8.57
Maintain a product sign-off procedure that involves the Privacy Office | 34.28 | 20 | 31.43 | 14.29
Maintain a product life cycle process to address privacy impacts of changes to existing programs, systems, or processes | 25.71 | 22.86 | 42.86 | 8.57
Maintain metrics for PIAs (e.g. number completed, turnaround
11. Maintain Data Privacy Breach Management Program
Maintain an effective data privacy incident and breach management program
(no Planned activities in this category)
12. Monitor Data Handling Practices
Verify operational practices comply with the data privacy policy and operational policies and procedures
(no Planned activities in this category)
13. Track External Criteria
Track new compliance requirements, expectations, and best practices
(no Planned activities in this category)
Your Desired Privacy Management Activities Compared to Other Organizations
Your organization, as of September 9, 2014, has 25 Desired privacy management activities, as compared to an average of 29.7 for the benchmarked organizations.
1. Maintain Governance Structure
Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Conduct a Privacy Risk Assessment | 66.66 | 19.05 | 14.29 | 0
Maintain a privacy program charter/mission statement | 65.85 | 9.76 | 21.95 | 2.44
Integrate data privacy into business risk assessments/reporting | 51.22 | 12.2 | 36.59 | 0
Maintain ethics guidelines | 75.61 | 2.44 | 17.07 | 4.88
2. Maintain Personal Data Inventory
Maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain flow charts for key data flows (e.g. between systems, between processes, between countries) | 23.08 | 23.08 | 53.85 | 0
Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities) | 41.02 | 7.69 | 30.77 | 20.51
3. Maintain Data Privacy Policy
Maintain a data privacy policy that meets legal requirements and addresses operational risk
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain a separate employee data privacy policy | 58.98 | 7.69 | 20.51 | 12.82
Document guiding principles for consent | 53.85 | 10.26 | 20.51 | 15.38
4. Embed Data Privacy Into Operations
Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain policies/procedures for pseudonymization/anonymization of personal data | 26.32 | 13.16 | 42.11 | 18.42
Maintain policies/procedures for collecting consent preferences | 52.63 | 10.53 | 23.68 | 13.16
5. Maintain Training and Awareness Program
Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Conduct data privacy training needs analysis by position/job responsibilities | 34.29 | 25.71 | 34.29 | 5.71
Maintain a second level training program reflecting job specific content | 40 | 14.29 | 40 | 5.71
Require completion of data privacy training as part of performance reviews | 20 | 2.86 | 57.14 | 20
Hold an annual data privacy day/week | 30.56 | 13.89 | 33.33 | 22.22
Measure comprehension of data privacy concepts using exams | 44.44 | 8.33 | 22.22 | 25
Maintain certification for individuals responsible for data privacy, including continuing professional education | 61.11 | 5.56 | 22.22 | 11.11
6. Manage Information Security Risk
Maintain an information security program based on legal requirements and ongoing risk assessments
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Conduct a security risk assessment which considers data privacy risk | 65.71 | 14.29 | 17.14 | 2.86
7. Manage Third-Party Risk
Maintain contracts and agreements with third-parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain a vendor data privacy risk assessment process | 41.67 | 22.22 | 30.56 | 5.56
Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment
8. Maintain Notices
Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain a privacy Seal or Trustmark to increase customer trust | 16.66 | 2.78 | 33.33 | 47.22
9. Maintain Procedures for Inquiries and Complaints
Maintain effective procedures for interactions with individuals about their personal data
(no Desired activities in this category)
10. Monitor for New Operational Practices
Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles
(no Desired activities in this category)
11. Maintain Data Privacy Breach Management Program
Maintain an effective data privacy incident and breach management program
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Obtain data privacy breach insurance coverage | 32.35 | 5.88 | 23.53 | 38.24
12. Monitor Data Handling Practices
Verify operational practices comply with the data privacy policy and operational policies and procedures
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Conduct assessments through use of an accountability agent or third-party verification | 20 | 5.71 | 51.43 | 22.86
13. Track External Criteria
Track new compliance requirements, expectations, and best practices
Status of all benchmarked organizations (% in each status):
Your Desired Privacy Management Activities | Implemented | Planned | Desired | N/A
Maintain subscription to compliance reporting service/law firm updates to stay informed on new developments | 77.15 | 2.86 | 17.14 | 2.86
Maintain records or evidence that alerts are read and actions are taken (e.g. read daily and forwarded to key individuals as required) | 31.42 | 2.86 | 28.57 | 37.14
Review or participate in studies related to best practices in