Copyright 2014 Nymity Inc. All Rights Reserved.


This sample Benchmarks Report represents a real-world example of Your Privacy Management Status Report based on a mature privacy program in a non-North American organization within the public sector.


Your Monthly Privacy Management Status Report

September 9, 2014

Executive Summary

Privacy management within an organization goes beyond the privacy office; it consists of activities conducted throughout the organization that affect the processing of personal data.

This report compares the status of your organization’s privacy management with the privacy management of 34 other benchmarked organizations based on the aggregated statistics derived from Nymity Benchmarks.

Your organization’s privacy management program* is made up of 107 Implemented** privacy management activities and 7 Planned activities, for a total of 114 privacy management activities. This compares with the Benchmark average of 83.1 Implemented privacy management activities and 16.6 Planned, totalling 99.7 activities within the benchmarked organizations.

Your Privacy Management Activity Status
Status | Activities | Share of program
Implemented | 107 | 93.9%
Planned | 7 | 6.1%
Total | 114 |

Overall Benchmarked Organizations' Status
Status | Activities (average) | Share of program
Implemented | 83.1 | 83.3%
Planned | 16.6 | 16.7%
Total | 99.7 |

Based on the ratio of Implemented to Planned activities, your privacy management program is 94% Implemented (107 of 114 activities), compared to the Benchmark average of 83%.

Participating Organizations

All participating organizations have a privacy office and are at various stages of implementing a privacy program. Over 90% of the organizations have international operations. At this stage, over 75% of the head offices in participating organizations are located in the USA, with the EU being the second largest represented location. A wide variety of industries are represented in this research study and not one single specific industry represents greater than 10% of the preliminary results. At the time of publishing the preliminary results, a few public-sector/pure health-sector organizations have participated.

Ongoing Research @Nymity

Nymity has initiated a number of research studies to augment the current statistical base. Over time, the plan is to develop statistical segmentation by industry, company size (# of employees), head office location, Safe Harbor, or BCR. If you would like to refer a group of organizations to participate in a benchmark research project, please contact Nymity’s research team at research@nymity.com.

Note: Nymity Benchmarks are continuously updated with new benchmark data and this report will be emailed to Nymity Benchmarks subscribers with the latest results.

* Privacy management program is defined as the privacy management activities implemented plus the privacy management activities planned in the next 12 months. It does not include the Desired and Not Applicable Privacy Management Activities for your privacy management.


How Your Organization Compares - Top Benchmarked Privacy Management Activities

Your Status as compared to the Top 25 Implemented Privacy Management Activities

You have Implemented 24 of the Top 25 Implemented Privacy Management Activities.

Rank (%) | Your Status | Privacy Management Activity
97.23% | Implemented - Core | Maintain a corporate security policy (protection of physical premises and hard assets)
97.14% | Implemented - Core | Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
94.45% | Implemented - Core | Maintain backup and business continuity plans
91.43% | Implemented - Core | Maintain an information security policy
88.89% | Implemented - Core | Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties)
88.58% | Implemented - Elective | Attend/participate in privacy conferences, industry associations, or think-tank events
87.81% | Implemented - Core | Consult with stakeholders throughout the organization on data privacy matters
87.5% | Implemented - Core | Maintain a data privacy policy
86.12% | Implemented - Core | Maintain procedures to update security profile based on system updates and bug fixes
86.11% | Implemented - Core | Maintain human resource security measures (e.g. pre-screening, performance appraisals)
83.34% | Implemented - Core | Maintain a data privacy notice that details the organization’s personal data handling policies
83.34% | Implemented - Core | Conduct regular testing of data security posture
82.93% | Implemented - Core | Assign accountability for data privacy at a senior level
82.93% | Implemented - Elective | Maintain a Code of Conduct
82.85% | Implemented - Elective | Conduct ongoing research on developments in law
80.49% | Implemented - Core | Assign responsibility for data privacy
80.49% | Implemented - Core | Require employees to acknowledge and agree to adhere to the data privacy policies
80% | Implemented - Core | Maintain an acceptable use of information resources policy
80% | Implemented - Core | Maintain a core training program for all employees
80% | Implemented - Core | Maintain procedures to respond to access requests
77.78% | Implemented - Core | Maintain escalation procedures for serious complaints or complex access requests
77.15% | Desired | Maintain subscription to compliance reporting service/law firm updates to stay informed on new developments
77.15% | Implemented - Elective | Seek legal opinions regarding recent developments in law
77.14% | Implemented - Core | Provide data privacy notice at all points where personal data is collected
77.14% | Implemented - Core | Maintain procedures to address complaints

Status legend:
N/A: Not desired, required, applicable or justified based on privacy risk and business priorities.
Desired: Privacy office could anticipate or wish to implement if no resource constraints.
Planned: In progress or scheduled to be implemented in the next 12 months.
Implemented: Implemented and either Core (fundamental to privacy management, mandatory) or Elective (advanced, optional, or beyond the minimum required).


About Nymity and Nymity Benchmarks

Nymity is a global research company specializing in accountability, risk, and compliance privacy solutions for the privacy office. A unique combination of a research and technology company, Nymity’s advanced technology delivers research analysis to organizations in all jurisdictions around the world. Awarded the Gartner Cool Vendor award in Risk Management, Privacy & Compliance and selected as a Global Hot 100 Company by the World Summit on Innovation and Entrepreneurship, Nymity empowers organizations to comply

Organizations continuously strive to compare and enhance their privacy program for ongoing effective privacy management. By empowering organizations to statistically baseline and compare their privacy program with others, Nymity Benchmarks provides superior insight into how the privacy management of one organization compares with the privacy management of another. Nymity Benchmarks is based on the Nymity Privacy Management Accountability Framework™


Your Implemented Privacy Management Activities Compared to Other Organizations

Your organization, as of September 9, 2014, has implemented 107 privacy management activities, as compared to an average of 83.1.

1. Maintain Governance Structure

Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain a privacy strategy | 68.29% | 14.63% | 14.63% | 2.44%
Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers) | 73.17% | 7.32% | 14.63% | 4.88%
Assign accountability for data privacy at a senior level | 82.93% | 7.32% | 9.76% | 0%
Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel) | 73.17% | 7.32% | 19.51% | 0%
Assign responsibility for data privacy | 80.49% | 9.76% | 7.32% | 2.44%
Conduct regular communication between individuals accountable and responsible for data privacy | 73.17% | 9.76% | 14.63% | 2.44%
Consult with stakeholders throughout the organization on data privacy matters | 87.81% | 7.32% | 4.88% | 0%
Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board) | 53.66% | 19.51% | 14.63% | 12.2%
Maintain a Code of Conduct | 82.93% | 2.44% | 9.76% | 4.88%
Maintain a strategy to align activities with legal requirements (e.g. address conflicts, differences in standards, creating rationalized rule sets) | 58.54% | 14.63% | 21.95% | 4.88%
Require employees to acknowledge and agree to adhere to the data privacy policies | 80.49% | 7.32% | 12.2% | 0%

2. Maintain Personal Data Inventory

Maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain an inventory of key personal data holdings (what personal data is held and where) | 41.03% | 25.64% | 33.33% | 0%
Classify personal data holdings by type (e.g. sensitive, confidential, public) | 58.98% | 15.38% | 23.08% | 2.56%
Obtain approval for data processing (where prior approval is required) | 61.54% | 2.56% | 10.26% | 25.64%
Register databases with data protection authority (where
Use Standard Contractual Clauses as a data transfer mechanism | 56.41% | 0% | 7.69% | 35.9%
Use Cross-Border Privacy Rules as a data transfer mechanism | 17.94% | 0% | 20.51% | 61.54%
Use the Safe Harbor framework as a data transfer mechanism | 51.28% | 0% | 7.69% | 41.03%
Use Data Protection Authority approval as a data transfer mechanism | 28.21% | 0% | 10.26% | 61.54%
Use adequacy or one of the derogations from adequacy (e.g. consent, performance of a contract, public interest) as a data transfer mechanism | 56.41% | 2.56% | 7.69% | 33.33%

3. Maintain Data Privacy Policy

Maintain a data privacy policy that meets legal requirements and addresses operational risk

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain a data privacy policy | 87.5% | 7.5% | 5% | 0%
Obtain board approval for data privacy policy | 61.54% | 0% | 10.26% | 28.21%
Document legal basis for processing personal data | 58.97% | 2.56% | 20.51% | 17.95%

4. Embed Data Privacy Into Operations

Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) | 65.79% | 10.53% | 10.53% | 13.16%
Maintain policies/procedures for maintaining data quality | 60.52% | 7.89% | 23.68% | 7.89%
*NEW* Maintain policies/procedures to review processing conducted wholly or partially by automated means | 15.63% | 3.13% | 53.13% | 28.13%
Maintain policies/procedures for secondary uses of personal data | 50% | 11.11% | 30.56% | 8.33%
Maintain policies/procedures for secure destruction of personal data | 71.05% | 15.79% | 10.53% | 2.63%
Integrate data privacy into use of cookies and tracking mechanisms | 52.63% | 15.79% | 26.32% | 5.26%
Integrate data privacy into records retention practices | 56.76% | 16.22% | 21.62% | 5.41%
Integrate data privacy into employee background check practices | 65.79% | 10.53% | 13.16% | 10.53%
Integrate data privacy into social media practices | 52.64% | 23.68% | 18.42% | 5.26%
Integrate data privacy into health & safety practices | 47.37% | 15.79% | 18.42% | 18.42%
Integrate data privacy into interactions with works councils | 42.1% | 5.26% | 5.26% | 47.37%
Integrate data privacy into practices for monitoring employees | 60.53% | 15.79% | 13.16% | 10.53%
Integrate data privacy into e-mail monitoring practices | 63.16% | 13.16% | 10.53% | 13.16%
Integrate data privacy into use of CCTV/video surveillance | 50% | 13.16% | 15.79% | 21.05%
Integrate data privacy into use of geo-location (tracking and or location) devices | 47.37% | 10.53% | 15.79% | 26.32%
Integrate data privacy into delegate access to employees' company e-mail accounts (e.g. vacation, LOA, termination) | 50% | 10.53% | 18.42% | 21.05%
Integrate data privacy into e-discovery practices | 47.37% | 5.26% | 21.05% | 26.32%
Integrate data privacy into conducting internal investigations | 57.89% | 10.53% | 21.05% | 10.53%
Integrate data privacy into practices for disclosure to and for law enforcement purposes | 57.89% | 7.89% | 18.42% | 15.79%
Integrate data privacy into customer/patient/citizen facing practices (e.g. retail sales, provision of healthcare, tax processing) | 57.89% | 5.26% | 13.16% | 23.68%
Integrate data privacy into back office/administrative procedures (e.g. facilities management) | 54.06% | 16.22% | 27.03% | 2.7%
Integrate data privacy into financial operations (e.g. credit, billing, processing transactions) | 71.05% | 5.26% | 13.16% | 10.53%
Integrate data privacy into research practices | 34.21% | 5.26% | 26.32% | 34.21%

5. Maintain Training and Awareness Program

Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain a core training program for all employees | 80% | 11.43% | 5.71% | 2.86%
Conduct training for newly appointed employees upon assignment to privacy-sensitive positions | 60% | 11.43% | 20% | 8.57%
Conduct regular refresher training to reflect new developments | 62.86% | 11.43% | 22.86% | 2.86%
Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training | 65.71% | 14.29% | 14.29% | 5.71%
Measure participation in data privacy training activities (e.g.
Deliver a privacy newsletter, or incorporate privacy into existing corporate communications | 40% | 17.14% | 31.43% | 11.43%
Maintain ongoing awareness material (e.g. posters, intranet, and videos) | 40% | 14.29% | 31.43% | 14.29%
Maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information | 58.33% | 16.67% | 19.44% | 5.56%
Provide data privacy information on system logon screens | 50% | 2.78% | 30.56% | 16.67%
Conduct one-off, one-time tactical training and communication dealing with specific, highly-relevant issues/topics | 66.67% | 11.11% | 19.44% | 2.78%
Provide ongoing education and training for the Privacy Office (e.g. conferences, webinars, guest speakers) | 72.22% | 8.33% | 13.89% | 5.56%

6. Manage Information Security Risk

Maintain an information security program based on legal requirements and ongoing risk assessments

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain an information security policy | 91.43% | 2.86% | 2.86% | 2.86%
Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) | 97.14% | 0% | 0% | 2.86%
Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media | 74.28% | 5.71% | 17.14% | 2.86%
Maintain an acceptable use of information resources policy | 80% | 11.43% | 5.71% | 2.86%
Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties) | 88.89% | 2.78% | 2.78% | 5.56%
Maintain a corporate security policy (protection of physical premises and hard assets) | 97.23% | 0% | 0% | 2.78%
Maintain human resource security measures (e.g. pre-screening, performance appraisals) | 86.11% | 5.56% | 5.56% | 2.78%
Maintain backup and business continuity plans | 94.45% | 2.78% | 0% | 2.78%
Maintain a data-loss prevention strategy | 63.89% | 16.67% | 16.67% | 2.78%
Maintain procedures to update security profile based on system updates and bug fixes | 86.12% | 5.56% | 2.78% | 5.56%
Conduct regular testing of data security posture | 83.34% | 2.78% | 11.11% | 2.78%
Maintain a security verification | 66.67% | 8.33% | 13.89% | 11.11%

7. Manage Third-Party Risk

Maintain contracts and agreements with third-parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates) | 75% | 16.67% | 8.33% | 0%
Maintain procedures to execute contracts or agreements with all processors | 66.67% | 22.22% | 8.33% | 2.78%
Conduct due diligence around the data privacy and security posture of potential vendors/processors | 72.22% | 16.67% | 5.56% | 5.56%
Maintain procedures to address instances of non-compliance with contracts and agreements | 42.86% | 17.14% | 34.29% | 5.71%
Review long-term contracts for new or evolving data protection risks | 30.55% | 19.44% | 38.89% | 11.11%

8. Maintain Notices

Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain a data privacy notice that details the organization’s personal data handling policies | 83.34% | 2.78% | 8.33% | 5.56%
Provide data privacy notice at all points where personal data is collected | 77.14% | 5.71% | 5.71% | 11.43%
Provide notice by means of on-location signage, posters | 38.89% | 5.56% | 8.33% | 47.22%
Provide notice in all forms, contracts and terms | 61.11% | 8.33% | 11.11% | 19.44%
Maintain a data privacy notice for employees (processing of employee personal data) | 52.77% | 2.78% | 27.78% | 16.67%
Provide data privacy education to individuals (e.g. preventing identity theft) | 44.44% | 5.56% | 30.56% | 19.44%

9. Maintain Procedures for Inquiries and Complaints

Maintain effective procedures for interactions with individuals about their personal data

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain procedures to address complaints | 77.14% | 5.71% | 11.43% | 5.71%
Maintain procedures to respond to access requests | 80% | 5.71% | 8.57% | 5.71%
Maintain procedures to respond to requests to update or revise personal data | 69.44% | 8.33% | 13.89% | 8.33%
Maintain procedures to respond to requests for information | 69.45% | 8.33% | 13.89% | 8.33%
Maintain escalation procedures for serious complaints or complex access requests | 77.78% | 5.56% | 11.11% | 5.56%
Maintain procedures to investigate root causes of data protection complaints | 69.45% | 8.33% | 16.67% | 5.56%
Maintain metrics for data protection complaints (e.g. number, root cause) | 58.33% | 11.11% | 25% | 5.56%

10. Monitor for New Operational Practices

Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

11. Maintain Data Privacy Breach Management Program

Maintain an effective data privacy incident and breach management program

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain a documented data privacy incident/breach response protocol | 62.86% | 22.86% | 11.43% | 2.86%
Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol | 60% | 20% | 14.29% | 5.71%
Maintain a breach incident log to track nature/type of all breaches | 71.43% | 8.57% | 14.29% | 5.71%
Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause) | 57.14% | 17.14% | 17.14% | 8.57%
Conduct periodic testing of breach protocol and document findings and changes made | 31.43% | 17.14% | 42.86% | 8.57%
Engage a forensic investigation team | 54.29% | 8.57% | 17.14% | 20%
Maintain a record preservation protocol to protect relevant log history | 48.57% | 14.29% | 20% | 17.14%

12. Monitor Data Handling Practices

Verify operational practices comply with the data privacy policy and operational policies and procedures

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches | 71.43% | 2.86% | 17.14% | 8.57%
Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit) | 60% | 8.57% | 20% | 11.43%
Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units) | 34.29% | 11.43% | 40% | 14.29%
Conduct ad-hoc walk-throughs | 42.86% | 0% | 25.71% | 31.43%
Maintain privacy program metrics | 45.72% | 20% | 31.43% | 2.86%

13. Track External Criteria

Track new compliance requirements, expectations, and best practices

Status of All Organizations
Your Implemented Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Conduct ongoing research on developments in law | 82.85% | 0% | 11.43% | 5.71%
Attend/participate in privacy conferences, industry associations, or think-tank events | 88.58% | 2.86% | 5.71% | 2.86%
Record/report on the tracking of new Rule Sources or amendments to Rule Sources | 60% | 0% | 22.86% | 17.14%
Seek legal opinions regarding recent developments in law | 77.15% | 0% | 8.57% | 14.29%
Document that new requirements have been implemented (also document where a decision is made to not implement any changes, including reason)


Your Planned Privacy Management Activities Compared to Other Organizations

Your organization, as of September 9, 2014, has planned 7 privacy management activities, as compared to an average of 16.6.

1. Maintain Governance Structure

Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

2. Maintain Personal Data Inventory

Maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

3. Maintain Data Privacy Policy

Maintain a data privacy policy that meets legal requirements and addresses operational risk

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

4. Embed Data Privacy Into Operations

Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

5. Maintain Training and Awareness Program

Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

6. Manage Information Security Risk

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

7. Manage Third-Party Risk

Maintain contracts and agreements with third-parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

8. Maintain Notices

Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

9. Maintain Procedures for Inquiries and Complaints

Maintain effective procedures for interactions with individuals about their personal data

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

10. Monitor for New Operational Practices

Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain a Privacy by Design framework for all system and product development | 37.15% | 17.14% | 42.86% | 2.86%
Maintain PIA guidelines and templates | 48.57% | 20% | 25.71% | 5.71%
Conduct PIAs for new programs, systems, processes | 57.14% | 20% | 17.14% | 5.71%
Maintain a procedure to address data protection issues identified during PIAs | 42.85% | 22.86% | 25.71% | 8.57%
Maintain a product sign-off procedure that involves the Privacy Office | 34.28% | 20% | 31.43% | 14.29%
Maintain a product life cycle process to address privacy impacts of changes to existing programs, systems, or processes | 25.71% | 22.86% | 42.86% | 8.57%
Maintain metrics for PIAs (e.g. number completed, turnaround


11. Maintain Data Privacy Breach Management Program

Maintain an effective data privacy incident and breach management program

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

12. Monitor Data Handling Practices

Verify operational practices comply with the data privacy policy and operational policies and procedures

Status of All Organizations
Your Planned Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

13. Track External Criteria

Track new compliance requirements, expectations, and best practices

Status of All Organizations


Your Desired Privacy Management Activities Compared to Other Organizations

Your organization, as of September 9, 2014, has desired 25 privacy management activities, as compared to an average of 29.7.

1. Maintain Governance Structure

Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Conduct a Privacy Risk Assessment | 66.66% | 19.05% | 14.29% | 0%
Maintain a privacy program charter/mission statement | 65.85% | 9.76% | 21.95% | 2.44%
Integrate data privacy into business risk assessments/reporting | 51.22% | 12.2% | 36.59% | 0%
Maintain ethics guidelines | 75.61% | 2.44% | 17.07% | 4.88%

2. Maintain Personal Data Inventory

Maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain flow charts for key data flows (e.g. between systems, between processes, between countries) | 23.08% | 23.08% | 53.85% | 0%
Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities) | 41.02% | 7.69% | 30.77% | 20.51%

3. Maintain Data Privacy Policy

Maintain a data privacy policy that meets legal requirements and addresses operational risk

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain a separate employee data privacy policy | 58.98% | 7.69% | 20.51% | 12.82%
Document guiding principles for consent | 53.85% | 10.26% | 20.51% | 15.38%

4. Embed Data Privacy Into Operations

Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain policies/procedures for pseudonymization/anonymization of personal data | 26.32% | 13.16% | 42.11% | 18.42%
Maintain policies/procedures for collecting consent preferences | 52.63% | 10.53% | 23.68% | 13.16%

5. Maintain Training and Awareness Program

Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Conduct data privacy training needs analysis by position/job responsibilities | 34.29% | 25.71% | 34.29% | 5.71%
Maintain a second level training program reflecting job specific content | 40% | 14.29% | 40% | 5.71%
Require completion of data privacy training as part of performance reviews | 20% | 2.86% | 57.14% | 20%
Hold an annual data privacy day/week | 30.56% | 13.89% | 33.33% | 22.22%
Measure comprehension of data privacy concepts using exams | 44.44% | 8.33% | 22.22% | 25%
Maintain certification for individuals responsible for data privacy, including continuing professional education | 61.11% | 5.56% | 22.22% | 11.11%

6. Manage Information Security Risk

Maintain an information security program based on legal requirements and ongoing risk assessments

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Conduct a security risk assessment which considers data privacy risk | 65.71% | 14.29% | 17.14% | 2.86%

7. Manage Third-Party Risk

Maintain contracts and agreements with third-parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain a vendor data privacy risk assessment process | 41.67% | 22.22% | 30.56% | 5.56%
Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment


8. Maintain Notices

Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain a privacy Seal or Trustmark to increase customer trust | 16.66% | 2.78% | 33.33% | 47.22%

9. Maintain Procedures for Inquiries and Complaints

Maintain effective procedures for interactions with individuals about their personal data

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

10. Monitor for New Operational Practices

Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)

11. Maintain Data Privacy Breach Management Program

Maintain an effective data privacy incident and breach management program

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Obtain data privacy breach insurance coverage | 32.35% | 5.88% | 23.53% | 38.24%

12. Monitor Data Handling Practices

Verify operational practices comply with the data privacy policy and operational policies and procedures

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Conduct assessments through use of an accountability agent or third-party verification | 20% | 5.71% | 51.43% | 22.86%

13. Track External Criteria

Status of All Organizations
Your Desired Privacy Management Activities | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
Maintain subscription to compliance reporting service/law firm updates to stay informed on new developments | 77.15% | 2.86% | 17.14% | 2.86%
Maintain records or evidence that alerts are read and actions are taken (e.g. read daily and forwarded to key individuals as required) | 31.42% | 2.86% | 28.57% | 37.14%
Review or participate in studies related to best practices in
