Does your organization have a data privacy policy?
Explanation
Reviewers want to see a formal, documented policy that speaks specifically to data privacy rather than general security. A data privacy policy outlines how an organization collects, uses, stores, shares, and protects personal and sensitive information. It defines the organization's commitment to privacy principles, compliance with relevant regulations (like GDPR, CCPA, HIPAA), and the rights of individuals whose data you process.
Why it's being asked in a security assessment:
- Regulatory compliance: Many regulations require organizations to have formal privacy policies
- Risk management: A privacy policy demonstrates that you've thought through how to handle sensitive data
- Transparency: It shows you're transparent with users/customers about data practices
- Governance: It indicates you have governance structures around data handling
How to best answer it:
- Be truthful about whether you have a formal policy document
- If you have one, briefly describe its scope and when it was last updated
- Mention if it's publicly available and where (e.g., website)
- Note any specific regulations it addresses
- If you don't have one but have related policies or are developing one, explain that
Remember that having a policy is just the first step - the assessor may follow up with questions about how the policy is implemented and enforced.
Example Responses
Example Response 1
Yes, our organization maintains a comprehensive data privacy policy that was last updated in March 2023 The policy covers how we collect, process, store, share, and protect personal data in compliance with GDPR, CCPA, and other applicable privacy regulations It defines roles and responsibilities, outlines data subject rights procedures, and includes our data retention schedules The policy is reviewed annually by our legal and compliance teams, and all employees receive training on it during onboarding and annually thereafter Our privacy policy is publicly available on our website at example.com/privacy, and we maintain a more detailed internal version that includes implementation procedures for staff.
Example Response 2
Yes, we implemented our formal data privacy policy in January 2022 as part of our SOC 2 compliance initiative The policy addresses data classification, handling requirements for PII and other sensitive information, consent management, data subject access requests, breach notification procedures, and third-party data sharing protocols Our Chief Privacy Officer is responsible for maintaining this policy, which is reviewed semi-annually and updated as needed While we don't make the full internal policy public, we publish a customer-facing privacy notice that summarizes our practices at our.product.com/legal/privacy.
Example Response 3
No, we currently do not have a formal, standalone data privacy policy We do address some privacy-related matters in our general information security policy and in our employee handbook, but these don't comprehensively cover all aspects of data privacy We recognize this gap in our documentation and have initiated a project to develop a dedicated privacy policy We've engaged a privacy consultant to help us draft this policy, with an expected completion date of Q3 this year In the interim, we follow industry best practices for data protection and comply with privacy regulations on a case-by-case basis.
Context
- Tab
- Organization
- Category
- Documentation
Related questions
- Do you have a well-documented business continuity plan (BCP), with a clear owner, that is tested annually?
- Do you have a well-documented disaster recovery plan (DRP), with a clear owner, that is tested annually?
- Have you undergone a SSAE 18/SOC 2 audit?
- Do you conform with a specific industry standard security framework (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)?
- Can you provide overall system and/or application architecture diagrams, including a full description of the data flow for all components of the system?
- Do you have a documented, and currently implemented, employee onboarding and offboarding policy?

