DOCU-06

Does your organization have a data privacy policy?

Explanation

This question is asking whether your organization has a formal, documented policy that specifically addresses data privacy. A data privacy policy outlines how an organization collects, uses, stores, shares, and protects personal and sensitive information. It defines the organization's commitment to privacy principles, compliance with relevant regulations (like GDPR, CCPA, HIPAA), and the rights of individuals whose data you process.

Why it's being asked in a security assessment:

1. Regulatory compliance: Many regulations require organizations to have formal privacy policies
2. Risk management: A privacy policy demonstrates that you've thought through how to handle sensitive data
3. Transparency: It shows you're transparent with users/customers about data practices
4. Governance: It indicates you have governance structures around data handling

How to best answer it:

- Be truthful about whether you have a formal policy document
- If you have one, briefly describe its scope and when it was last updated
- Mention if it's publicly available and where (e.g., website)
- Note any specific regulations it addresses
- If you don't have one but have related policies or are developing one, explain that

Remember that having a policy is just the first step - the assessor may follow up with questions about how the policy is implemented and enforced.

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive data privacy policy that was last updated in March 2023. The policy covers how we collect, process, store, share, and protect personal data in compliance with GDPR, CCPA, and other applicable privacy regulations. It defines roles and responsibilities, outlines data subject rights procedures, and includes our data retention schedules. The policy is reviewed annually by our legal and compliance teams, and all employees receive training on it during onboarding and annually thereafter. Our privacy policy is publicly available on our website at example.com/privacy, and we maintain a more detailed internal version that includes implementation procedures for staff.

Example Response 2

Yes, we implemented our formal data privacy policy in January 2022 as part of our SOC 2 compliance initiative. The policy addresses data classification, handling requirements for PII and other sensitive information, consent management, data subject access requests, breach notification procedures, and third-party data sharing protocols. Our Chief Privacy Officer is responsible for maintaining this policy, which is reviewed semi-annually and updated as needed. While we don't make the full internal policy public, we publish a customer-facing privacy notice that summarizes our practices at our.product.com/legal/privacy.

Example Response 3

No, we currently do not have a formal, standalone data privacy policy. We do address some privacy-related matters in our general information security policy and in our employee handbook, but these don't comprehensively cover all aspects of data privacy. We recognize this gap in our documentation and have initiated a project to develop a dedicated privacy policy. We've engaged a privacy consultant to help us draft this policy, with an expected completion date of Q3 this year. In the interim, we follow industry best practices for data protection and comply with privacy regulations on a case-by-case basis.

Context

Tab: Organization
Category: Documentation

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub