HECVAT Category
Data Privacy
The Data Privacy category covers the controls and questions related to that domain. It outlines the expectations institutions typically place on vendors, helps assess a vendor's risk posture and operational maturity, and gives security reviews a consistent structure for evaluation.
Assessment Questions
Have you performed a Data Privacy Impact Assessment for the solution/project?
A Data Privacy Impact Assessment (DPIA) is a structured process to identify and minimize privacy risks in projects that involve personal data processing. This question is asking whether your organization has conducted a formal assessment of how your solution or project might impact individuals' privacy rights.
Do you provide an end-user privacy notice about privacy policies and procedures that identify the purpose(s) for which personal information is collected, used, retained, and disclosed?
This question is asking whether your organization provides a clear privacy notice to end-users that explains how you collect, use, store, and share their personal information.
Do you describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information?
This question is asking whether your organization provides clear information to individuals about how their personal information will be collected, used, and shared, and whether you obtain their consent before doing so.
Do you collect personal information only for the purpose(s) identified in the agreement with an institution or, if there is none, the purpose(s) identified in the privacy notice?
This question is asking whether your organization limits its collection of personal information to only what is necessary for the specific purposes that have been formally agreed upon with the institution or disclosed in your privacy notice.
Do you have a documented list of personal data your service maintains?
This question is asking whether your organization maintains a documented inventory of all personal data that your service collects, processes, or stores. Personal data (also called personally identifiable information or PII) includes any information that can identify an individual, such as names, email addresses, phone numbers, IP addresses, location data, financial information, health information, etc.
Do you retain personal information for only as long as necessary to fulfill the stated purpose(s) or as required by law or regulation and thereafter appropriately dispose of such information?
This question is asking about your data retention policies and practices for personal information. It's specifically concerned with whether you:
Do you provide individuals with access to their personal information for review and update (i.e., data subject rights)?
This question is asking whether your organization has mechanisms in place that allow individuals (data subjects) to access, review, and update their personal information that you collect and store. This is a fundamental data privacy right often referred to as 'data subject rights' or 'individual rights'.
Do you disclose personal information to third parties only for the purpose(s) identified in the privacy notice or with the implicit or explicit consent of the individual?
This question is asking whether your organization limits the disclosure of personal information to third parties only to situations where:
Do you protect personal information against unauthorized access (both physical and logical)?
This question is asking whether your organization has implemented measures to protect personal information (PI) from unauthorized access, both physically (e.g., facility access controls) and logically (e.g., system access controls).
Do you maintain accurate, complete, and relevant personal information for the purposes identified in the privacy notice?
This question is asking whether your organization maintains personal information in a way that aligns with data minimization and accuracy principles, which are core to privacy regulations like GDPR and CCPA.
Do you have procedures to address privacy-related noncompliance complaints and disputes?
This question is asking whether your organization has established procedures for handling complaints and disputes related to privacy violations or non-compliance with privacy policies and regulations.
Do you "anonymize," "de-identify," or otherwise mask personal data?
This question is asking whether your organization takes steps to protect personal data by removing or obscuring identifying information.
Do you or your subprocessors use or disclose "anonymized," "de-identified," or otherwise masked data for any purpose other than those identified in the agreement with an institution (e.g., sharing with ad networks or data brokers, marketing, creation of profiles, analytics unrelated to services provided to institution)?
This question is asking whether your organization or any subprocessors (third parties you work with) use data that has been stripped of identifying information ('anonymized' or 'de-identified') for purposes beyond what was explicitly agreed upon with the institution.
Do you certify stop-processing requests, including any data that is processed by a third party on your behalf?
This question is asking whether your organization has a formal process to honor 'stop-processing requests' from individuals regarding their personal data, including when that data is handled by third parties working on your behalf.
Do you have a process to review code for ethical considerations?
This question is asking whether your organization has a formal process to review code for ethical considerations before it is deployed or released. Ethical code review goes beyond checking for security vulnerabilities or bugs; it examines whether the code's functionality, algorithms, data handling, and decision-making processes align with ethical principles and values.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.