PCOM-02

Use this area to share information about your privacy practices that will assist those who are assessing your company data privacy program.

Explanation

This question is asking you to provide additional information about your organization's privacy practices that might not be covered by other HECVAT questions. It's essentially an open-ended opportunity to share details about your privacy program that demonstrate your commitment to protecting personal data.

Why it's being asked: Privacy assessors need a comprehensive understanding of your privacy practices to evaluate whether your solution appropriately protects sensitive information. This question allows you to highlight privacy strengths, explain unique approaches, or address potential concerns that might arise during the assessment. The question is important because privacy compliance is increasingly critical due to regulations like GDPR, CCPA, HIPAA, and others. Higher education institutions must ensure their vendors handle personal data responsibly and in compliance with applicable laws.

To best answer this question:

1. Provide an overview of your privacy program's key components
2. Highlight any privacy frameworks or standards you follow
3. Describe privacy-by-design practices in your development process
4. Mention any privacy certifications or assessments you've completed
5. Explain how you handle data subject rights requests
6. Describe your approach to data minimization and retention
7. Include information about privacy training for employees
8. Mention any privacy-enhancing technologies you implement

Guidance

Share any additional details that would help data privacy analysts assess your solution.

Example Responses

Example Response 1

Our privacy program is built on the principles of transparency, purpose limitation, and data minimization. We maintain a comprehensive privacy policy that clearly explains what data we collect, how we use it, and with whom we share it. Our privacy team, led by our Chief Privacy Officer, conducts Privacy Impact Assessments (PIAs) for all new features and products. We follow a privacy-by-design approach, incorporating privacy considerations from the earliest stages of development. Our solution has been certified under ISO 27701 for privacy information management, and we complete annual SOC 2 Type II audits that include privacy criteria. We maintain a data inventory that tracks all personal data flows and have implemented automated processes to handle data subject access requests within 30 days. All employees complete mandatory privacy training annually, with role-specific training for those handling sensitive data. We employ encryption for data in transit and at rest, and use pseudonymization techniques where appropriate to enhance privacy protections.

Example Response 2

Our organization takes a risk-based approach to privacy, focusing resources on protecting the most sensitive data elements. We've implemented a comprehensive Data Protection Impact Assessment (DPIA) process that evaluates privacy risks for all new data processing activities. Our privacy program is aligned with the NIST Privacy Framework, and we've mapped our controls to both GDPR and CCPA requirements to ensure compliance across jurisdictions. We employ data loss prevention (DLP) tools to prevent unauthorized transmission of sensitive information and have implemented strict access controls based on the principle of least privilege. Our data retention policies ensure we only keep personal data as long as necessary for the stated purpose, after which it is securely deleted or anonymized. We conduct quarterly privacy reviews of our systems and third-party integrations to identify and remediate potential privacy risks. Additionally, we've implemented a privacy preference center that allows individuals to easily exercise their rights regarding their personal data, including access, correction, deletion, and portability requests.

Example Response 3

We are currently in the process of developing a formal privacy program. While we do have a privacy policy posted on our website, we have not yet implemented a comprehensive privacy management framework. We handle privacy requests on a case-by-case basis rather than through a formalized process. Our development team considers privacy requirements during implementation, but we do not yet have a documented privacy-by-design methodology. We recognize this as an area for improvement and have engaged a privacy consultant to help us develop a more structured approach. Over the next six months, we plan to implement a formal privacy impact assessment process, develop data inventories, and establish clear procedures for handling data subject requests. We are also planning to provide privacy training to all employees by the end of the year. In the meantime, we do encrypt sensitive data and implement access controls to limit exposure of personal information to only those employees who need it to perform their job functions.

Context

Tab: Privacy
Category: General Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub