Have you had any violations of your internal privacy policies or violations of applicable privacy law in the past 36 months?
Explanation
A track record on privacy is what's being examined here, namely whether you have had any breaches of internal privacy policies or applicable privacy laws in the past 36 months.
Why it's being asked:
- To assess your organization's track record in protecting personal data
- To evaluate potential risk to the assessing organization if they share data with you
- To understand if you have a history of non-compliance that might indicate systemic issues
- To determine if you've had recent incidents that might still pose ongoing risks
The 36-month timeframe is significant because it's long enough to establish a pattern of behavior but recent enough to be relevant to current operations. Privacy violations can include data breaches, improper data sharing, failure to obtain proper consent, inadequate security measures for personal data, or non-compliance with data subject rights requests.
How to best answer:
- Be honest and transparent about any violations
- If violations occurred, briefly explain the nature of the incident, remediation steps taken, and measures implemented to prevent recurrence
- If no violations occurred, a simple statement confirming this is sufficient
- If you're unsure, consult with your legal and privacy teams before responding
Remember that many organizations have experienced some form of privacy incident, and what matters most is how you responded and what you learned from it.
Example Responses
Example Response 1
No, we have not experienced any violations of our internal privacy policies or applicable privacy laws in the past 36 months Our organization maintains a robust privacy compliance program that includes regular audits, employee training, and continuous monitoring We conduct quarterly privacy impact assessments and have implemented technical controls to enforce our privacy policies All potential privacy incidents are thoroughly investigated by our privacy team, and none have resulted in policy or legal violations during this period.
Example Response 2
Yes, we experienced one violation of applicable privacy law 24 months ago In January 2022, we discovered that one of our marketing systems was collecting geolocation data without proper consent notifications as required by GDPR The issue affected approximately 5,000 European users over a 2-week period Upon discovery, we immediately disabled the geolocation feature, notified affected users, deleted the improperly collected data, and self-reported to the relevant data protection authority We were issued a warning but no financial penalty Following this incident, we implemented a more rigorous privacy review process for all new features and conducted additional privacy training for our development and marketing teams We have had no subsequent violations.
Example Response 3
We are unable to definitively confirm whether any violations of privacy policies or laws have occurred in the past 36 months Our company was acquired 18 months ago, and the previous management did not maintain comprehensive privacy compliance records Since the acquisition, we have implemented a formal privacy program with clear policies, regular audits, and staff training We have not identified any violations during our tenure, but cannot speak with certainty about the entire 36-month period We are currently conducting a retrospective privacy assessment to identify any potential historical issues and will remediate any findings accordingly.
Context
- Tab
- Privacy
- Category
- General Privacy
Related questions
- Does your solution process FERPA-related data?
- Does your solution process GDPR-related or PIPL-related data?
- Does your solution process personal data regulated by state law(s) (e.g., CCPA)?
- Does your solution process user-provided data that may contain regulated information?
- Web Link to Product/Service Privacy Notice
- Have you had a personal data breach in the past three years that involved reporting to a governmental agency, notice to individuals (including voluntary notice), or notice to another organization or institution?

