PCHG-01

Does your change management process include privacy review and approval?

Explanation

This question is asking whether your organization's change management process includes a specific step for reviewing and approving changes from a privacy perspective. Change management is the process that governs how modifications to systems, applications, or infrastructure are proposed, evaluated, approved, implemented, and reviewed. The question is specifically concerned with whether privacy considerations are formally integrated into this process.

Why this matters in a security assessment:

1. Privacy regulations (like GDPR, CCPA, HIPAA) require organizations to protect personal data
2. Changes to systems might inadvertently create privacy risks if not properly reviewed
3. A formal privacy review ensures that data collection, processing, storage, and sharing practices remain compliant with regulations and organizational policies
4. It demonstrates a mature approach to both security and privacy governance

A good answer should describe:

- Who conducts privacy reviews (e.g., Privacy Officer, Legal team, dedicated committee)
- At what stage(s) of the change process privacy reviews occur
- What the privacy review evaluates (e.g., data flows, consent mechanisms, retention policies)
- How privacy approval is documented
- How privacy-related concerns might block or modify a proposed change

This question helps assessors understand if your organization treats privacy as a fundamental requirement rather than an afterthought.

Guidance

The change management process should minimize disruption and maximize the benefit of each change, and it should include a privacy review step.

Example Responses

Example Response 1

Yes, our change management process includes mandatory privacy review and approval. All proposed changes are submitted through our change management system, which automatically routes changes involving customer data or authentication systems to our Privacy Office. The Privacy Office evaluates each change for compliance with applicable regulations, privacy impact, data minimization principles, and alignment with our privacy policies. They document their assessment in the change ticket, including any required modifications or compensating controls. No change involving personal data can proceed to implementation without explicit Privacy Office approval, which is recorded in the change management system. We also conduct quarterly audits of implemented changes to verify that privacy requirements were properly addressed.

Example Response 2

Yes, privacy review is integrated into our change management process. We use a risk-based approach where our Change Advisory Board (CAB) includes a designated Privacy Champion who evaluates all changes for potential privacy implications. Changes that involve personal data collection, processing, or storage trigger a formal Privacy Impact Assessment (PIA), conducted by our legal and compliance team. The PIA evaluates regulatory compliance, data protection measures, user consent mechanisms, and data lifecycle considerations. Results are documented in our change management tool, and any privacy concerns must be remediated before the change can be approved. For major system changes, our Data Protection Officer provides final sign-off, ensuring executive visibility into privacy decisions.

Example Response 3

No, our current change management process does not include a formal privacy review and approval step. While we do have a technical security review for all changes, we recognize this is a gap in our process. Currently, privacy considerations are addressed informally by development teams and product managers, but we lack standardized criteria and documentation for privacy reviews. We are planning to implement a formal privacy review component in our change management process in the next quarter, which will include designating privacy reviewers, establishing review criteria based on relevant regulations, and adding privacy approval as a required gate in our change workflow. In the interim, our security team is providing basic privacy guidance during their reviews.

Context

Tab: Privacy
Category: Privacy Change Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub