HECVAT Category
Privacy Policies and Procedures
Privacy Policies and Procedures covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Do you have a documented privacy management process?
A documented privacy management process is what reviewers are looking for here, formalizing how your organization handles privacy matters. A privacy management process is a structured approach to handling personal data throughout its lifecycle within your organization.
Are privacy principles designed into the product lifecycle (i.e., privacy-by-design)?
Privacy-by-design is what's being verified here: whether privacy principles are engineered into the product lifecycle from the outset rather than bolted on later. 'Privacy-by-design' is a framework developed by Ann Cavoukian (former Information and Privacy Commissioner of Ontario) that emphasizes proactive rather than reactive measures for protecting privacy.
Will you comply with applicable breach notification laws?
Breach notification compliance is what reviewers want assurance on: whether you will follow the applicable laws requiring affected parties be told when a breach occurs. Breach notification laws exist at various levels (state, federal, international) and typically mandate that organizations inform affected individuals, regulatory bodies, and sometimes the public when personal data has been compromised.
Will you comply with the institution's policies regarding user privacy and data protection?
Alignment with the institution's own rules is the focus, specifically whether you will comply with their policies on user privacy and data protection.
Is your company subject to the laws and regulations of the institution's geographic region?
Jurisdictional reach is the concern, namely whether your company is subject to the laws and regulations of the geographic region where the institution operates.
Do you have a privacy awareness/training program?
Privacy awareness is what's being assessed here, namely whether you run a formal program that trains staff on privacy principles, regulations, and good practice. A privacy awareness/training program is distinct from general security training and focuses specifically on how to properly handle, process, and protect personal and sensitive data.
Is privacy awareness training mandatory for all employees?
Reviewers want assurance that privacy awareness training is mandatory for every employee, not optional or limited to certain teams. Privacy awareness training is distinct from general security training and focuses on topics like handling personal data, understanding privacy regulations (such as GDPR, CCPA, HIPAA), recognizing privacy risks, and following proper procedures for data collection, storage, and sharing.
Is AI privacy and ethics awareness/training required for all employees who work with AI?
AI-specific training is what reviewers want to verify, namely whether privacy and ethics awareness is required for every employee who works with AI systems.
Do you have any decision-making processes that are completely automated (i.e., there is no human involvement)?
Automated decision-making is the focus: this asks whether you operate any decision processes that run entirely without human involvement in reviewing or approving the outcome. Automated decision-making refers to situations where algorithms, AI, or other automated systems make decisions without human oversight that could impact users, customers, or data subjects.
Do you have a documented process for managing automated processing, including validations, monitoring, and data subject requests?
Automated processing governance is the subject: assessors want a documented process covering validations, monitoring, and data subject requests. Automated processing refers to any operations performed on personal data by automated means without human intervention, such as algorithmic decision-making, automated profiling, or batch processing of data.
Do you have a documented policy for sharing information with law enforcement?
Law enforcement requests are the subject: whether you maintain a written policy governing how you respond when police or government investigators ask for information.
Do you share any institutional data with law enforcement without a valid warrant or subpoena?
Lawful disclosure is the concern, specifically whether you ever share institutional data with law enforcement absent a valid warrant or subpoena.
Does your incident response team include a privacy analyst/officer?
Privacy representation in incident response is the focus, specifically whether your incident response team includes a dedicated privacy analyst or officer.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

