TRUSTe GDPR Readiness Privacy Assessment Sample

About the Assessment: This high-level readiness assessment is designed to help companies understand the core obligations of the European Union's General Data Protection Regulation (GDPR), and determine which business processes they will need to review and implement in preparation for the GDPR. This version of the Assessment is based on the final version of the GDPR which was formally adopted by Parliament on April 14, 2016. The GDPR is scheduled to take effect in Spring 2018.

Note - This sample contains one section of the full TRUSTe GDPR Readiness assessment. To access the full 70+ question template, or find out about our other privacy assessment templates, contact your TRUSTe Representative.
Columns: Q# | Question | Possible Responses | Compliant Response | Remediation Recommendation
Section 1 - Transparency
Review general and specific Privacy Notices to ensure the following information is provided to individuals in advance of collecting personal information from them.
A Privacy Notice is a comprehensive, outward-facing statement explaining the organization's privacy policies and practices.
1. Are individuals provided with a Privacy Notice explaining the organization's internal Privacy Policy and practices?
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation: Provide a Privacy Notice prominently and conspicuously on the website, mobile application, or online service. The Privacy Notice should be clearly labeled and placed in an area of the organization's website or service that is easily accessible and intuitive, usually the homepage. The Privacy Notice should be written in plain language so that it is easily understandable by individuals and should explain the organization's policies and procedures around collecting, using, and disclosing individuals' personal information, as well as processes and procedures for requesting access to collected personal information or to submit a privacy-related complaint.
2. Does the Privacy Notice include the identity of and contact information for the controller or the controller's representative, as well as the contact details of the data protection officer (if any)?
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation: Include in the Privacy Notice the identity of and contact information for the controller or the controller's representative, as well as the contact details of the data protection officer (if any).
3. Does the Privacy Notice describe the types of personal information, including sensitive information, collected from individuals? Where individuals' personal information is processed based on their consent, explain the types of personal information collected and processed. Where processing is based on a legitimate legal interest or the information processed relates to a third party, the types of information collected and processed do not need to be included in the notice.
   Possible Responses: Yes / No / N/A, this assessment does not relate to information processed based on individuals' consent
   Compliant Response: Yes
   Remediation Recommendation: Where necessary, explain in the Privacy Notice what types of personal information are collected from or about individuals. In a plain, straightforward manner:
   - Describe how personal information is collected from or about individuals;
   - Describe the types of personal information collected from or about individuals, including sensitive information;
   - If personal information is collected on the organization's website or online service through passive technologies such as cookies or web beacons, clearly describe the collection methods and what personal information is collected through those mechanisms;
   - Be reasonably specific in describing the kind of personal information collected;
   - Explain whether personal information is appended with information obtained from third-party sources, and, if so, the types of information being appended and the purpose for appending collected information;
   - At a minimum, list the categories of personal information the organization collects from individuals.

4. Does the Privacy Notice describe the purposes for which collected personal information, including sensitive information, will be used?
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation: Explain in the Privacy Notice the purpose for collecting personal information, including sensitive information, from individuals. The Notice should include a description of how personal and/or sensitive information collected from individuals will be used, including whether individuals' personal information will be disclosed to third parties and a description of communications or other contact an individual may receive by providing their personal information. Disclosures of consumer privacy and sharing practices are key in building trust in an organization. An organization's Privacy Notice that explains to individuals and visitors how it uses and shares their personal information helps achieve transparency and build user trust.

5. Does the Privacy Notice describe the circumstances under which personal information is disclosed or shared with third parties, including service providers, and the purpose for those disclosures?
   Possible Responses: Yes / No / N/A, we do not share or otherwise disclose individuals' personal information to third parties
   Compliant Response: No
   Remediation Recommendation: The Privacy Notice should:
   - Explain whether and when an individual's personal information may be disclosed to third parties;
   - Explain practices regarding the sharing of personal information with other entities, including affiliates and marketing partners;
   - Explain the purposes for disclosing individuals' personal information.
6. Does the Privacy Notice include a description of the categories or types of third parties to whom personal information is disclosed or shared?
   Possible Responses: Yes / No / N/A, we do not share or otherwise disclose individuals' personal information to third parties
   Compliant Response: No
   Remediation Recommendation: At a minimum, list the different types or categories of companies with whom individuals' personal information will be shared in the Privacy Notice. Whenever possible, provide a link to the Privacy Notices of third parties with whom individuals' personal information will be shared.

7. Are individuals informed that their personal information will be transferred to a third country or international organization and whether there is a legitimate transfer mechanism in place? Common transfer mechanisms include an adequacy decision by the Commission regarding the recipient of the transfer, Binding Corporate Rules, Model Contract Clauses, an approved Code of Conduct, or an approved certification mechanism.
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation: Inform individuals that their personal information will be transferred to a third country or international organization and explain whether there is a legitimate transfer mechanism regarding the recipient of that transfer, such as an adequacy decision by the Commission regarding the recipient of the transfer, Binding Corporate Rules, Model Contract Clauses, an approved Code of Conduct, or an approved certification mechanism.

8. Does the Privacy Notice describe the method for individuals to exercise choice and update their preferences regarding how their personal information will be used, including whether and to whom it is disclosed?
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation: The Privacy Notice should describe choices available to individuals about how their personal information is used, including any choice programs whereby an individual may indicate preferences about whether their personal information is disclosed to third parties and preferences regarding the frequency, subject matter, and/or format of communications.
A Privacy Notice is "conspicuous" when it is easily recognizable and accessible. Below are some additional recommendations on how to make the Privacy Notice easily accessible and distinguishable through an online service.
9. Is the Privacy Notice easily accessible at the time the individual first interacts with the product or service (e.g., accessible via website homepage or app store listing)?
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation:
   Websites:
   - Make the link conspicuous by using type that is larger than the surrounding text, set in a contrasting color, or use symbols that call attention to it;
   - Put a conspicuous link to the Privacy Notice on the homepage and all pages that collect personal information from individuals;
   - Format the Privacy Notice so that it can be printed as a separate document.
   Mobile apps:
   - Provide a link to the Privacy Notice from the application's app store listing, so that the Notice is accessible prior to downloading and installing an application;
   - Provide a link to the Privacy Notice from within the application. Typically, a Privacy Notice can be found when accessing the app's settings.
10. Is the Privacy Notice easily distinguishable from other information (e.g., Terms of Service) the organization provides? Typically a Privacy Notice is made available through an organization's online service(s). Some organizations also make their privacy notices available in printed form.
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation: The Privacy Notice needs to be easily distinguishable from other types of notices the organization provides (e.g., Terms of Service). For example, a link to the Privacy Notice should contain the word "Privacy".

11. Is the Privacy Notice written in plain language so that it is easily understood by individuals?
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation: The Privacy Notice should be drafted in a clear and understandable format, using plain language so it is easily understood by individuals. To ensure readability, the Privacy Notice should:
   - Use plain, straightforward language, avoiding technical or legal jargon;
   - Use short sentences;
   - Use the active voice;
   - Use titles and headers to identify key parts of the Notice;
   - Use a format that makes the Notice readable, including on smaller screens (such as on a mobile device);
   - Utilize a layered notice format to highlight the most relevant privacy practices;
   - Use graphics or icons to help individuals easily find information on specific privacy practices and privacy settings.
12. Is the Privacy Notice available in all languages in which business is conducted?
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation: The Privacy Notice should appear in the language(s) in which the organization conducts business. For example, if the organization's services support English, French, and German, the Privacy Notice should be available in those languages.

13. If the organization seeks consent from individuals for the processing of their personal information within its Privacy Notice, is the request for consent conspicuous and set out from the rest of the text of the Privacy Notice (e.g., bold, highlighted, etc.)?
   Possible Responses: Yes / No / N/A, we do not seek consent from individuals within our Privacy Notice
   Compliant Response: Yes or N/A
   Remediation Recommendation: Where seeking consent from individuals to process their personal information within the Privacy Notice, ensure that the request is set out from the rest of the text of the Privacy Notice and is conspicuous and distinguishable from the rest of the Notice. For instance, set the text in bold, capital letters, or a contrasting or highlighted color to draw attention to that portion of the Notice.

14. Is there an immediately visible, clearly labeled, and accessible notice regarding the use of cookies and other passive technologies?
   Possible Responses: Yes / No
   Compliant Response: Yes
   Remediation Recommendation: Provide a conspicuous and immediately accessible Cookie Notice on the website or online service if cookies or other passive collection technologies are used.

15. In the event that individuals are not informed in advance of processing activities, are individuals provided specific information about how their information is processed within a reasonable time after the information has been collected and before the information is processed?
   Possible Responses: Yes / No / N/A, notice is provided prior to or at the time of personal information collection
   Compliant Response: Yes
   Remediation Recommendation: Provide individuals with specific information about their information processing within a reasonable time after collecting the information from them, not to exceed one month, or at the time of the first communication with the individual. Ensure that this information is communicated to individuals before their information is processed.
Section 2 - Collection and Purpose Limitation
Minimize the collection and use of information. Collect only information which is necessary or relevant to the purpose for collection. Use information only for the purposes or in the manners outlined in the Privacy Notice or for which the individual has otherwise consented.

Section 3 - Consent
Obtain consent from individuals for the collection or processing of their personal information.

Section 4 - Quality
Steps should be taken to ensure that the information collected from and held about individuals is up-to-date, complete, and accurate.

Section 5 - Privacy Program Management
Put in place a privacy program that documents the organization's privacy policies and procedures. Review the privacy program at regular, planned intervals to verify that the policies and protocols therein are still complete and relevant to your organization. Ensure that relevant parties (e.g., employees, subprocessors) are required to indicate in writing their agreement to the policies that apply to them.

Section 6 - Security for Privacy
Implement reasonable technical, administrative, and physical security measures to safeguard individuals' personal information.
Section 7 - Data Breach Readiness and Response
Organizations should have a documented incident response plan with procedures and templates to notify individuals and supervisory authorities.

Section 8 - Individual Rights
This section covers several rights belonging to the individual laid out in GDPR: access, data portability, erasure, and the right to object to certain types of processing.
Tired of managing assessments in a spreadsheet? Schedule a demo of TRUSTe Assessment Manager, an online, interactive system that streamlines the process of conducting and managing privacy assessments and PIAs.

TRUSTe Assessment Manager:
- Comprehensive Library of Assessment Templates - GDPR, Vendor Risk, Breach Preparation, PIAs, etc.
- Automated Gap Analysis
- Remediation Guidance
- Executive Dashboard
- Centralized, On-Demand Reporting
- SaaS Technology (No downloads, IT, custom coding)
- Flexible, usage-based pricing options

TRUSTe also offers privacy consulting on a wide range of topics. For more information, call 888-878-7830 or visit www.truste.com