
PRIV-02 Privacy Program Review

>Control Description

On an annual basis, Organization performs a review of privacy practices to ensure the following:
• consent is obtained for users whose personal information (PI) is managed by Organization
• PI inventory integrity and accuracy
• data access request response template is understandable
• standard agreement templates are up-to-date
• requests to delete, access or update PI are processed accurately and within a timeframe consistent with Organization policy
• compliance with Organization's privacy commitments
• known privacy issues are remediated
• opt-in and opt-out compliance with applicable law
• Organization privacy documentation and practices are relevant to applicable law
• compliance with relevant industry Codes of Conduct (e.g., EDAA)
• if applicable, joint controller responsibilities are clearly defined and communicated to both data controllers and the data subject

Theme

Process

Type

Preventive

Policy/Standard

Privacy Policy

>Implementation Guidance

1. Ensure that the organization has established a privacy program.
2. Ensure that the program is reviewed on at least an annual basis.
3. Ensure that the privacy program contains controls regarding consent, data access requests, modification requests, SLAs, privacy issues, roles and responsibilities.
4. Ensure that agreement templates are reviewed and updated.

>Testing Procedure

1. Collect and inspect the organization's annual privacy review.
2. Validate that the annual privacy review covers all components.

>Audit Artifacts

E-PRIV-02

>Framework Mappings

Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.
