Because compliance levels vary across organizations and industries, some organizations may already have mature data privacy frameworks that need only slight adjustment to meet the requirements of the Data Privacy Act.  Others may have instituted information security management systems that comply with international standards covering the protection of personal information.  Still others may not yet have begun orienting themselves with the Data Privacy Act or initiated the compliance process the law requires.

Our Data Privacy Compliance Process starts with evaluating the organization's degree of compliance and situating the organization on that compliance spectrum.  To do this, we conduct Data Privacy Audits (sometimes referred to as privacy impact assessments or privacy risk assessments).  Our audit adopts a process-centric approach that analyzes business methods across the organization in order to map out the collection and processing of personal information. We also examine the organization's rules, policies, processes, and third-party contracts that have data privacy implications.  We describe the personal information life cycle relevant to these processes and identify the points at which personal information is collected, accessed, analyzed, stored, transferred, sold, and destroyed.

Our audit also includes a comprehensive review of the organization's governance processes to determine whether they adhere to the requirements of the Data Privacy Act.  Some of the questions we consider are:

  • Does the organization have a Data Privacy Policy?
  • Has the organization designated its Data Protection Officer?
  • Has the organization ensured that its data sharing and outsourcing agreements conform to the Data Privacy Act?
  • How does the organization uphold the rights of the data subject set out in the law?
  • Has the organization implemented information security controls to protect data, particularly personal information?