
COMPANY DATA PRIVACY

READINESS ASSESSMENT
2018

Privileged and confidential. Subject to attorney/client privilege and attorney work product privilege. Internal Audit, Risk, Business & Technology Consulting
TABLE OF CONTENTS

➢ EXECUTIVE SUMMARY
➢ PROJECT APPROACH & SCOPE
➢ SUMMARY OF RESULTS
➢ PRIVACY COMPLIANCE FRAMEWORK
➢ PRIVACY COMPLIANCE ROADMAP
➢ CURRENT STATE ANALYSIS
➢ CONTEXTUAL BUSINESS OVERVIEW
➢ HIGH RISK PROCESSING ANALYSIS
➢ DATA PRIVACY RISK ASSESSMENT
➢ GDPR & CCPA IN-SCOPE OBLIGATIONS
➢ GAP ANALYSIS DETAILS AND REMEDIATION PLAN
➢ GAP DETAILS BY ASSESSMENT AREA
➢ SUMMARY OF GDPR and CCPA GAPS
➢ REMEDIATION PLAN SUMMARY

➢ APPENDIX A
➢ KEY PROCESSING ACTIVITIES
➢ IN-SCOPE SYSTEMS
➢ PROJECT STAKEHOLDERS
➢ APPENDIX B
➢ PRIVACY STATEMENT ANALYSIS DETAILS
➢ APPENDIX C
➢ DATA PRIVACY COMPLIANCE FRAMEWORK
➢ APPENDIX E
➢ COOKIE CONSENT SCAN ASSESSMENT & SUMMARY
➢ APPENDIX F

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
Privileged and confidential. Subject to attorney/client privilege and attorney work product privilege.
EXECUTIVE SUMMARY

PROJECT APPROACH
Protiviti executed the following phased approach to evaluate COMPANY’s current state environment
against the new General Data Protection Regulation (GDPR) & California Consumer Privacy Act
(CCPA) and developed a high-level roadmap of recommendations to close the identified gaps.
1. Discovery & Inventory
• Understand current state of data privacy governance and controls.
• Understand data subject categories and high level personal data processing activities.
• Identify research projects/surveys, systems and third parties that collect, process, and store personal data.
• Identify project stakeholders.
• Develop a data inventory of records of personal data processing activities (RoPA).
• Identify privacy shield requirements.

2. Gap Analysis
• Assess current state of controls against defined GDPR & CCPA requirements and identify initial gaps.
• Redline three sample contracts and data sharing agreements against privacy requirements.
• Develop a current state of compliance document.
• Prioritize compliance remediation strategies and define preferred course of action for remediation strategies.
• Develop a compliance roadmap.
• Review compliance implementation constraints and dependencies.
• Develop data privacy compliance program framework.

3. Gap Remediation
• Support COMPANY in applying for privacy shield certification.
• Assess whether contractual controls related to sharing data with third parties are privacy shield appropriate.
• Draft privacy shield compliance statement and any related privacy shield notices.

Note: Highlighted bullets represent tangible outcomes/deliverables for this project

KEY GDPR & CCPA REQUIREMENTS

The requirements diagram groups the twelve key requirements into four areas around Personal Data (legend: CCPA Requirements).

GOVERNANCE
1. Data Protection Officer (DPO)

PRIVACY
2. Legal Basis for Processing
3. Privacy Notice & Disclosures
4. Consent Management
5. Individual Privacy Rights
6. Privacy Impact Analysis

RECORDS MANAGEMENT
7. Records of Processing – data inventory and recordkeeping
8. Cross-Border Data Transfers
9. Third Party Management – contracts and due-diligence

DATA PROTECTION
10. Privacy by Design & Default – records retention, data minimization, and system design
11. Data Security – controls related to the confidentiality, availability and integrity of personal data
12. Breach Notification – identification of and response to data breaches

Privacy Law: General Data Protection Regulation (GDPR) California Consumer Privacy Act (CCPA) & Civil Code

RESULTS SUMMARY
Protiviti assessed COMPANY’s current state environment against the GDPR and CCPA requirements across the following key compliance areas and identified the following remediation activities for compliance. Refer to slides 17 – 38 for details.

Governance (GDPR)

1. Data Protection Officer: Based on the review of processing activities, DPO appointment is not required. In lieu of this requirement, as part of this project, COMPANY will be establishing a “Data Privacy Compliance Program” with defined roles and responsibilities for current and future privacy and data protection requirements. The Data Privacy Compliance Program provides a structured framework through which COMPANY employs protections to the processing of Personal Data based on the fundamental principles of data protection and associated privacy standards, all the while maintaining regulatory requirements and supporting the COMPANY business.

Privacy (GDPR & CCPA)

2. Legal Basis for Processing: COMPANY relies on consent, performance of contract and legitimate interests as valid legal grounds for data processing activities. No gaps were found.
3. Privacy Notice and Disclosures: COMPANY must revise the privacy statement for Non-EU and EU on their website for GDPR and CCPA compliance.
4. Consent Management: COMPANY must enhance the current consent management process for audio, online and written consent for explicit opt-outs, provide details on consent recordings and ensure consent document management is formalized for GDPR. For CCPA, provide right to opt-out and maintain procedure for collection and use of minors’ personal data.
5. Individual Rights: COMPANY grants Individual Rights such as right of access and right of erasure to data at the project level via manual process based on client contract. However, COMPANY should formally document this within the privacy policy to the data subject population. Additionally, define & document procedures to facilitate additional individual rights as required by the GDPR & CCPA currently not in place.
6. Privacy Impact Analysis: As a data processor, COMPANY is not required to independently perform a Data Protection Impact Assessment (DPIA). However, future client needs may require COMPANY to assist the controller to meet this requirement. Protiviti recommends building a DPIA threshold into the Institutional Review Board process to trigger high risk processing activities that may require a formal DPIA in the future.

RESULTS SUMMARY
Records Management (GDPR & CCPA)

7. Records of Processing Activities: A record listing the purposes of data processing activities (RoPA), categories of recipients and countries they are located in, and applicable transfers, retention and security, etc. has been created as part of this project. This is a living document and COMPANY should identify ownership to keep it up to date.
8. Cross-Border Data Transfers: Although under existing operations less than 5% of personal data involves cross-border transfer from US to EU, COMPANY is committed to obtaining Privacy Shield Certification. COMPANY has engaged Protiviti to prepare necessary documentation for submission.
9. Third Party Risk Management: Current contracts do not clearly differentiate between data controller and data processor. COMPANY should include standardized language to show data controller and data processor obligations.

Data Protection (GDPR & CCPA)

10. Privacy by Default and Design: COMPANY must implement a data retention policy and remove any obsolete personal data. COMPANY currently relies on retention requirements defined in the contracts. The retention policy should outline data retention management for the two use cases – COMPANY owned data and client data. Further, the institutional review board (software development lifecycle) should be enhanced to include recommended privacy and data protection controls covered in other assessment areas along with explicit retention requirements.
11. Data Security: COMPANY should (i) conduct an audit assessment of Access Controls to effectively manage access, (ii) establish data classification policy and schema, and (iii) confirm effectiveness of data de-identification and/or anonymization process for high-risk applications.
12. Breach Notification: COMPANY must enhance incident response policy and establish data breach management procedures to notify their relevant data controller (in case of EU based incident), or relevant regulators (in case of non-EU and/or CA based incident), and affected individuals of any breach without undue delay after becoming aware of it. Further, COMPANY should prepare an inventory of client requirements.

DATA PRIVACY COMPLIANCE LIFECYCLE
COMPANY Data Privacy Compliance Program provides a structured framework through which COMPANY can
employ data protections to the processing of Personal Data based on the fundamental principles of data protection
and associated privacy standards, all the while maintaining regulatory requirements and supporting the COMPANY
business.

The following lifecycle of ongoing compliance activities will help organizations implement and maintain appropriate privacy and data protection
practices across all applicable privacy regulations. NOTE: **This has been customized for COMPANY in the Privacy Program Framework**
The lifecycle has four phases arranged around the Privacy & Data Protection Program:

Identify
• Establish a record of key business processing activities that collect and process personal data
• Inventory supporting systems, vendors, and data stores to establish data lineage
• Identify applicable regulations (i.e., GDPR, CCPA, ePrivacy, etc.)
• Communicate requirements to internal stakeholders

Assess
• Assess business and operational changes for privacy impact
• Assess new and enhanced technologies for privacy and data protection requirements
• Data Protection Impact Assessments
• Assess current capabilities related to fulfilling data subject rights

Execute
• Identify program sponsor and funding
• Establish program governance structure, with clearly defined roles and responsibilities
• Integrate with Information Security and Contract Management functions
• Develop a program charter and project plan
• Establish required policies and procedures

Monitor
• First and second “lines of defense”
• KRIs, KPIs
• State of compliance reporting
• Results of self-assessments, monitoring, audits, exams
• Compliance training results
• Resource needs assessment

PRIVACY COMPLIANCE ROADMAP

The roadmap places the following initiatives on a timeline spanning H2 2018, H1 2019, H2 2019 and 2020, with each initiative marked as In Process, High Priority, Medium Priority or Future:

1. Establish COMPANY Data Privacy Compliance Program – A structured framework for Personal Data protections
3. Revise Privacy Notice for GDPR and CCPA
4. Enhance Consent Management
5. Address Individual Privacy Rights
6. Enhance Privacy by Design & Default
6. Enable Privacy Impact Analysis
7. Create a data inventory of Records of Processing Activities
8. Legitimize Cross-Border Data Transfer through Privacy Shield Certification
9. Manage Third Party Risk
11. Mature Data Security
Address any Future Regulatory Requirements

Timeline: H2 2018 | H1 2019 | H2 2019 | 2020
Legend: In Process | High Priority | Medium Priority | Future

For additional context, please refer to:


- Slide 39 for Recommendations
- Appendix E for GDPR and CCPA Gap summary

© 2018 Protiviti Inc. This material is the confidential property of Protiviti Inc. Copying or reproducing this material is strictly prohibited.
GAP ANALYSIS DETAILS
AND
REMEDIATION PLAN

GAP ANALYSIS DETAILS (3/12)
3. PRIVACY NOTICE AND DISCLOSURES (1/2)

APPLICABILITY
GDPR – YES
CCPA – YES

REQUIREMENT DESCRIPTION
GDPR (Article 2 – 14)
Data controllers must provide transparent and accessible information to individuals about how their personal data is used as well as communications regarding access, rectification, correction and erasure of personal data. Whether through a Privacy Statement, or as part of breach notifications, the communication must be in a concise, transparent, intelligible, and easily accessible form.

CCPA (Provision 1798.100 (b), 1798.105 (b), 1798.115 (a)-(d), 1798.120 (b), 1798.125 (b)(2), 1798.135 (a)(2))
Requires procedures to disclose, at or before the point of collection, the categories of personal data to be collected and the purposes for which the categories are used. The disclosure should further outline consumer rights and clear and explicit choices and how consumers can exercise those rights. Further, a description of any financial incentives the business is offering as compensation for collection, sale or deletion of personal data.

GAP DESCRIPTION
Protiviti reviewed COMPANY customer facing Privacy Notice against the GDPR & CCPA requirements and documented the following gaps:

Non-EU Notice: COMPANY does not fully inform data subjects about its information management practices and data processing activities in relation to personal data collected from all sources: description of categories of personal information to be collected, purposes of collection and use, how to exercise choices about uses and disclosures and whether the individual can access or update the information.

COMPANY does not provide a disclosure of categories of personal information of California residents collected in the preceding 12 months as required by CCPA.

Privacy notice does not inform about categories of third party recipients of personal information and purposes of disclosure.

COMPANY's notice does not provide for at least two methods for submitting requests (at minimum a toll-free telephone number and a web-site address).

Advance Letters (written disclosures) specific to the project: Add description of categories of personal information to be collected for the project; add reference/link to the Privacy Statement.

EU Privacy Notice: Categories of personal data processed by COMPANY need to be defined; the “creation of de-Identified data” section refers to personal data de-identified but does not provide specifics on types and categories of personal information.

Cookie Policy: Protiviti noted a cookie policy does not exist and a cookie banner has not been posted to COMPANY to inform users that online identifiers are being collected.
GAP ANALYSIS DETAILS (3/12)
3. PRIVACY NOTICE AND DISCLOSURES (2/2)

RISK EXPOSURE
GDPR: Unlawful data processing exposes data controllers to a compliance risk which may result in a Tier-2 level of fines (up to 10M Euros or 2% of the global revenue, whichever is higher).
CCPA - Non-EU Notice: non-compliance with CCPA with regard to the disclosure on information rights and data access. $7,500 per intentional violation; $2,500 per unintentional violation.

CURRENT STATE DETAILS
COMPANY provides separate privacy notices for EU and non-EU data subjects that address only processing of personal data collected by the COMPANY website.
Research participant privacy policy informs what information is collected and used from research participants.
Refer to Appendix B for details.
Additionally, Protiviti performed a scan of COMPANY websites in scope for the project and determined cookies are collected on individuals who access the public facing website. Protiviti noted a cookie policy does not exist and a cookie banner has not been posted to COMPANY to inform users that online identifiers are being collected.
Refer to Appendix D for details.

RECOMMENDATION PLAN DETAILS
Revise Privacy Notice and maintain procedures for GDPR and CCPA Compliance

Non-EU Privacy Notice: Review and amend non-EU Privacy Notice to comply with the requirements of CCPA.

Disclosure under CCPA: CCPA requires issue of a privacy notice on or before collection of personal data. CCPA additionally requires disclosure of personal data collected in the preceding 12 months to support consumer requests to access information.

COMPANY should maintain policy and procedure to show COMPANY does not resell your personal data. Currently, this is only mentioned in the COMPANY EEA Policy, but is not specifically mentioned in the COMPANY non-EEA Policy, Policy for Research Participant Privacy Policy and AmeriSpeak Privacy Policy.

EU Privacy Policy: Define and inform categories of personal data to be collected.

Cookie Policy: COMPANY to create a cookie policy to describe the cookies being used on abc.COMPANY.org. COMPANY to create a GDPR compliant cookie banner that allows users to opt-in & opt-out of groups of cookies.

REMEDIATION PLAN SUMMARY
3.1 Update the Non-EU Privacy Notice to address CCPA requirements
3.2 Update the EU Privacy Notice to address GDPR requirements
3.3 Draft and implement a cookie policy to describe the cookies being used on nlsy97.COMPANY.org
GAP ANALYSIS DETAILS (4/12)
4. CONSENT MANAGEMENT (1/2)

APPLICABILITY
GDPR – YES
CCPA – YES

REQUIREMENT DESCRIPTION
GDPR (Article 7)
Organizations collecting personal data must provide transparent and accessible information to individuals about how their personal data is used as well as communications. Where processing is based on consent, the controller/processor shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. Silence, pre-ticked boxes or inactivity should not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

CCPA (Right to opt-out from sale & Right to opt-in for minors – Provision 1798.120, 1798.135 (obligations for 1798.120), 1798.120(d))
This provision protects consumers’ right to opt-out, restrict or object to sale of their personal data:
- Provides consumers the right to opt-out from businesses that sell personal information
- A business that sells personal data to 3rd parties should provide notice to consumers that the information may be sold and consumers have the right to opt out
- A business should receive explicit direction (or consent) from the consumer to not sell personal information.

GAP DESCRIPTION
Protiviti reviewed COMPANY consent management for GDPR & CCPA requirements and documented the following gaps across two key areas: research projects covering survey processing and the AmeriSpeak program.
Although COMPANY maintains a comprehensive consent management process, the current policies and procedures should align with certain specific GDPR and CCPA requirements, especially in the area where consent is obtained through audio recording and in consent document management.

RISK EXPOSURE
GDPR: Unlawful data processing exposes data controllers to a compliance risk which may result in a Tier-2 level of fines (up to 10M Euros or 2% of the global revenue, whichever is higher).
CCPA - non-EU Notice: non-compliance with CCPA with regard to the disclosure on information rights and data access. $7,500 per intentional violation; $2,500 per unintentional violation.
GAP ANALYSIS DETAILS (4/12)
4. CONSENT MANAGEMENT (2/2)

CURRENT STATE DETAILS
COMPANY maintains governance and oversight on consent management across AmeriSpeak and research projects. COMPANY obtains written, verbal, and online consents of research participants.
- Consent review starts at IRB, and IRB approves consent requirements for a research project to move ahead based on common law requirements and federal law requirements and contract with the sponsor.
- IRB reviews language used for consent, ensures there is provision to delete or withdraw consent.
- COMPANY currently has an inbox to collect consent withdrawals and the current process supports manual consent withdrawals.
- Consent withdrawals are stored in the project folder.
Current consent management supports both audio recording consent and written consent. There is adequate training given to both field and telephone interviewers on consent management.

RECOMMENDATION PLAN DETAILS
Enhance Consent Management to support GDPR and CCPA requirements

For Audio consent – Through the IRB consent management process or via a “recording consent policy” COMPANY should ensure audio consents have explicit opt-out and opt-in options and actively justify lawfulness of recording. Oral/verbal consents are permissible but a record/note of when those consents were captured should be kept by COMPANY. It is necessary to train all employees involved in recording consent on the process.

For Online consent – For the AmeriSpeak portal, the consent is implied. While this works for CCPA, GDPR consent should express explicit opt-in. Note: the AmeriSpeak program may be exempt from GDPR consent due to the geographical nature of its operations. However, other consent mechanisms should be updated for explicit GDPR opt-in requirements.

For Audio, Online and Written consents – An effective ‘recording consent policy’ or IRB procedures should provide details on retention and destruction of audio & written consents maintained by COMPANY, ensuring that consent documentation is created, managed, and disposed of in accordance with applicable regulatory record-keeping requirements and business needs.

To support CCPA for consumers’ right to opt-out or object to processing – Maintain a procedure to respond to opt-outs that is aligned to the privacy notice. Maintain a procedure for collection and use of children’s and minors’ personal data. Since COMPANY does not resell personal data, other aspects of this provision around selling of personal data of minors can be omitted. However, COMPANY should ensure that “COMPANY does not resell your personal data” is included in the privacy notice (which should be provided on or before disclosure of personal data). See Privacy Notice and Disclosure slide. Currently, this is only mentioned in the COMPANY EEA Policy, but is not specifically mentioned in the NOR non-EEA Policy, Policy for Research Participant Privacy Policy and AmeriSpeak Privacy Policy.

Training should be updated and executed to reflect recommendations.

RECOMMENDATION PLAN SUMMARY
4.1 Enhance consent management policy and procedure to have explicit opt-out and opt-in options to support GDPR and CCPA requirements
4.2 Implement consent document management to formalize retention and destruction of audio, online and written consents
4.3 Formalize “COMPANY does not resell your personal data” to support CCPA requirements
GAP ANALYSIS DETAILS (12/12)
12. BREACH NOTIFICATION (1/2)

APPLICABILITY
GDPR – YES
CCPA – YES

REQUIREMENT DESCRIPTION
GDPR (Article 33 and 34)
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

CCPA (Provision 1798.150) and California Data Breach Notification Law (Civil Code section 1798.82)
Provision 1798.150 provides consumers with the right to institute a civil action for damages resulting from a data breach of their non-encrypted and non-redacted personal information. The breach must result from a violation of the duty to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information.

GAP DESCRIPTION
Protiviti concluded formal procedures are not currently in place to report potential data breaches to the data controller in case of EU based data or to authorities and/or individuals in case of a CA based incident. Additionally, Protiviti noted there are no clear criteria to guide COMPANY employees in determining if the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals” or whether notice is not required.
An inventory of data breach requirements of active clients by risk priority is missing.

RISK EXPOSURE
GDPR: Failure to report data breaches exposes data controllers and processors to a compliance risk which may result in a Tier-2 level of fines (up to 10M Euros or 2% of the global turnover of Shulmans, whichever is higher).
CCPA: The consumer is required to provide the business a 30-day written notice of any personal data violation or unencrypted data that was exposed. The business has 30 days to respond in fixing the issue. If a business continues to violate, the consumer may initiate an action against the business and pursue statutory damages for each breach, which may result in imposition of fines up to $7,500 for each violation of the Act.

CURRENT STATE DETAILS
Based on Protiviti’s analysis of COMPANY’s Incident Response Plan, it was concluded that procedures are not currently in place to report potential data breaches as per the GDPR or CCPA requirements.
Under GDPR, to the data protection authorities and impacted data subjects within 72 hours. Additionally, Protiviti noted that the Incident Response Plan does not include clear criteria to guide COMPANY employees in determining if the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals” or whether notice is not required.
Under CCPA, for a data breach, a notice will be required as per California Data Breach Notification Law (Civil Code section 1798.82).
GAP ANALYSIS DETAILS (12/12)
12. BREACH NOTIFICATION (2/2)

RECOMMENDATION PLAN DETAILS
Mature Incident Response & Breach Notification

12.1 Expand the incident response plan to include procedures for executing a breach notification to affected individuals and to report data breaches to authorities within 72 hours after detection as a data controller, and notification procedures to notify the data controllers within 24 hours when acting as data processor on their behalf.
• Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
• If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
• When acting as the data processor, notice should be provided to the data controller within 24 hours.
• A key exception to the supervisory authority notification requirement: Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons,” a phrase that will no doubt offer data protection officers and their outside counsel opportunities to debate the necessity of notification.

12.2 & 12.3 Develop communication templates and assign roles and responsibilities for notifying DPAs and data subjects in the event of a potential data breach impacting EU data subjects. Develop a template for “data breach notice” for transactions related to California.
Create templates to ensure all content requirements are met and to aid in efficiency. Notification to the authority must “at least”: (1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; (2) provide the supervisory authority contact information; (3) “describe the likely consequences of the personal data breach”; and (4) describe how the controller proposes to address the breach (GDPR scenario), including any mitigation efforts. If not all information is available at once, it may be provided in phases. Consider also stating that breaches of encrypted data do not need to be reported, unless evidence exists that the encryption key(s) were also included in the breach. This is particularly important where there is a risk of lost or stolen laptops from staff, to avoid the need to report on each of these instances.

12.4 Amend DUA and Subcontract agreement so that breach reports are reported within 24 hours by third parties processing personal data.

12.5 Prepare an inventory of client requirements for timely access of breach requirements.

RECOMMENDATION PLAN SUMMARY
12.1 Expand the scope of the Incident Response Plan to include procedures for executing a breach notification to affected individuals and to the relevant data controller (in case of EU based incident), or relevant regulators (in case of non-EU and/or CA based incident).
12.2 Develop criteria of what constitutes a data breach resulting in high risk to the rights and freedoms of individuals.
12.3 Develop communication templates and assign roles and responsibilities for notifying the controller in the event of a potential data breach impacting individuals.
12.4 Develop a template for “data breach notice” for transactions related to California and non-EU authorities.
12.5 Amend DUA and Subcontract agreement so that breach reports are reported within 24 hours by third parties processing personal data.
12.6 Prepare an inventory of client requirements for timely access of breach requirements.
