Sample CCPA and GDPR Data Privacy Readiness Assessment Report - Nov2018
READINESS ASSESSMENT
2018
Privileged and confidential. Subject to attorney/client privilege and attorney work product privilege. Internal Audit, Risk, Business & Technology Consulting
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
Privileged and confidential. Subject to attorney/client privilege and attorney work product privilege.
EXECUTIVE SUMMARY
PROJECT APPROACH
Protiviti executed the following phased approach to evaluate COMPANY’s current state environment against the new General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) and developed a high-level roadmap of recommendations to close the identified gaps.
KEY GDPR & CCPA REQUIREMENTS
Privacy Law: General Data Protection Regulation (GDPR); California Consumer Privacy Act (CCPA) & Civil Code
RESULTS SUMMARY
Protiviti assessed COMPANY’s current state environment against the GDPR and CCPA requirements across the following key compliance areas and identified the following remediation activities for compliance. Refer to slides 17 – 38 for details.

Governance (GDPR)
1. Data Protection Officer: Based on the review of processing activities, DPO appointment is not required. In lieu of this requirement, as part of this project, COMPANY will be establishing a “Data Privacy Compliance Program” with defined roles and responsibilities for current and future privacy and data protection requirements. The Data Privacy Compliance Program provides a structured framework through which COMPANY applies protections to the processing of Personal Data based on the fundamental principles of data protection and associated privacy standards, all the while meeting regulatory requirements and supporting the COMPANY business.
2. Legal Basis for Processing: COMPANY relies on consent, performance of contract and legitimate interests as valid legal grounds for data processing activities. No gaps were found.

Privacy (GDPR & CCPA)
3. Privacy Notice and Disclosures: COMPANY must revise the privacy statements for Non-EU and EU data subjects on its website for GDPR and CCPA compliance.
4. Consent Management: COMPANY must enhance the current consent management process for audio, online and written consent to support explicit opt-outs, provide details on consent recordings and ensure consent document management is formalized for GDPR. For CCPA, provide the right to opt-out and maintain a procedure for the collection and use of minors’ personal data.
5. Individual Rights: COMPANY grants Individual Rights such as the right of access and the right of erasure to data at the project level via a manual process based on the client contract. However, COMPANY should formally document these rights in the privacy policy for the data subject population. Additionally, define and document procedures to facilitate the additional individual rights required by the GDPR and CCPA that are currently not in place.
6. Privacy Impact Analysis: As a data processor, COMPANY is not required to independently perform a Data Protection Impact Assessment (DPIA). However, future client needs may require COMPANY to assist the controller in meeting this requirement. Protiviti recommends building a DPIA threshold into the Institutional Review Board process to flag high-risk processing activities that may require a formal DPIA in the future.
Records Management (GDPR & CCPA)
7. Records of Processing Activities: A record listing the purposes of data processing activities (RoPA), categories of recipients and the countries they are located in, applicable transfers, retention and security, etc. has been created as part of this project. This is a living document and COMPANY should identify an owner to keep it up to date.
8. Cross-Border Data Transfers: Although under existing operations less than 5% of personal data involves cross-border transfer from the US to the EU, COMPANY is committed to obtaining Privacy Shield Certification. COMPANY has engaged Protiviti to prepare the necessary documentation for submission.
9. Third Party Risk Management: Current contracts do not clearly differentiate between data controller and data processor. COMPANY should include standardized language that sets out data controller and data processor obligations.

Data Protection (GDPR & CCPA)
10. Privacy by Default and Design: COMPANY must implement a data retention policy and remove any obsolete personal data. COMPANY currently relies on retention requirements defined in the contracts. The retention policy should outline data retention management for the two use cases – COMPANY-owned data and client data. Further, the institutional review board (software development lifecycle) should be enhanced to include the recommended privacy and data protection controls covered in other assessment areas along with explicit retention requirements.
11. Data Security: COMPANY should (i) conduct an audit assessment of Access Controls to effectively manage access, (ii) establish a data classification policy and schema and (iii) confirm the effectiveness of the data de-identification and/or anonymization process for high-risk applications.
12. Breach Notification: COMPANY must enhance the incident response policy and establish data breach management procedures to notify the relevant data controller (in case of an EU-based incident), or the relevant regulators (in case of a non-EU and/or CA-based incident), and affected individuals of any breach without undue delay after becoming aware of it. Further, COMPANY should prepare an inventory of client requirements.
DATA PRIVACY COMPLIANCE LIFECYCLE
COMPANY Data Privacy Compliance Program provides a structured framework through which COMPANY can employ data protections to the processing of Personal Data based on the fundamental principles of data protection and associated privacy standards, all the while maintaining regulatory requirements and supporting the COMPANY business.
The following lifecycle of ongoing compliance activities will help organizations implement and maintain appropriate privacy and data protection
practices across all applicable privacy regulations. NOTE: **This has been customized for COMPANY in the Privacy Program Framework**
The lifecycle is centered on the Privacy & Data Protection Program and cycles through four phases:

Identify
• Establish a record of key business processing activities that collect and process personal data
• Inventory supporting systems, vendors, and data stores to establish data lineage
• Identify applicable regulations (e.g., GDPR, CCPA, ePrivacy, etc.)
• Communicate requirements to internal stakeholders

Assess
• Assess business and operational changes for privacy impact
• Assess new and enhanced technologies for privacy and data protection requirements
• Data Protection Impact Assessments
• Assess current capabilities related to fulfilling data subject rights

Execute
• Identify program sponsor and funding
• Establish program governance structure, with clearly defined roles and responsibilities
• Integrate with Information Security and Contract Management functions
• Develop a program charter and project plan
• Establish required policies and procedures

Monitor
• First and second “lines of defense”
• KRIs, KPIs
• State of compliance reporting
• Results of self-assessments, monitoring, audits, exams
• Compliance training results
• Resource needs assessment
PRIVACY COMPLIANCE ROADMAP
1. Establish COMPANY Data Privacy Compliance Program – A structured framework for Personal Data protections
3. Revise Privacy Notice for GDPR and CCPA
4. Enhance Consent Management
5. Address Individual Privacy Rights
6. Enhance Privacy by Design & Default
6. Enable Privacy Impact Analysis
7. Create a data inventory of Records of Processing Activities
8. Legitimize Cross-Border Data Transfer through Privacy Shield Certification
9. Manage Third Party Risk
Address any Future Regulatory Requirements
© 2018 Protiviti Inc. This material is the confidential property of Protiviti Inc. Copying or reproducing this material is strictly prohibited.
GAP ANALYSIS DETAILS AND REMEDIATION PLAN
GAP ANALYSIS DETAILS (3/12)
3. PRIVACY NOTICE AND DISCLOSURES (1/2)
APPLICABILITY: GDPR – YES; CCPA – YES
GAP DESCRIPTION
Protiviti reviewed COMPANY’s customer-facing Privacy Notice against the GDPR & CCPA requirements and documented the following gaps:
Non-EU Notice: COMPANY does not fully inform data subjects about its information management practices and data processing activities in relation to personal data collected from all sources: description of the categories of personal information to be collected, purposes of collection and use, how to exercise choices about uses and disclosures, and whether the individual can access or update the information.
COMPANY does not provide a disclosure of the categories of personal information of California residents collected in the preceding 12 months as required by CCPA.
The privacy notice does not inform about the categories of third-party recipients of personal information and the purposes of disclosure.
COMPANY’s notice does not provide for at least two methods for submitting requests (at minimum a toll-free telephone number and a website address).
Advance Letters (written disclosures) specific to the project: Add a description of the categories of personal information to be collected for the project; add a reference/link to the Privacy Statement.
EU Privacy Notice: Categories of personal data processed by COMPANY need to be defined; the “creation of de-identified data” section refers to personal data being de-identified but does not provide specifics on the types and categories of personal information.
Cookie Policy: Protiviti noted a cookie policy does not exist and a cookie banner has not been posted to COMPANY to inform users that online identifiers are being collected.
GAP ANALYSIS DETAILS (3/12)
3. PRIVACY NOTICE AND DISCLOSURES (2/2)
RISK EXPOSURE
GDPR: Unlawful data processing exposes data controllers to a compliance risk which may result in a Tier-2 level of fines (up to 10M Euros or 2% of the global revenue, whichever is higher).
CCPA – Non-EU Notice: non-compliance with CCPA with regard to the disclosure on information rights and data access. $7,500 per intentional violation; $2,500 per unintentional violation.
CURRENT STATE DETAILS
COMPANY provides separate privacy notices for EU and non-EU data subjects that address only the processing of personal data collected by the COMPANY website.
The research participant privacy policy informs what information is collected and used from research participants.
Refer to Appendix B for details.
Additionally, Protiviti performed a scan of the COMPANY websites in scope for the project and determined cookies are collected on individuals who access the public-facing website. Protiviti noted a cookie policy does not exist and a cookie banner has not been posted to COMPANY to inform users that online identifiers are being collected.
Refer to Appendix D for details.
RECOMMENDATION PLAN DETAILS
Revise Privacy Notice and maintain procedures for GDPR and CCPA Compliance
Non-EU Privacy Notice: Review and amend the non-EU Privacy Notice to comply with the requirements of CCPA.
Disclosure under CCPA: CCPA requires a privacy notice to be issued on or before collection of personal data. CCPA additionally requires disclosure of personal data collected in the preceding 12 months to support consumer requests to access information.
COMPANY should maintain a policy and procedure to show that COMPANY does not resell your personal data. Currently, this is only mentioned in the COMPANY EEA Policy, but is not specifically mentioned in the COMPANY non-EEA Policy, the Policy for Research Participant Privacy Policy and the AmeriSpeak Privacy Policy.
Cookie Policy:
COMPANY to create a cookie policy to describe the cookies being used on abc.COMPANY.org. COMPANY to create a GDPR-compliant cookie banner that allows users to opt in to and opt out of groups of cookies.
GAP ANALYSIS DETAILS (4/12)
4. CONSENT MANAGEMENT (1/2)
REQUIREMENT DESCRIPTION
GDPR (Article 7)
Organizations collecting personal data must provide transparent and accessible information to individuals about how their personal data is used as well as communications. Where processing is based on consent, the controller/processor shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. Silence, pre-ticked boxes or inactivity should not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
CCPA (Right to opt-out from sale & Right to opt-in for minors – Provisions 1798.120, 1798.135 (obligations for 1798.120), 1798.120(d))
This provision protects consumers’ right to opt out of, restrict or object to the sale of their personal data:
- Provides consumers the right to opt out from businesses that sell personal information
- A business that sells personal data to third parties should provide notice to consumers that the information may be sold and that consumers have the right to opt out
- A business should receive explicit direction (or consent) from the consumer to not sell personal information.
GAP DESCRIPTION
Protiviti reviewed COMPANY consent management against the GDPR & CCPA requirements and documented the following gaps across two key areas: research projects covering survey processing and the AmeriSpeak program.
Although COMPANY maintains a comprehensive consent management process, the current policies and procedures should align with certain specific GDPR and CCPA requirements, especially where consent is obtained through audio recording and in consent document management.
RISK EXPOSURE
GDPR: Unlawful data processing exposes data controllers to a compliance risk which may result in a Tier-2 level of fines (up to 10M Euros or 2% of the global revenue, whichever is higher).
CCPA – non-EU Notice: non-compliance with CCPA with regard to the disclosure on information rights and data access. $7,500 per intentional violation; $2,500 per unintentional violation.
GAP ANALYSIS DETAILS (4/12)
4. CONSENT MANAGEMENT (2/2)
CURRENT STATE DETAILS
COMPANY maintains governance and oversight on consent management across AmeriSpeak and research projects. COMPANY obtains written, verbal, and online consents of research participants.
- Consent review starts at the IRB, and the IRB approves consent requirements for a research project to move ahead based on common law requirements, federal law requirements and the contract with the sponsor.
- The IRB reviews the language used for consent and ensures there is provision to delete or withdraw consent.
- COMPANY currently has an inbox to collect consent withdrawals, and the current process supports manual consent withdrawals.
- Consent withdrawals are stored in the project folder.
Current consent management supports both audio recording consent and written consent. Adequate training is given to both field and telephone interviewers on consent management.
RECOMMENDATION PLAN DETAILS
To support CCPA for consumers’ right to opt out or object to processing: maintain a procedure to respond to opt-outs that is aligned to the privacy notice. Maintain a procedure for the collection and use of children’s and minors’ personal data. Since COMPANY does not resell personal data, other aspects of this provision around selling the personal data of minors can be omitted. However, COMPANY should ensure that the statement “COMPANY does not resell your personal data” is included in the privacy notice (which should be provided on or before disclosure of personal data). See the Privacy Notice and Disclosure slide. Currently, this is only mentioned in the COMPANY EEA Policy, but is not specifically mentioned in the COMPANY non-EEA Policy, the Policy for Research Participant Privacy Policy and the AmeriSpeak Privacy Policy.
RECOMMENDATION PLAN SUMMARY
4.1 Enhance the consent management policy and procedure to have explicit opt-out and opt-in options to support GDPR and CCPA requirements
4.2 Implement consent document management to formalize retention and destruction of audio, online and written consents
4.3 Formalize “COMPANY does not resell your personal data” to support CCPA requirements
GAP ANALYSIS DETAILS (12/12)
12. BREACH NOTIFICATION (1/2)
APPLICABILITY: GDPR – YES; CCPA – YES
GAP DESCRIPTION
Protiviti concluded formal procedures are not currently in place to report potential data breaches to the data controller in case of EU-based data, or to authorities and/or individuals in case of a CA-based incident. Additionally, Protiviti noted there are no clear criteria to guide COMPANY employees in determining whether a personal data breach “is likely to result in a high risk to the rights and freedoms of individuals” or whether notice is not required.
An inventory of data breach requirements of active clients by risk priority is missing.
RISK EXPOSURE
GDPR: Failure to report data breaches exposes data controllers and processors to a compliance risk which may result in a Tier-2 level of fines (up to 10M Euros or 2% of the global turnover of Shulmans, whichever is higher).
CCPA: The consumer is required to provide the business a 30-day written notice of any personal data violation or exposure of unencrypted data. The business has 30 days to respond by fixing the issue. If a business continues to violate, the consumer may initiate an action against the business and pursue statutory damages for each breach, which may result in imposition of fines up to $7,500 for each violation of the Act.
CURRENT STATE DETAILS
Based on Protiviti’s analysis of COMPANY’s Incident Response Plan, it was concluded that procedures are not currently in place to report potential data breaches as per the GDPR or CCPA requirements.
Under GDPR, breaches must be reported to the data protection authorities and impacted data subjects within 72 hours. Additionally, Protiviti noted that the Incident Response Plan does not include clear criteria to guide COMPANY employees in determining whether a personal data breach “is likely to result in a high risk to the rights and freedoms of individuals” or whether notice is not required.
Under CCPA, for a data breach, a notice will be required as per the California Data Breach Notification Law (Civil Code section 1798.82).
GAP ANALYSIS DETAILS (12/12)
12. BREACH NOTIFICATION (2/2)
RECOMMENDATION PLAN SUMMARY
12.1 Expand the scope of the Incident Response Plan to include procedures for executing a breach notification to affected individuals and to the relevant data controller (in case of an EU-based incident), or the relevant regulators (in case of a non-EU and/or CA-based incident).
12.2 Develop criteria for what constitutes a data breach resulting in high risk to the rights and freedoms of individuals.
12.3 Develop communication templates and assign roles and responsibilities for notifying the controller in the event of a potential data breach impacting individuals.
12.4 Develop a template for the “data breach notice” for transactions related to California and non-EU authorities.
12.5 Amend the DUA and Subcontract agreement so that breach reports are reported within 24 hours by third parties processing personal data.
12.6 Prepare an inventory of client requirements for timely access to breach requirements.