This questionnaire consists of four sections of basic, applicable questions on data privacy law compliance and standardization that adopters or organizations can use to initiate a review.
For updates, check the introduction.
---
I. Is there any current engagement between the technology function (read this in the context of TICOSC rather than "IT" as it appears in the succeeding sections), the various business units and the Data Privacy office? If none, please skip #1. If yes, identify and enumerate each subject area, elaborating where possible (including the process by which the IT and DP offices created the <<COMPANY OR ENTITY NAME>> data privacy policy), and continue with the succeeding questions.
II. When did <<COMPANY OR ENTITY NAME>> register its data privacy efforts with the authorized government entity and, if any, an international organization?
III. Does <<COMPANY OR ENTITY NAME>> have a specific and unique application of a data privacy law or standard (i.e. a specific national regulation or standards requirement) to data handling within its various business units, departments or divisions and its data privacy organization? If yes, continue with the succeeding questions. If none, the succeeding questions may still be of significant help to the <<COMPANY OR ENTITY NAME>> data privacy organizational structure and its responsibilities.
BUSINESS UNIT OR DEPARTMENT'S NAME: ____________________________
1. What do you require (IDs and the relevant forms that must be filled out) when doing business with and dealing with the following? After encircling the applicable entities, enumerate the requirements below.
Encircle or underline if NEW: member, customer, supplier, service provider, business partner representatives, employees.
Encircle or underline if RETURNING or existing: member, customer, supplier, service provider, business partner representatives, employees.
2. Are there any other stakeholders you have to deal with aside from those underlined above? Identify specifics.
3. Is your office considered the first line in the collection of data from the entities identified in the first two questions above?
4. How do you collect data, e.g. paper form, online form, or internal business software/application/system? Identify specifics.
5. What data do you collect, e.g. full name, birthday? Enumerate all personally identifiable and sensitive information.
6. Who is the overall in-charge of data collection in your office?
7. Who is in charge of the recording and storage of data? Identify whether the process is physical (paper) or digital (computer/web).
8. Who has access to the data that was collected and is being stored/filed? Identify the specific business units and users of the data, if not all of them, including which entities, departments or individuals the data is shared with.
9. Identify and enumerate the details of the data your office shares with other departments. How are they shared?
10. As per questions #8 and #9, do you approve the use and processing of the collected and stored data? If so, how? Elaborate.
11. Who, or which office or organization, is your source of data if you are not the first line in data collection?
12. Identify and enumerate the details of the data your office receives from the source department(s).
13. Do you require additional details from the data source, e.g. IDs, passport, affiliation/employer certification? Identify specifics, aside from the default data requested as stated above, using the following:
Paper form: ___________________________________
Computer entry/online form, on an on-premise exclusively managed system or an externally hosted and managed system: _________
14. Do you require identification and validation (e.g. ID, passport) to process the data of the entities underlined above (see the first two questions in section III or the relevant question above)? Enumerate the copies of IDs collected and how they are validated.
15. Where do you store/file the photocopies of the collected IDs? Identify specifics for physical, digital and/or cloud-enabled storage/filing.
16. How frequently, and when, do you have to update the data of customers, vendors, service providers and other stakeholders?
17. When are stored data considered for deletion (digital copies) and/or proper disposal (paper copies and computer storage hardware)?
18. As a compliance officer within the data privacy office (if there is none within your department, ask the data privacy officer, the chief data controller, or whoever has the lead role in the data privacy effort to answer this), are you completely aware of and do you fully understand your role in the acquisition, updating and management of the data that your office and data processor collect and use? (If the data privacy officer is answering this, treat the question as asking how aware the departments are of these activities.) Yes or No? If Yes, how? If No, why?
19. As a data processor within the data privacy office, are you completely aware of and do you fully understand your role in the acquisition, updating and management of the data that you and your office collect and use, including how to work with your compliance officer if you need assistance concerning data privacy? Yes or No? If Yes, how? If No, why?
20. Aside from the questions just provided and answered, do you have any additional comments or ideas that would enable the data privacy office to further improve its responsibilities and the conformance and compliance of such an organization-wide initiative?
21. Do you understand that data privacy laws enable the organization's computing and data to be far more secure, and that the collection and processing of personally identifiable and sensitive information must be properly managed according to the enforcement requirements and needs of both the business and the regulatory regimes? Yes or No. If Yes, how? If No, why?
IV. As the lead data privacy officer or data controller, how do you operate, and what direction has been given and consented to for data privacy responsibilities and concerns covering the entire organization's compliance, its stakeholders' and customers' data protection and awareness, and system security?
V. How has the organization designed, operated and controlled privacy access to, and consent for, data (captured, processed or stored through various electronic/digital means, including text, audio and video) that is considered private and sensitive?
VI. How are consent to, and use of, private and sensitive data explicitly stated in the organization's data privacy policy or notices?
VII. What are private and sensitive data for the organization and its stakeholders (everyone involved)?
VIII. Who can view the organization's and stakeholders' data holdings, whether shared, classified or otherwise?