Data Privacy Management
Expertise & Automation
TrustArc’s all-in-one data privacy management solution
makes it easy for your company to access and manage data
while ensuring you remain compliant with global privacy
regulations. By combining the right advice, governance,
operations, and technology, TrustArc helps you scale your
compliance using automation to maximize customer trust.
PRIVACY MANAGEMENT ACCOUNTABILITY FRAMEWORK™
A Practical and Operational Structure for Complying with the World’s Privacy Requirements
1. Maintain Governance Structure
Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures
PRIVACY MANAGEMENT ACTIVITIES
• Assign responsibility for data privacy to an individual (e.g. Privacy Officer, General Counsel, CPO, CISO, EU Representative)
• Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)
• Appoint a Data Protection Officer (DPO) in an independent oversight role
• Assign responsibility for data privacy throughout the organization (e.g. Privacy Network)
• Maintain roles and responsibilities for individuals responsible for data privacy (e.g. job descriptions)
• Conduct regular communication between the privacy office, privacy network, and others responsible/accountable for data privacy
• Engage stakeholders throughout the organization on data privacy matters (e.g. information security, marketing, etc.)
• Integrate privacy into the Data Ethics/Stewardship program
• Report to internal stakeholders on the status of privacy management (e.g. board of directors, management)
• Report to external stakeholders on the status of privacy management (e.g. regulators, third-parties, clients)
• Manage enterprise privacy risk consistent with organizational objectives
• Integrate data privacy into business risk assessments/reporting
• Align privacy strategy with organizational objectives
• Maintain a privacy program charter/mission statement
• Require employees to acknowledge and agree to adhere to the data privacy policies
2. Maintain Personal Data Inventory and Data Transfer Mechanisms
Maintain an inventory of the location of key personal data storage or personal data flows, including cross-border, with defined classes of personal data
PRIVACY MANAGEMENT ACTIVITIES
• Maintain an inventory of personal data and/or processing activities
• Classify personal data by type (e.g. sensitive, confidential, public)
• Obtain regulator approval for data processing (where prior approval is required)
• Register databases with regulators (where registration is required)
• Maintain documentation of data flows (e.g. between systems, between processes, between countries)
• Maintain documentation of the transfer mechanism used for cross-border data flows (e.g. model clauses, BCRs, regulator approvals)
• Use Binding Corporate Rules as a data transfer mechanism
• Use contracts as a data transfer mechanism (e.g. Standard Contractual Clauses)
• Use APEC Cross Border Privacy Rules as a data transfer mechanism
• Use the Data Privacy Framework as a data transfer mechanism
• Use regulator approval as a data transfer mechanism
• Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism
3. Maintain Internal Data Privacy Policy
Maintain a data privacy policy that meets legal requirements and addresses operational risk and risk of harm to individuals
PRIVACY MANAGEMENT ACTIVITIES
• Maintain a data privacy policy
• Maintain an employee data privacy policy
• Maintain an organizational code of conduct that includes privacy
• Document legal basis for processing personal data
• Integrate ethics into data processing (Codes of Conduct, policies and other measures)
4. Embed Data Privacy Into Operations
Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives
PRIVACY MANAGEMENT ACTIVITIES
• Maintain policies/procedures for collection and use of sensitive personal data (including biometric data)
• Maintain policies/procedures for collection and use of children and minors' personal data
• Maintain policies/procedures for maintaining data quality
• Maintain policies/procedures for the de-identification of personal data
• Maintain policies/procedures to review processing conducted wholly or partially by automated means
• Maintain policies/procedures for algorithmic accountability
• Maintain policies/procedures for secondary uses of personal data
• Maintain policies/procedures for obtaining valid consent
• Maintain policies/procedures for secure destruction of personal data
• Integrate data privacy into use of cookies and tracking mechanisms
• Integrate data privacy into records retention practices
• Integrate data privacy into direct marketing practices
• Integrate data privacy into e-mail marketing practices
• Integrate data privacy into telemarketing practices
• Integrate data privacy into digital advertising practices (e.g. online, mobile)
• Integrate data privacy into hiring practices
• Integrate data privacy into the organization's use of social media
• Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures
• Integrate data privacy into health & safety practices
• Integrate data privacy into interactions with works councils
• Integrate data privacy into practices for monitoring employees
• Integrate data privacy into use of CCTV/video surveillance
• Integrate data privacy into use of geo-location (tracking and/or location) devices
• Integrate privacy into the System Development Life Cycle
• Integrate data privacy into policies/procedures regarding access to employees' company e-mail accounts
• Integrate data privacy into e-discovery practices
• Integrate data privacy into conducting internal investigations
• Integrate data privacy into practices for disclosure to and for law enforcement purposes
• Integrate data privacy into research practices (e.g. scientific and historical research)
5. Maintain Training and Awareness Program
Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks
PRIVACY MANAGEMENT ACTIVITIES
• Conduct privacy training
• Conduct privacy training reflecting job-specific content
• Conduct regular refresher training
• Incorporate data privacy into operational training (e.g. HR, marketing, call center)
• Deliver training/awareness in response to timely issues/topics
• Deliver a privacy newsletter, or incorporate privacy into existing corporate communications
• Provide a repository of privacy information (e.g. an internal data privacy intranet)
• Maintain privacy awareness material (e.g. posters and videos)
• Conduct privacy awareness events (e.g. an annual data privacy day/week)
• Measure participation in data privacy training activities (e.g. number of participants, scoring)
• Enforce the requirement to complete privacy training
• Provide ongoing education and training for the Privacy Office and/or DPOs
• Maintain qualifications for individuals responsible for data privacy, including certifications
6. Manage Information Security Risk
Maintain an information security program based on legal requirements and ongoing risk assessments
PRIVACY MANAGEMENT ACTIVITIES
• Integrate data privacy risk into security risk assessments
• Integrate data privacy into the information security program
• Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
• Maintain measures to encrypt personal data
• Maintain an acceptable use of information resources policy
• Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties)
• Integrate data privacy into a corporate security policy (protection of physical premises and hard assets)
• Maintain human resource security measures (e.g. pre-screening, performance appraisals)
• Integrate data privacy into business continuity plans
• Maintain a data-loss prevention strategy
• Conduct regular testing of data security posture
• Maintain a security certification (e.g. ISO, NIST, SOC)
7. Manage Third-Party Risk
Maintain contracts and agreements with third parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance
PRIVACY MANAGEMENT ACTIVITIES
• Maintain defined roles and responsibilities for third parties (e.g. partners, vendors, processors, customers)
• Maintain procedures to execute contracts or agreements with all processors
• Conduct due diligence around the data privacy and security posture of potential vendors/processors
• Conduct due diligence on third-party data sources
• Maintain a third-party data privacy risk assessment process
• Maintain a policy governing use of cloud providers
• Maintain procedures to address instances of non-compliance with contracts and agreements
• Conduct due diligence around the data privacy and security posture of existing vendors/processors
• Review long-term contracts for new or evolving data privacy risks
8. Maintain Notices
Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance
PRIVACY MANAGEMENT ACTIVITIES
• Maintain a data privacy notice
• Provide data privacy notice at all points where personal data is collected
• Provide notice by means of on-location signage, posters
• Provide notice in marketing communications (e.g. emails, flyers, offers)
• Provide notice in contracts and terms
• Maintain scripts for use by employees to explain or provide the data privacy notice
• Maintain a privacy Seal or Trustmark on the website to increase customer trust
9. Respond to Requests and Complaints from Individuals
Maintain effective procedures for interactions with individuals about their personal data
PRIVACY MANAGEMENT ACTIVITIES
• Maintain procedures to address complaints
• Maintain procedures to respond to requests for access to personal data
• Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data
• Maintain procedures to respond to requests to opt out of, restrict or object to processing
• Maintain procedures to respond to requests for information
• Maintain procedures to respond to requests for accounting for disclosures, transfers and sharing of data
• Maintain procedures to respond to requests for data portability
• Maintain procedures to respond to requests to be forgotten or for erasure of data
• Maintain Frequently Asked Questions to respond to queries from individuals
• Investigate root causes of data privacy complaints
• Obtain feedback from individuals about privacy
• Monitor and report metrics for data privacy complaints (e.g. number, root cause)
10. Monitor for New Operational Practices
Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles
PRIVACY MANAGEMENT ACTIVITIES
• Integrate Privacy by Design into data processing operations
• Maintain PIA/DPIA guidelines and templates
• Conduct Impact Assessments for new programs, systems, processes
• Conduct PIAs or DPIAs for changes to existing programs, systems, or processes
• Engage external stakeholders (e.g. individuals, privacy advocates) as part of the PIA/DPIA process
• Track and address data protection issues identified during PIAs/DPIAs
• Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate)
11. Maintain Data Privacy Breach Management Program
Maintain an effective data privacy incident and breach management program
PRIVACY MANAGEMENT ACTIVITIES
• Maintain a data privacy incident/breach response plan
• Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
• Maintain a log to track data privacy incidents/breaches
• Monitor and report data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)
• Conduct periodic testing of the data privacy incident/breach plan
• Engage a breach response remediation provider
• Engage a forensic investigation team
• Obtain data privacy breach insurance coverage
12. Monitor Data Handling Practices
Verify operational practices comply with the data privacy policy and operational policies and procedures, and measure and report on their effectiveness
PRIVACY MANAGEMENT ACTIVITIES
• Conduct self-assessments of privacy management
• Monitor effectiveness of privacy controls
• Conduct ad-hoc walk-throughs
• Conduct ad-hoc assessments based on external events, such as complaints/breaches
• Engage a third party to conduct audits/assessments
• Monitor and report privacy management metrics
• Maintain documentation as evidence to demonstrate compliance and/or accountability
• Use interoperable frameworks to monitor and report on privacy risks
• Maintain certifications, accreditations or data protection seals for demonstrating compliance to regulators
13. Track External Criteria
Track new compliance requirements, expectations, and best practices
PRIVACY MANAGEMENT ACTIVITIES
• Identify ongoing privacy compliance requirements (e.g. law, case law, codes, etc.)
• Maintain subscriptions to compliance reporting service/law firm updates to stay informed of new developments
• Attend/participate in privacy conferences, industry association, or think-tank events
• Record/report on the tracking of new laws, regulations, amendments or other rule sources
• Seek legal opinions regarding recent developments in law
• Identify and manage conflicts in law
• Document decisions around new requirements, including their implementation or any rationale behind decisions not to implement changes
To start your free 14-day trial, visit TrustArc.com
The Privacy Management Accountability Framework™ was developed based on Nymity's global research on data privacy accountability.
The Framework is a comprehensive listing of over 130 Privacy Management Activities (PMAs) categorized into 13 Privacy Management Categories (PMCs).
Copyright © 2023 TrustArc Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of TrustArc Inc. unless otherwise indicated. Reproduction,
modification, transmission, use or quotation of any content, including text, images, photographs etc., requires the prior written permission of TrustArc Inc. Requests may be sent to: support@trustarc.com. UPDATED SEPT 2023