Privacy Assessment Test

Self-assess your privacy compliance readiness now.

Questions

Context of the organization
Personal Information Management System
Have you identified the role of the organization, as PII controller and/or PII processor?
Uncheck if not relevant.
Have you established an information security management system for your organization that supports the processing of privacy information?
Have you identified the applicable legislation, regulations, judicial decisions and administrative decisions associated with personal data management that are relevant to your organization?
Context of the organization
Internal and external stakeholders
Have you included privacy management in the scope of the information security management system / personal information management system?
Have you identified and listed the stakeholders associated with privacy in the list of interested parties?
Planning
Information Security Risk Assessment & Treatment
Have you included the scenarios of loss of confidentiality, integrity and availability of personal information in your risk assessment process?
Have you assessed the risk of processing PII as part of the risk assessment?
Have you identified risk treatment plans for treating the risks associated with personal data privacy?
Do you possess and maintain a risk register containing personal data risks?
Do you have a statement of applicability containing the controls associated with personal data protection?
Do you have documented risk treatment plans for the identified risks associated with personal data?
Planning
Information security objectives and planning to achieve them
Have you identified Key Performance Indicators (KPIs) for personal data security?
Have you defined targets against the KPIs identified?
Information Security Management System
Policy and Roles and Responsibilities
Have you established an information security policy, or a separate personal data protection policy, that lists the policies related to personal data protection?
Have you defined the roles and responsibilities for managing personal data security?
Have you designated a single point of contact in charge of personal data processing who is independent and reports at management level?
Information Security Management System
Organizational Controls
Have you included Personally Identifiable Information in your schema for classifying information?
Have you included the classification schema, including PII, in the user awareness training material?
Have you listed, in your agreements with third parties, the minimum technical and organizational security measures required for storing personal data, to ensure that your organization meets its PII protection obligations?
Have you identified the timelines for notifying the associated party when a breach of the personal data provided is suspected?
Have you identified who owns the listed security measures, whether your organization or the tenant, and documented this in the agreement?
Do you treat suspected PII breaches as one of the events that trigger information security incident management?
Do you own and practice a procedure to alert data subjects, within the committed time period, in case of a confirmed data breach?
Do you own and practice a procedure to notify legal and regulatory authorities, within the committed time period, in case of a confirmed data breach?
Do you own and practice a procedure to notify associated third parties, within the committed time period, in case of a confirmed data breach?
Do you have a practice of reviewing personal data breaches at management level in order to plan the necessary response?
Do you maintain a record of breaches, with information such as a description of the incident, its duration, its consequences, the stakeholders notified, the mitigation measures taken, the amount of information lost or altered by the incident, and the lessons learned?
Do you perform regular independent audits of the PII protection measures implemented?
Do you have a record retention policy mandating the retention of records involving personal data, or associated with the personal data policy, as required by the laws and regulations of the country of operation?
Does your annual technical review (e.g. penetration testing) cover the measures taken to secure PII?
Information Security Management System
Physical Controls
Have you included, in the clear desk and clear screen policy, the restrictions that apply when creating hard-copy material containing PII?
Do you have mechanisms in place to erase PII from storage devices as part of handing over assets for re-use?
Do you use secure disposal methods for storage media, so that the PII they contain cannot be retrieved?
Information Security Management System
Technological Controls
Have you adopted a policy, and implemented the necessary controls, to ensure that PII is secure on approved mobile devices?
Do you have guiding policies for registering and de-registering users, including administrators, who access systems containing PII?
Have you adopted policies for reporting events such as the detection of unauthorized access to systems or the compromise of passwords?
Have you adopted a policy not to re-issue expired or de-activated user IDs to users?
Do you maintain an inventory of users who have access to systems where PII is stored?
Have you adopted a policy, and implemented the required measures, to ensure that PII is erased from backups when needed?
Do you have measures in place to ensure that restored PII is secure, and that its integrity can be assured, during restoration testing?
Have you ensured that system logs and application logs are protected and that access to them is restricted, since log information can contain PII?
Have you documented and adopted a policy to alert data owners in the event of unauthorized access to, or deletion of, PII?
Do you encrypt PII, or at least critical data such as health information and passport information, when storing it?
Do you encrypt PII, or at least critical data such as health information and passport information, when transmitting it?
Do you have an approved secure development process integrated with the organization's obligations under its PII principles?
Do you perform a privacy impact assessment before finalizing the requirements for system / software development or enhancement?
Have you adopted the principles of privacy by design and privacy by default as part of your secure system engineering principles?
Do you follow an approved software development policy that aligns with the privacy principles adopted by the organization?
Have you adopted policies mandating that PII shall not be used for testing unless there is an approved exception?
PIMS Specific Controls
Conditions for collecting and processing
Have you identified and documented the purpose of collecting personal data?
Have you identified a lawful basis for processing the personal data?
Have you adopted a process for obtaining consent from the data subject?
Do you obtain and record consent from the data subject?
Do you have a practice of securing the digital and physical records associated with the processing of PII?
Have you adopted a policy and practice that restricts the use of PII for marketing and advertising purposes unless the user has given explicit consent?
Do you have a process to notify the data subject if an infringement of laws and regulations is observed while processing PII?
PIMS Specific Controls
Obligations to PII principals
Have you identified your obligations to PII data subjects?
Do you practice the fulfillment of your obligations to PII data subjects?
Do you provide a mechanism for data subjects to modify or withdraw consent?
Do you provide a mechanism to object to PII processing?
Do you allow users to access, request access to, correct and/or erase their PII?
Do you have a practice of informing third parties of the policies and obligations related to securing PII?
Have you adopted a process for providing data subjects with a copy of their PII?
Have you adopted measures to respond to data user requests concerning PII?
PIMS Specific Controls
Privacy by design and privacy by default
Have you adopted policies to limit the collection and processing of PII?
Have you adopted a policy to minimize the collection of PII?
Do you practice de-identification or deletion of PII after the end of processing?
Do you have a policy to clear the temporary files created as part of processing?
Do you have a process to transfer PII to a third party if the data subject so requires?
PIMS Specific Controls
PII sharing, transfer and disclosure
Have you listed the countries and organizations to which PII can be transferred?
Do you maintain a record of PII transfers?
Do you maintain records of disclosures of PII to third parties?
Do you disclose the list of associated subcontractors processing PII to data subjects or third parties?
Do you notify data controllers if there is a change in a subcontractor processing PII?
