TrustArc Privacy and Data Governance Framework

Overview

Program Phase: Build

Establish, maintain and continually evolve and improve a privacy program aligned with other information governance, compliance and risk management functions such as security, IP and trade secret protection and e-discovery

6 “Build” standards aligned with key laws, regulations and effective ethics and compliance programs

Standard: Integrated Governance
Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.

Standard: Risk Assessment
Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.

Standard: Resource Allocation
Establish budgets. Define roles and responsibilities. Assign competent personnel.

Standard: Policies & Standards
Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.

Standard: Processes
Establish, manage, measure and continually improve processes for D/PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.

Standard: Awareness & Training
Communicate expectations. Provide general and contextual training.

Program Phase: Implement

8 “Implement” standards for designing and/or engineering effective privacy and data governance controls into organizational processes, products and technologies and maintain or enhance those controls throughout the lifecycle for the product, process or technology

Conduct privacy impact assessments (D/PIAs) presents a high inherent risk of harm to individuals and remediate identified risks

Standard: Data Necessity
Optimize data value by collecting and retaining only the data necessary for strategic goals. Leverage anonymization, de-identification, pseudonymization and coding to mitigate data-related risks.

Standard: Use, Retention and Disposal
Ensure data are used only as legally permissible and solely for purposes that are relevant to and compatible with the purposes for which it was collected.

Standard: Disclosure to Third Parties and Onward Transfer
Preserve the standards and protections for data when it is transferred to third party organizations and / or across country borders.

Standard: Choice and Consent
Enable individuals to choose whether personal data about them is processed. Obtain and document prior permission where necessary and appropriate, and enable individuals to opt-out of ongoing processing.

Standard: Access and Individual Rights
Enable individuals to access information about themselves, to amend, correct, and as appropriate, delete information that is inaccurate, incomplete or outdated.

Standard: Data Integrity and Quality
Assure that data are kept sufficiently accurate, complete, relevant and current consistent with its intended use.

Standard: Security
Protect data from loss, misuse and unauthorized access, disclosure, alteration or destruction.

Standard: Transparency
Inform individuals about the ways in which data about them are processed and how to exercise their data-related rights, including those arising out of data breaches.

Program Phase: Demonstrate

2 “Demonstrate” standards for providing evidence of program and practices compliance, maturity, responsibility and value

Standard: Monitoring and Assurance
Evaluate and audit effectiveness of controls and risk mitigation initiatives.

Standard: Reporting and Certification
Demonstrate the value and effectiveness of your program and controls to customers, employees, management, the board of directors, regulators and the public.