Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

00) Does your organisation collect, process, or store personal data, other than that of your own employees?

January 30, 2023

Answer yes if your organisation collects, processes or stores information that relates to an identified or identifiable individual. You need not answer yes if the only personal data you process is that of your own employees for HR requirements. Data collection also includes any identifiable information collected from web cookies.

If you collect, process or store personal data, then you are responsible for protecting the privacy rights of those individuals the data relates to, and you should have the appropriate controls in place to do this.

There are laws and regulations across the world to ensure organisations are meeting these responsibilities. The laws and regulations which apply to you will depend mostly on:

  1. The location of your head offices or main processing facilities (e.g. main datacenters)
  2. The citizenship of the individuals whose data you are processing.

You may need to abide by more than one regulation. Examples of the most commonly referenced and comprehensive data protection laws and regulations are: the EU General Data Protection Regulation (GDPR), the Australian Privacy Principles (APP) and the California Consumer Privacy Act (CCPA).

The EU GDPR is often regarded as the gold standard for data protection regulation and many other regulations have been based upon it.

The GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based.

How to implement the control

This is a scoping question to help determine whether the controls in this domain are applicable to your organisation.

For practical guidance on how to implement privacy controls within your organisation, you may find the ICO’s Guide to the UK GDPR helpful. Whilst this guidance is structured around the UK GDPR, the privacy principles are much the same across many privacy laws around the world.

The International Association of Privacy Professionals (IAPP) provide useful resources to help you understand which privacy laws apply to you.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.