Answer yes if your organisation collects, processes or stores information that relates to an identified or identifiable individual. You need not answer yes if the only personal data you process is that of your own employees for HR requirements. Data collection also includes any identifiable information collected from web cookies.
If you collect, process or store personal data, then you are responsible for protecting the privacy rights of those individuals the data relates to, and you should have the appropriate controls in place to do this.
There are laws and regulations across the world to ensure organisations are meeting these responsibilities. The laws and regulations which apply to you will depend mostly on:
You may need to abide by more than one regulation. Examples of the most commonly referenced and comprehensive data protection laws and regulations are: the EU General Data Protection Regulation (GDPR), the Australian Privacy Principles (APP) and the California Consumer Privacy Act (CCPA).
The EU GDPR is often regarded as the gold standard for data protection regulation and many other regulations have been based upon it.
The GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based.
This is a scoping question to help determine whether the controls in this domain are applicable to your organisation.
For practical guidance on how to implement privacy controls within your organisation, you may find the ICO’s Guide to the UK GDPR helpful. Whilst this guidance is structured around the UK GDPR, the privacy principles are much the same across many privacy laws around the world.
The International Association of Privacy Professionals (IAPP) provide useful resources to help you understand which privacy laws apply to you.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.