Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

07-G: Privacy

This section assesses how your organization handles personal data and meets privacy obligations.

The questions focus on how you collect, use, share, and retain personal information; how you provide notice and obtain consent where required; how you protect data subjects’ rights (such as access, correction, or deletion); and how you manage cross-border transfers or third-party sharing. Overall, it confirms that privacy is governed by clear policies, aligned with applicable laws, and supported by operational controls.

Organization

Full Name

26.7- Does your company have a formal, documented privacy policy?

YES

NO

N/A

Explanation: A privacy policy outlines how the company collects, uses, stores, and protects personal data, ensuring compliance with data protection laws.

Risks of Incorrect Answer: Potential legal penalties for failing to comply with privacy regulations.

Loss of client trust if data is mismanaged or mishandled.

Applicable Frameworks: GDPR (Art. 12-14): Requires clear and transparent privacy policies.

ISO 27001 (A.18.1.4): Ensures protection of privacy and personal data.

CCPA (Section 1798.100): Mandates privacy disclosures for businesses handling California residents' data.''

26.7- If No or N/A, please provide an additional explanation

27.6- Does your company have a formal, documented data retention policy?

YES

NO

N/A

Explanation: A data retention policy ensures that data is stored only as long as necessary and securely disposed of when no longer required.

Risks of Incorrect Answer: Excessive data retention increases exposure to breaches and compliance violations.

Non-compliance with regulations mandating data minimization and retention limits.

Applicable Frameworks: ISO 27001 (A.8.3.2): Ensures secure disposal of media containing sensitive information.

GDPR (Art. 5(1)(e)): Requires data retention limits based on necessity.

HIPAA (164.310(d)(2)(i)): Mandates proper retention and destruction of health data.''

27.6- If No or N/A, please provide an additional explanation

28.8- Do you collect personal information directly from individuals?

YES

NO

N/A

Explanation: Understanding how personal data is collected allows for assessing whether appropriate consent mechanisms and safeguards are in place.

Risks of Incorrect Answer: Unauthorized or non-compliant data collection may lead to regulatory fines.

Increased risk of misuse or breaches of sensitive information.

Applicable Frameworks: GDPR (Art. 6, 7): Requires lawful basis and consent for data collection.

CCPA (Section 1798.120): Grants consumers rights over the collection of personal data.'

28.8- If No or N/A, please provide an additional explanation

29.8- Do you have a process in place to securely delete (purge) our client’s data when required?

YES

NO

N/A

Explanation: Secure data deletion ensures that sensitive information is not recoverable and complies with regulatory requirements for data lifecycle management.

Risks of Incorrect Answer: Residual sensitive data could be accessed or leaked, leading to reputational damage.

Non-compliance with regulations requiring secure data destruction.

Applicable Frameworks: ISO 27001 (A.11.2.7): Requires secure disposal of data and equipment.

GDPR (Art. 17): Grants the right to data erasure (right to be forgotten).

HIPAA (164.310(d)(2)(i)): Mandates secure data deletion for healthcare data

29.8- If No or N/A, please provide an additional explanation

Compliance Risk &

Information Security
Partners

CRISP

Empowering small businesses
with BIG Solutions

HOME

ABOUT

CONTACT

Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.

LEGAL POLICIES

Privacy Policy

Terms & Conditions

Disclaimer

Cookie Policy

DSAR

Refunds/Returns

Shipping Policy

EULA

Message

I Consent to Receive SMS Notifications, Alerts & Occasional Marketing Communication from CRISP. Message frequency varies. Message & data rates may apply. Text HELP to (330) 737-2223 for assistance. You can reply STOP to unsubscribe at any time.

​Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

07-G: Privacy

​Compliance Risk &

Information SecurityPartners

Empowering small businesses with BIG Solutions

HOME

ABOUT

Contact Us

LEGAL POLICIES

Compliance Risk &

Compliance Risk &

Information Security
Partners

Empowering small businesses
with BIG Solutions