privacy risk assessment - short form — confidential - International ...

Question Background information, questions to address Requirement Solution / Mitigation Action or Approval (Refer to
Appendix A)
3. What PI is
collected, used,
retained or disclosed
Feel free to use Appendix B as an initial reference, and then be sure
and document any addition data elements here that may be
considered sensitive in the country(s) of concern.
Can the risk of unauthorized access be mitigated by de-identifying the PI, in whole
or part
*For each sensitive
data element, please
describe the need for
collecting or using it..
Can each data element be linked to a valid business or legal reason for collection
and use
Comment [A1]: Why are we asking
them if a data element is sensitive
4. Data flow: Please
describe the flow of
PI (between client,
ourselves, any
vendors or third
parties).
5. Are there any client
contractual
requirements
affecting or requiring
this collection, use or
disclosure of PI
6. Will any third party
be collecting,
managing or
processing PI
provided by
[Company] Please
attach any relevant
agreement.
7. To whom is the PI
disclosed Why (i.e.,
business, legal, or
regulatory reason)
8. Where is the PI
stored (physical
location)
Data flows are very helpful to understand how PI moves and with
whom it’s shared: this is a template to use:
Attach relevant contract terms.
If PI is being shared with a third party or being processed by a
vendor, please complete the data flow above.
Include where appropriate, PI shared with employers, vendors of the
client, or other third parties.
Are there any new vendors involved Have the vendor(s) gone through the Vendor
Security & Privacy Risk Assessment
Page 2 of 8