TrustArc Privacy and
Data Governance Framework

Program Phase: Build
Establish, maintain, and continually evolve and improve a privacy program aligned with other information governance, compliance and risk management functions such as security, IP and trade secret protection and e-discovery. “Build” standards aligned with key laws, regulations, and effective ethics and compliance programs.
Standards

| Standard | Description |
|---|---|
| Integrated Governance | Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals. |
| Risk Assessment | Identify, assess and classify data-related strategic, operational, legal compliance and financial risks. |
| Resource Allocation | Establish budgets. Define roles and responsibilities. Assign competent personnel. |
| Policies & Standards | Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks. |
| Processes | Establish, manage, measure and continually improve processes for D/PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management. |
| Awareness & Training | Communicate expectations. Provide general and contextual training. |
Program Phase: Implement
“Implement” standards for designing and/or engineering effective privacy and data governance controls into organizational processes, products and technologies, and for maintaining or enhancing those controls throughout the lifecycle of the product, process or technology. Conduct privacy impact assessments (D/PIAs) where processing presents a high inherent risk of harm to individuals, and remediate identified risks.
Standards

| Standard | Description |
|---|---|
| Data Necessity | Optimize data value by collecting and retaining only the data necessary for strategic goals. Leverage anonymization, de-identification, pseudonymization and coding to mitigate data-related risks. |
| Use, Retention and Disposal | Ensure data are used only as legally permissible and solely for purposes that are relevant to and compatible with the purposes for which they were collected. |
| Disclosure to Third Parties and Onward Transfer | Preserve the standards and protections for data when they are transferred to third-party organizations and/or across country borders. |
| Choice and Consent | Enable individuals to choose whether personal data about them are processed. Obtain and document prior permission where necessary and appropriate, and enable individuals to opt out of ongoing processing. |
| Access and Individual Rights | Enable individuals to access information about themselves and to amend, correct and, as appropriate, delete information that is inaccurate, incomplete or outdated. |
| Data Integrity and Quality | Assure that data are kept sufficiently accurate, complete, relevant and current, consistent with their intended use. |
| Security | Protect data from loss, misuse and unauthorized access, disclosure, alteration or destruction. |
| Transparency | Inform individuals about the ways in which data about them are processed and how to exercise their data-related rights, including those arising out of data breaches. |
Program Phase: Demonstrate
“Demonstrate” standards for providing evidence of program and practices compliance, maturity, responsibility and value.
Standards

| Standard | Description |
|---|---|
| Monitoring and Assurance | Evaluate and audit the effectiveness of controls and risk mitigation initiatives. |
| Reporting and Certification | Demonstrate the value and effectiveness of your program and controls to customers, employees, management, the board of directors, regulators and the public. |