TrustArc Privacy and
Data Governance Framework


Program Phase: Build


Establish, maintain, and continually evolve and improve a privacy program aligned with other information governance, compliance and risk management functions such as security, IP and trade secret protection and e-discovery. “Build” standards aligned with key laws, regulations, and effective ethics and compliance programs.


Integrated Governance
Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
Risk Assessment
Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.
Resource Allocation
Establish budgets. Define roles and responsibilities. Assign competent personnel.
Policies & Standards
Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
Establish, manage, measure and continually improve processes for D/PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
Awareness & Training
Communicate expectations. Provide general and contextual training.

Program Phase: Implement


“Implement” standards for designing and/or engineering effective privacy and data governance controls into organizational processes, products and technologies, and maintain or enhance those controls throughout the lifecycle of the product, process or technology. Conduct privacy impact assessments (D/PIAs) where processing presents a high inherent risk of harm to individuals, and remediate identified risks.


Data Necessity
Optimize data value by collecting and retaining only the data necessary for strategic goals. Leverage anonymization, de-identification, pseudonymization and coding to mitigate data-related risks.
Use, Retention and Disposal
Ensure data are used only as legally permissible and solely for purposes that are relevant to and compatible with the purposes for which they were collected.
Disclosure to Third Parties and Onward Transfer
Preserve the standards and protections for data when they are transferred to third-party organizations and/or across country borders.
Choice and Consent
Enable individuals to choose whether personal data about them is processed. Obtain and document prior permission where necessary and appropriate, and enable individuals to opt-out of ongoing processing.
Access and Individual Rights
Enable individuals to access information about themselves and to amend, correct and, as appropriate, delete information that is inaccurate, incomplete or outdated.
Data Integrity and Quality
Assure that data are kept sufficiently accurate, complete, relevant and current, consistent with their intended use.
Protect data from loss, misuse and unauthorized access, disclosure, alteration or destruction.
Inform individuals about the ways in which data about them are processed and how to exercise their data-related rights, including those arising out of data breaches.

Program Phase: Demonstrate


“Demonstrate” standards for providing evidence of program and practices compliance, maturity, responsibility and value.


Monitoring and Assurance
Evaluate and audit effectiveness of controls and risk mitigation initiatives.
Reporting and Certification
Demonstrate the value and effectiveness of your program and controls to customers, employees, management, the board of directors, regulators and the public.