TrustArc Privacy and Data Governance Framework

TrustArc Privacy and Data Governance Framework Overview

Program Phase / Standard


Build Framework

Establish, maintain and continually evolve and improve a privacy program aligned with other information governance, compliance and risk management functions such as security, IP and trade secret protection and e-discovery

6 “Build” standards aligned with key laws, regulations and effective ethics and compliance programs

Integrated Governance: Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
Risk Assessment: Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.
Resource Allocation: Establish budgets. Define roles and responsibilities. Assign competent personnel.
Policies & Standards: Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
Processes: Establish, manage, measure and continually improve processes for D/PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
Awareness & Training: Communicate expectations. Provide general and contextual training.


Implement Framework

8 “Implement” standards for designing and/or engineering effective privacy and data governance controls into organizational processes, products and technologies, and for maintaining or enhancing those controls throughout the lifecycle of the product, process or technology

Conduct privacy impact assessments (D/PIAs) where processing presents a high inherent risk of harm to individuals, and remediate identified risks

Data Necessity: Optimize data value by collecting and retaining only the data necessary for strategic goals. Leverage anonymization, de-identification, pseudonymization and coding to mitigate data-related risks.
Use, Retention and Disposal: Ensure data are used only as legally permissible and solely for purposes that are relevant to and compatible with the purposes for which they were collected.
Disclosure to Third Parties and Onward Transfer: Preserve the standards and protections for data when they are transferred to third-party organizations and/or across national borders.
Choice and Consent: Enable individuals to choose whether personal data about them are processed. Obtain and document prior permission where necessary and appropriate, and enable individuals to opt out of ongoing processing.
Access and Individual Rights: Enable individuals to access information about themselves and to amend, correct and, as appropriate, delete information that is inaccurate, incomplete or outdated.
Data Integrity and Quality: Assure that data are kept sufficiently accurate, complete, relevant and current, consistent with their intended use.
Security: Protect data from loss, misuse and unauthorized access, disclosure, alteration or destruction.
Transparency: Inform individuals about the ways in which data about them are processed and how to exercise their data-related rights, including those arising out of data breaches.


Demonstrate Framework

2 “Demonstrate” standards for providing evidence of the compliance, maturity, responsibility and value of the program and its practices

Monitoring and Assurance: Evaluate and audit the effectiveness of controls and risk mitigation initiatives.
Reporting and Certification: Demonstrate the value and effectiveness of your program and controls to customers, employees, management, the board of directors, regulators and the public.