20 Questions to Ask Yourself About Privacy

  1. What personal information about customers and employees does your business collect and retain?
  2. What personal information do you need and use to conduct sales, marketing, fundraising, and customer relations activities?
  3. What personal information do you obtain from or disclose to affiliates or third parties, for example, through payroll outsourcing, credit processing, or other business agreements?
  4. What legal and/or customary obligations does your business have to protect the privacy of personal information?
  5. What do your competitors and other business associates do about privacy? What is the “standard”?
  6. To what degree are senior managers or owners actively involved in the development, implementation, and promotion of privacy measures within your business?
  7. Have you assigned someone (for example, a privacy officer) the responsibility for privacy issues?
  8. Does the individual responsible for privacy issues have clear authority to oversee the business’s privacy policies and practices?
  9. Are your privacy policies clearly written and enforceable, and do they address issues related to the collection, use, disclosure, and retention of personal information?
  10. Do your privacy policies and practices meet the needs of your business and customers?
  11. How do you communicate to employees your policies and practices for managing personal information?
  12. How do you train employees to protect the privacy of personal information?
  13. How do you communicate your privacy policies and practices to your customers and others, including procedures to make inquiries and file complaints?
  14. Have you set specific privacy-related objectives? What are they?
  15. Have you addressed all privacy-related laws and regulations that apply to your business?
  16. How do your privacy policies and practices compare to those of your competitors and other similar businesses?
  17. Have you established procedures to monitor compliance with your policies and practices? What are they?
  18. What procedures do you have for dealing with inquiries and complaints regarding your business’s collection, use, disclosure, and retention of personal information?
  19. How would your business benefit from a comprehensive, independent assessment of the risks, controls, and business disclosures associated with personal information privacy?
  20. Do you want to add value to your business by employing good privacy practices?

These questions were adapted from “20 Questions Directors Should Ask About Privacy,” published by the Canadian Institute of Chartered Accountants (CICA).