
TRUSTe GDPR Readiness Privacy Assessment

Sample
About the Assessment: This high-level readiness assessment is designed to help companies understand the core obligations of the
European Union's General Data Protection Regulation (GDPR), and determine which business processes they will need to review and
implement in preparation for the GDPR. This version of the Assessment is based on the final version of the GDPR which was formally
adopted by Parliament on April 14, 2016. The GDPR is scheduled to take effect in Spring 2018.
Note - This sample contains one section of the full TRUSTe GDPR Readiness assessment. To access the full 70+ question template, or find
out about our other privacy assessment templates, contact your TRUSTe Representative.

Columns of the assessment template: Q# | Question | Possible Responses | Compliant Response | Remediation Recommendation

Section 1 - Transparency
Review general and specific Privacy Notices to ensure the following information is provided to individuals in advance of collecting personal information from them.

Note: A Privacy Notice is a comprehensive, outward-facing statement explaining the organization's privacy policies and practices.

Q1. Are individuals provided with a Privacy Notice explaining the organization's internal Privacy Policy and practices?
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: Provide a Privacy Notice prominently and conspicuously on the website, mobile application, or online service. The Privacy Notice should be clearly labeled and placed in an area of the organization's website or service that is easily accessible and intuitive, usually the homepage. The Privacy Notice should be written in plain language so that it is easily understandable by individuals and should explain the organization's policies and procedures around collecting, using, and disclosing individuals' personal information, as well as processes and procedures for requesting access to collected personal information or to submit a privacy-related complaint.

Q2. Does the Privacy Notice include the identity of and contact information for the controller or the controller's representative, as well as the contact details of the data protection officer (if any)?
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: Include in the Privacy Notice the identity of and contact information for the controller or the controller's representative, as well as the contact details of the data protection officer (if any).

Q3. Does the Privacy Notice describe the types of personal information, including sensitive information, collected from individuals? Where individuals' personal information is processed based on their consent, explain the types of information collected and processed. Where processing is based on a legitimate legal interest or the information processed relates to a third party, the types of information collected and processed do not need to be explained.
    Possible Responses: Yes / No / N/A, this assessment does not relate to information processed based on individuals' consent
    Compliant Response: Yes
    Remediation Recommendation: Where necessary, explain in the Privacy Notice what types of personal information are collected from or about individuals. In a plain, straightforward manner:
    - Describe how personal information is collected from or about individuals;
    - Describe the types of personal information collected from or about individuals, including sensitive information;
    - If personal information is collected on the organization's website or online service through passive technologies such as cookies or web beacons, clearly describe the collection methods and what personal information is collected through those mechanisms;
    - Be reasonably specific in describing the kind of personal information collected;
    - Explain whether personal information is appended with information obtained from third-party sources, and, if so, the types of information being appended and the purpose for appending collected information;
    - At a minimum, list the categories of personal information the organization collects from individuals.
    Where an individual's personal information is processed based on the individual's consent, explain the types of personal information collected and processed. The types of personal information collected and processed do not need to be included in the notice if processing is based on a legitimate legal interest or the information processed relates to a third party.

Q4. Does the Privacy Notice describe the purposes for which collected personal information, including sensitive information, will be used?
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: Explain in the Privacy Notice the purpose for collecting personal information, including sensitive information, from individuals. The Notice should include a description of how personal and/or sensitive information collected from individuals will be used, including whether individuals' personal information will be disclosed to third parties and a description of communications or other contact an individual may receive by providing their personal information. Disclosures of consumer privacy and sharing practices are key in building trust in an organization. An organization's Privacy Notice that explains to individuals and visitors how it uses and shares their personal information helps achieve transparency and build user trust.

Q5. Does the Privacy Notice describe the circumstances under which personal information is disclosed or shared with third parties, including service providers, and the purpose for those disclosures?
    Possible Responses: Yes / No / N/A, we do not share or otherwise disclose individuals' personal information to third parties
    Compliant Response: No
    Remediation Recommendation: The Privacy Notice should:
    - Explain whether and when an individual's personal information may be disclosed to third parties;
    - Explain practices regarding the sharing of personal information with other entities, including affiliates and marketing partners;
    - Explain the purposes for disclosing individuals' personal information.

Q6. Does the Privacy Notice include a description of the categories or types of third parties to whom personal information is disclosed or shared?
    Possible Responses: Yes / No / N/A, we do not share or otherwise disclose individuals' personal information to third parties
    Compliant Response: No
    Remediation Recommendation: At a minimum, list the different types or categories of companies with whom individuals' personal information will be shared in the Privacy Notice. Whenever possible, provide a link to the Privacy Notices of third parties with whom individuals' personal information will be shared.

Q7. Are individuals informed that their personal information will be transferred to a third country or international organization and whether there is a legitimate transfer mechanism in place? Common transfer mechanisms include an adequacy decision by the Commission regarding the recipient of the transfer, Binding Corporate Rules, Model Contract Clauses, an approved Code of Conduct, or approved certification mechanism.
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: Inform individuals that their personal information will be transferred to a third country or international organization and explain whether there is a legitimate transfer mechanism regarding the recipient of that transfer, such as an adequacy decision by the Commission regarding the recipient of the transfer, Binding Corporate Rules, Model Contract Clauses, an approved Code of Conduct, or approved certification mechanism.

Q8. Does the Privacy Notice describe the method for individuals to exercise choice and update their preferences regarding how their personal information will be used, including whether and to whom it is disclosed?
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: The Privacy Notice should describe choices available to individuals about how their personal information is used, including any choice programs whereby an individual may indicate preferences about whether their personal information is disclosed to third parties and preferences regarding the frequency, subject matter, and/or format of communications.

Q9. Is the Privacy Notice easily accessible at the time the individual first interacts with the product or service (e.g., accessible via website homepage or app store listing)?
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: A Privacy Notice is "conspicuous" when it is easily recognizable and accessible. Below are some additional recommendations on how to make the Privacy Notice easily accessible and distinguishable through an online service.
    Websites:
    - Make the link conspicuous by using type that is larger than the surrounding text, set in a contrasting color, or use symbols that call attention to it;
    - Put a conspicuous link to the Privacy Notice on the homepage and all pages that collect personal information from individuals;
    - Format the Privacy Notice so that it can be printed as a separate document.
    Mobile apps:
    - Provide a link to the Privacy Notice from the application's app store listing, so that the Notice is accessible prior to downloading and installing an application;
    - Provide a link to the Privacy Notice from within the application. Typically, a Privacy Notice can be found when accessing the app's settings.

Q10. Is the Privacy Notice easily distinguishable from other information (e.g., Terms of Service) the organization provides?
    Note: Typically a Privacy Notice is made available through an organization's online service(s). Some organizations also make their privacy notices available in printed form.
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: The Privacy Notice needs to be easily distinguishable from other types of notices the organization provides (e.g., Terms of Service). For example, a link to the Privacy Notice should contain the word "Privacy".

Q11. Is the Privacy Notice written in plain language so that it is easily understood by individuals?
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: The Privacy Notice should be drafted in a clear and understandable format, using plain language so it is easily understood by individuals. To ensure readability, the Privacy Notice should:
    - Use plain, straightforward language, avoiding technical or legal jargon;
    - Use short sentences;
    - Use the active voice;
    - Use titles and headers to identify key parts of the Notice;
    - Use a format that makes the Notice readable, including on smaller screens (such as on a mobile device);
    - Utilize a layered notice format to highlight the most relevant privacy practices;
    - Use graphics or icons to help individuals easily find information on specific privacy practices and privacy settings.

Q12. Is the Privacy Notice available in all languages in which business is conducted?
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: The Privacy Notice should appear in the language(s) in which the organization conducts business. For example, if the organization's services support English, French, and German, the Privacy Notice should be available in those languages.

Q13. If the organization seeks consent from individuals for the processing of their personal information within its Privacy Notice, is the request for consent conspicuous and set out from the rest of the text of the Privacy Notice (e.g., bold, highlighted, etc.)?
    Possible Responses: Yes / No / N/A, we do not seek consent from individuals within our Privacy Notice
    Compliant Response: Yes or N/A
    Remediation Recommendation: Where seeking consent from individuals to process their personal information within the Privacy Notice, ensure that the request is set out from the rest of the text of the Privacy Notice and is conspicuous and distinguishable from the rest of the Notice. For instance, set the text in bold, capital letters, or a contrasting or highlighted color to draw attention to that portion of the Notice.

Q14. Is there an immediately visible, clearly labeled, and accessible notice regarding the use of cookies and other passive technologies?
    Possible Responses: Yes / No
    Compliant Response: Yes
    Remediation Recommendation: Provide a conspicuous and immediately accessible Cookie Notice on the website or online service if cookies or other passive collection technologies are used.

Q15. In the event that individuals are not informed in advance of processing activities, are individuals provided specific information about how their information is processed within a reasonable time after the information has been collected and before the information is processed?
    Possible Responses: Yes / No / N/A, notice is provided prior to or at the time of personal information collection
    Compliant Response: Yes
    Remediation Recommendation: Provide individuals with specific information about their information processing within a reasonable time after collecting the information from them, not to exceed one month, or at the time of the first communication with the individual. Ensure that this information is communicated to individuals before their information is processed.

Section 2 - Collection and Purpose Limitation
Minimize the collection and use of information. Collect only information which is necessary or relevant to the purpose for collection. Use information only for the purposes or in the manners outlined in the Privacy Notice or for which the individual has otherwise consented.

Section 3 - Consent
Obtain consent from individuals for the collection or processing of their personal information.

Section 4 - Quality
Steps should be taken to ensure that the information collected from and held about individuals is up-to-date, complete, and accurate.

Section 5 - Privacy Program Management
Put in place a privacy program that documents the organization's privacy policies and procedures. Review the privacy program at regular, planned intervals to verify that the policies and protocol therein are still complete and relevant to your organization. Ensure that relevant parties (e.g., employees, subprocessors) are required to indicate in writing their agreement to the policies that apply to them.

Section 6 - Security for Privacy
Implement reasonable technical, administrative, and physical security measures to safeguard individuals' personal information.

Section 7 - Data Breach Readiness and Response
Organizations should have a documented incident response plan with procedures and templates to notify individuals and supervisory authorities.

Section 8 - Individual Rights
This section covers several rights belonging to the individual laid out in GDPR: access, data portability, erasure, and the right to object to certain types of processing.

Tired of managing assessments in a spreadsheet? Schedule a demo of TRUSTe Assessment Manager, an online, interactive system that streamlines the process of conducting and managing privacy assessments and PIAs.

TRUSTe Assessment Manager
- Comprehensive Library of Assessment Templates - GDPR, Vendor Risk, Breach Preparation, PIAs, etc.
- Automated Gap Analysis
- Remediation Guidance
- Executive Dashboard
- Centralized, On-Demand Reporting
- SaaS Technology (No downloads, IT, custom coding)
- Flexible, usage-based pricing options

TRUSTe also offers privacy consulting on a wide range of topics.

For more information, call 888-878-7830 or visit www.truste.com