A Quick Data Protection Assessment

If you are the person in your organization responsible for leading the effort to protect nonpublic personal information, you must be aware of all applicable state and federal privacy law requirements. Included in these responsibilities is the need to understand the data breach notification laws of 47 states (all except Alabama, New Mexico and South Dakota) as well as DC, Guam, Puerto Rico and the USVI.

This quick data protection survey is designed to point out weaknesses in your compliance efforts. The level of detail you will find useful will depend on the scope of nonpublic personal information kept by your organization.

Remember, if your organization has a complete and working data protection plan, you should be able to answer "YES" to every statement and question below. Each "NO" answer points to an area where you need to improve.


Rule 1: Collecting Data

At the time we collect information from individuals, they are made aware of the uses for that information.

Are the individuals we collect information from made aware of any disclosures of their data to third parties?

We have obtained consent from individuals for any secondary uses of their personal data.

Can we describe our data collection practices as open, transparent and upfront?

Rule 2: Specific Purpose

We have a clear purpose (or purposes) for keeping personal information.

Do the individuals in our database have a clear understanding of the purpose for which we retain their personal information?

We have clear written procedures for maintaining the personal information of individuals in our database.

Rule 3: Use And Disclosure Of Information

We have clear written procedures on how we use and disclose the personal information of the individuals in our database.

Are all members of our organization aware of the written procedures and disclosure rules?

Has all of our data been inventoried and classified by sensitivity?

Rule 4: Security Administration

We have a designated person to oversee compliance with all security policies and procedures in our firm.

We have a written security plan for our organization.

We have a process in place to review and update the security plan at least annually.

All of our computers, servers and databases are password protected, and the nonpublic personal information they hold is encrypted as required by law. (A login password alone does not protect data on a lost or stolen device or drive; encryption at rest is what the breach laws typically look for.)

All of our computers, servers and paper files are physically secured against access by unauthorized people.

Rule 5: Adequate, Relevant And Not Excessive

Do we collect all the information we need to serve our purposes effectively?

Do we check that all of the nonpublic personal information we collect is relevant to, and not excessive for, our specified purposes?

If we were asked to justify every piece of nonpublic personal information we keep on an individual, could we do so?

We have current written policies and procedures for nonpublic personal information retention.

Rule 6: Accurate and Timely

We have written policies and procedures to review our data for accuracy and timeliness.

Our data is analyzed, evaluated and updated at least annually.

We have assigned responsibility for auditing our data to ensure that it is being reviewed and updated as necessary.

Rule 7: Retention Period

We have written policies and procedures on how long items of nonpublic information are to be retained.

We are clear about any legal requirements on us to retain nonpublic personal information.

We have written policies and procedures and schedules for purging unnecessary data.

Do we review purge activity to confirm that data on former customers and employees that is no longer needed or legally required is actually being purged on our schedule?

Rule 8: The Right of Access

We have a specific person responsible for handling access requests.

Do we have clear written policies and procedures for access requests?

Do these policies and procedures comply with all applicable privacy and data security laws and requirements?

Rule 9: Training

We have clear written policies and procedures in place to ensure that everyone in our organization receives security awareness training at least annually.

Our staff are aware of their data protection responsibilities, including confidentiality.

Data protection and security are included as part of the overall training for employees of our organization.

Rule 10: Coordination and Compliance

We have designated a data protection coordinator and a compliance person.

We have written policies and procedures in place for our coordinator to audit data protection and security.

We have detailed plans describing how each mitigating action will be completed, the human and material resources required to implement it, and how each action will be tracked to completion.