GOV-022 Privacy Program and Data Protection Policy
Description
A documented privacy program exists with a named privacy lead, a data protection policy approved by management, and controls covering the personal data lifecycle. The program addresses applicable privacy regulations and is reviewed at defined intervals.
Rationale
Privacy compliance requires both a governing policy and an operationalized program. A policy without a program is unenforceable; a program without a policy lacks the authoritative mandate needed for organizational compliance.
Framework Mappings (5)
| Framework | Control | Title | Coverage |
|---|---|---|---|
| CSA CCM v4 | DSP-01 | Security and Privacy Policy and Procedures | partial |
| GDPR | Art. 24 | Controller Responsibility and Demonstrable Compliance | full |
| ISO/IEC 27002:2022 | 5.34 | Privacy and protection of PII | full |
| NIST SP 800-53 Rev. 5 | PM-18 | Privacy Program Plan | full |
| NIST SP 800-53 Rev. 5 | PM-19 | Privacy Program Leadership Role | partial |
Evidence (2)
Data protection policy approved by management, with a named privacy lead, covering the personal data lifecycle and applicable privacy regulations.
Example: Data Protection Policy (Confluence / policy management system), approved by the named DPO or privacy lead and a senior executive, covering: lawful basis for processing, data subject rights, data retention, breach notification, and applicable regulations (GDPR, CCPA, etc.).
Test: Request the data protection policy. Verify: (1) a named privacy lead or DPO is identified, (2) lawful bases for processing are listed, (3) data subject rights procedures are referenced, (4) breach notification obligations and timelines are stated, (5) the policy has been approved and is dated within the last 12 months.
Privacy program activity records confirming the privacy program is operational, such as a Record of Processing Activities (RoPA), a DPIA register, or privacy review records.
Example: GDPR Record of Processing Activities (Article 30 RoPA) and/or DPIA register (OneTrust / spreadsheet), showing at least three current processing activities with named controller, data categories, purposes, legal basis, retention periods, and recipients. Note that legal basis is not itself an Article 30(1) field, but this control's test expects it to be recorded per entry.
Test: Request the RoPA and/or DPIA register. Verify: (1) at least the key data processing activities are documented, (2) each entry includes: data categories, purpose, legal basis, retention, and third-party recipients, (3) high-risk processing activities have an associated DPIA, (4) the RoPA has been reviewed within the last 12 months.
Questions (2)
Does your organization have a documented data protection policy, approved by management, with a named privacy lead responsible for the privacy program?
The policy should cover lawful basis for processing, data subject rights, breach notification, and applicable regulations (e.g. GDPR, CCPA), and be approved within the last 12 months.
Which of the following privacy program artifacts does your organization currently maintain?
A functioning privacy program requires operational artifacts beyond the policy itself — at minimum a RoPA and a breach notification procedure.