PRIV- 15 – Data Collection Tracking

What is this control about?

Implementing the ‘Data Collection Tracking’ control is crucial for organizations to ensure responsible and transparent data handling practices. In today’s data-driven world, organizations collect and process vast amounts of data from various sources. This data often includes sensitive information about individuals, which may be subject to privacy regulations and data protection laws.

Available tools in the marketplace

Tools:

TrustArc DataGrail

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• N/A- No templates for this section

Control implementation

Here are some guidelines to implement a Data Collection Tracking program:

• Identify Data Collection Objectives – Clearly define the purpose and goals of the data collection program. Understand what specific data you need to collect and why.
• Conduct a Privacy Impact Assessment (PIA) –  Perform a comprehensive privacy impact assessment to identify potential risks and ensure that data collection aligns with privacy regulations and principles.
• Define Data Categories and Data Types – Categorize the data you plan to collect based on its sensitivity and impact on user privacy. Identify personal data and sensitive information that may require special protection.
• Determine Legal Basis and Consent Mechanisms – Identify the legal basis for data collection, ensuring compliance with relevant privacy laws (e.g., GDPR, CCPA). Determine whether consent is required and establish appropriate consent mechanisms.
• Implement Data Protection Measures – Develop and implement data protection measures, including encryption, access controls, and secure storage, to safeguard collected data from unauthorized access.
• Create Transparent Privacy Notices – Develop clear and concise privacy notices that inform users about the data collection, its purpose, the legal basis, and their rights regarding their data.
• Obtain User Consent – Obtain explicit and informed consent from users before collecting their data. Ensure that the consent process is user-friendly and easily accessible.
•  Establish Data Retention Policies – Define data retention periods and adhere to the principle of data minimization. Regularly review and delete unnecessary data to reduce the risk of data breaches.
• Implement Tracking Mechanisms -Use appropriate tracking technologies to monitor data collection activities. These may include cookies, analytics tools, or other tracking scripts.
• Conduct Regular Audits – Conduct periodic audits to ensure that data collection practices align with the defined objectives, consent mechanisms, and privacy policies.
• Train Staff and Raise Awareness – Train employees involved in data collection on privacy best practices and data protection measures. Educate all staff members about the importance of privacy and their role in maintaining data security.
• Monitor Data Requests and User Rights – Establish a process to handle data access requests and user rights, such as data deletion or data portability.

   

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

• Data Collection Consent Mechanisms Configuration

Provide evidence of consent mechanisms used by the organization to obtain explicit consent from individuals whose data is collected. This could include consent forms, cookie banners (for websites), or other documented means of obtaining consent.

Evidence example

For the suggested action, an example is provided below:

• Data Collection Consent Mechanisms Configuration

Screenshot source