PRIV-39 – R&D Privacy Practices


What is this control about?

The ‘R&D Privacy Practices’ control matters to any organization that conducts research and development on personal data. It ensures that privacy and data protection considerations are embedded throughout the R&D process, so that sensitive information is safeguarded and the organization stays compliant with applicable data protection laws and regulations.

Available tools in the marketplace

Tools:
  • N/A – No tools for this control

Available templates

TrustCloud has a curated list of internally and externally sourced templates to help you get started. Click the link for a downloadable version:

Control implementation

Here are some guidelines for implementing an effective R&D Privacy Practices program:

  • Privacy Impact Assessment (PIA): Conduct a privacy impact assessment for each R&D project, before personal data is collected, to identify potential privacy risks and assess the data protection implications. This involves evaluating the types of data collected, processed, and stored during the project, the associated privacy risks, and the mitigations applied. Revisit the assessment when the project’s scope or data use changes.
  • Privacy Policy and Notices: Develop a privacy policy and data protection notices specific to R&D activities. These documents should tell research participants the purpose of data collection, the types of data processed, and their rights regarding their personal information.
  • Informed Consent Process: Establish an informed consent process that ensures research participants understand the implications of sharing their data for R&D purposes. Obtain explicit, informed consent from individuals before collecting and processing their personal data, and record that consent so it can be evidenced later.

What evidence do auditors look for?

Most auditors, at a minimum, look for the evidence below:

  • Privacy Impact Assessments (PIAs): Copies of the Privacy Impact Assessments conducted for each R&D project. These assessments should identify the privacy risks associated with the project, outline mitigation strategies, and demonstrate an understanding of the data protection implications.
  • Privacy Policy and Data Protection Notices: The organization’s privacy policy specific to R&D activities, along with the data protection notices provided to research participants. These documents should inform individuals about the purpose of data collection, the types of data processed, and their rights regarding their personal information.

Evidence example

For each suggested item, an example is provided below:

  • Privacy Impact Assessments (PIAs)

Leverage this template: Privacy Impact Assessment Report

  • Privacy Policy and Data Protection Notices

[Screenshot: PRIV 39 1]
