Privacy Risk Assessment Questionnaire 

This questionnaire highlights key questions businesses should ask with the aim of understanding privacy risk, implementing sound privacy policies and practices, managing privacy risk, and obtaining privacy assurance.

Understanding Privacy

  1. What personal information about customers and employees does the organization collect and retain?
  2. What personal information does the organization need and use in carrying out business, for example, in sales, marketing, fund raising, and customer relations activities?
  3. What personal information is obtained from or disclosed to affiliates or third parties, for example, in payroll outsourcing?
  4. What is the impact of United States privacy laws and regulations, and/or international privacy requirements, on the organization (which may require a legal interpretation)?
  5. How does the organization’s business plan address the privacy of personal information?

Implementing a Privacy Program

  1. To what degree is senior management actively involved in the development, implementation, and/or promotion of privacy measures within the organization?
  2. Has the organization assigned someone (for example, a chief privacy officer) the responsibility for compliance with privacy legislation?
  3. Has the designated privacy officer been given clear authority to oversee the organization’s information handling practices?
  4. Are adequate resources available for developing, implementing, and maintaining a privacy compliance system?
  5. What privacy policies has the organization established with respect to the collection, use, disclosure, and retention of personal information?
  6. How are the policies and procedures for managing personal information communicated to employees?
  7. How are employees with access to personal information trained in privacy protection?
  8. Are the appropriate forms and documents required by the system fully developed?

Managing Privacy Risk

  1. To comply with the organization’s established privacy policies, what specific objectives have been established?
  2. What are the consequences of not meeting the specific privacy objectives?
  3. To what extent have appropriate control measures been identified and implemented?
  4. How is the effectiveness of the privacy control measures monitored and reported?
  5. What mechanisms are in place to effectively address failures to properly apply the organization’s established privacy policies and procedures?
  6. How would the organization benefit from a comprehensive assessment of the risks, controls, and business disclosures associated with personal information privacy?
  7. Has the organization considered the value-added services available from an independent assurance practitioner with respect to both offline and online privacy?

© 2017 Association of International Certified Professional Accountants. All rights reserved.