The following article contains guidance explaining portions of the Personal Data Management Policy that we frequently see questions around, explaining what the sections mean.
Guidance statements will appear in bold and enclosed in brackets “[ ]” below the statements of the policy.
Personal Data Management Policy
[COMPANY NAME]
Purpose
The purpose of this Personal Data Management Policy is to establish, document, approve, communicate, apply, evaluate, and maintain policies and procedures for managing personal data within [COMPANY NAME]. This policy aims to ensure that [COMPANY NAME] adheres to legal obligations, industry-specific regulations, regional requirements, compliance mandates, security and privacy requirements, and personal data management best practices. By implementing a robust Personal Data Management Policy, [COMPANY NAME] seeks to protect the privacy of individuals and maintain the trust of its customers, partners, and stakeholders.
Scope
This policy applies to all employees, contractors, and third-party vendors of [COMPANY NAME] who interact with, manage, or access any personal data owned or controlled by [COMPANY NAME].
Roles & Responsibilities
<ROLES AND RESPONSIBILITIES>
[Please see here for more guidance on roles and responsibilities: https://help.drata.com/en/articles/5829670-roles-and-responsibilities-guidance. For example, “Who is responsible for updating, reviewing, and maintaining this policy?” The statement may become “The CISO is responsible for updating, reviewing, and maintaining this policy.”]
Policy
The Personal Data Management Policy identifies the responsibilities of [COMPANY NAME] to maintain compliance with applicable standards, regulations, and obligations. This document is supplemented by other security policies and procedures that enable the personal data management of the organization.
Personal Data Collection
[COMPANY NAME] will ensure that:
Data subjects will receive proper notice that their personal information will be collected or processed.
Data subject consent is obtained before collecting or processing personal information for a purpose that does not meet the requirements in this policy.
The collection, use, retention, and sharing of personal data is reasonably necessary and proportionate to the company’s identified purpose(s). Therefore, [COMPANY NAME] will (a) only collect the minimum necessary personal information; (b) consider possible negative impacts on data subjects; and (c) implement additional measures to address any identified impact.
The purpose(s) for collecting or processing personal data aligns with the data subject’s expectations, based on their relationship with [COMPANY NAME], the type of personal information collected, the source and method of collection, and clear disclosures about the purpose of collection.
Collection of any category of personal information that has not been disclosed to the data subject in the notice, and any additional collection or processing of personal information, will comply with the requirements established in this policy.
[This section addresses the collection of Personal Data, which encompasses the gathering, processing, and storage of Personal Information.]
[COMPANY NAME] will provide an easily-accessible notice for collection of personal data, at the time of, or before the point of, collection. The notice will include:
Categories of personal data collected, including sensitive personal information.
Purpose(s) for collecting and using personal data.
Whether personal data is sold or shared.
Retention period or criteria for determining the retention period.
Links to opt-out of sale/sharing and privacy policy.
Online Collection
[COMPANY NAME] will provide a conspicuous link to the notice on relevant web pages and webforms. For mobile applications, a link to the notice is provided on the download page and within the app settings menu.
[The notice will describe the types of personal data collected, the purposes for collection, and how the data will be used or shared.]
Offline Collection
[COMPANY NAME] will include the notice on printed forms or will provide a paper version. For telephone or in-person collection, the notice will be provided orally.
[In each case, the individual will be informed of their rights related to their data, including how they can access, correct, or request deletion of their information.]
Third-Party Collection
If [COMPANY NAME] partners with a third-party business to collect personal data, both parties will provide a notice at the time of collection. [COMPANY NAME] and the third-party business may provide a single notice including required information about their collective information practices.
[This statement ensures that you conduct due diligence on third-party data sources to ensure compliance with privacy regulations and establish clear data-sharing agreements. Only collect and/or process third-party data that has been lawfully collected.]
Exemptions
[COMPANY NAME] will not provide a notice if it neither collects nor controls the collection of personal data and does not sell or share it.
[Certain data collection activities may be exempt from specific regulatory requirements, such as data collected for legal, security, or contractual obligations.]
Requests and Consent Principles
[COMPANY NAME] will abide by the following request and consent principles:
Easy to understand. [COMPANY NAME] will use clear language for data subject requests and consent.
Symmetry in choice. Paths for privacy-protective and less privacy-protective options will be equally accessible, to ensure no impairment or interference with data subject choices.
Avoid confusing language or elements. [COMPANY NAME] will avoid double negatives and unclear interactive elements, to ensure clarity in data subject choices.
Avoid choice architecture impairments. [COMPANY NAME] will design methods that allow for freely given, specific, informed, and unambiguous data subject consent.
Easy to execute. [COMPANY NAME] will make every effort to minimize burden and friction in data subject request processes, to ensure functionality and prevent the undermining of data subject choices.
[This section describes that data subjects have the right to request access, rectification, deletion, or restriction of their personal data. Consent management ensures data subjects can control how their data is used.]
Privacy By Design
Prohibited Use of Dark Patterns
[COMPANY NAME] prohibits the use of dark patterns, and will ensure that user interfaces that substantially subvert or impair user autonomy, decision-making, or choice are not used.
Interfaces that will be avoided include:
Pre-checked consent boxes
Obscure “unsubscribe” links (e.g., links that are hidden, camouflaged, or presented in the same color as the background, making it difficult for users to locate and opt-out)
Misleading buttons (e.g., buttons with confusing text or placements that would lead users into performing unintended actions)
Forced continuity (e.g., automatic enrollment into paid subscriptions without their knowledge or consent after a trial period)
Bait and switch (e.g., promotion of attractive offers and then changing the terms or conditions after user engagement)
Hidden costs
Use of guilt-inducing language to manipulate user choices
[Dark patterns, or deceptive User Experience (UX)/User Interface (UI) practices designed to mislead users into providing personal data without informed consent, are prohibited.]
Opt-out Preference Signals
[COMPANY NAME] incorporates opt-out preference signals, to provide a simple method for data subjects to opt-out of the sale/sharing of their personal information by:
Processing opt-out preference signals in commonly used formats (e.g., HTTP header field or JavaScript object) if they clearly indicate the data subject's intent to opt-out.
Upon receiving a valid opt-out preference signal, treating it as a request to opt-out of sale/sharing for the browser or device and any associated profiles, including pseudonymous profiles.
Not requiring additional information beyond what is necessary to send the signal, although an option to provide more information to facilitate the opt-out request may be offered.
Resolving any conflicts between opt-out preference signals and business-specific privacy settings or financial incentive programs through the processing of the opt-out request and giving the data subject an opportunity to consent to the sale/sharing of their information.
Not interpreting the absence of an opt-out preference signal after a previous signal, as consent to opt-in to the sale/sharing of personal information.
Displaying the processing status of the opt-out preference signal on its website.
Not using, disclosing, or retaining personal information collected during the opt-out process for any purpose other than sending or processing the signal.
Processing opt-out preference signals in a frictionless manner, without charging fees or changing the data subject's experience.
Including information about the data subject's right to opt-out, the processing of opt-out preference signals, and instructions for submitting opt-out requests in the company Privacy Policy.
[This section describes honoring user opt-out preference signals (OOPS) as required by regulations. Systems will be designed to detect and respect these signals, ensuring that data subjects can exercise their right to data privacy without additional friction or unnecessary verification steps.]
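The following is an added example, not part of the policy template and not Drata's code, showing one way a web backend can honor opt-out preference signals in the manner the section above requires. It assumes the Global Privacy Control (GPC) format that is the common concrete form of the "HTTP header field or JavaScript object" the policy mentions: the request header `Sec-GPC: 1` and the browser property `navigator.globalPrivacyControl === true`. The function names, the in-memory preference store and the device identifiers are this example's own, not anything the policy defines.

```javascript
// Added example (not from the policy template or from Drata): honoring
// opt-out preference signals. Assumes the GPC format: the HTTP request
// header "Sec-GPC: 1" and the JavaScript property
// navigator.globalPrivacyControl === true. All function names, the store
// and the device identifiers below are hypothetical.

const OPT_OUT_HEADER = 'sec-gpc';

// True only when the header unambiguously indicates opt-out intent.
// Header names are case-insensitive, so normalise before comparing.
function headerSignalsOptOut(headers) {
  const entry = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === OPT_OUT_HEADER);
  return entry !== undefined && String(entry[1]).trim() === '1';
}

// True when a client-side object (for example a copy of the relevant
// navigator fields posted by the front end) carries the JavaScript form
// of the signal. Only a strict boolean true counts as a clear signal.
function clientObjectSignalsOptOut(navigatorLike) {
  return Boolean(navigatorLike) && navigatorLike.globalPrivacyControl === true;
}

// Keyed only by an opaque browser/device identifier: nothing else gathered
// while processing the signal is retained, matching the policy's point on
// not reusing information collected during the opt-out process. One
// record covers the device and any profiles (pseudonymous included)
// associated with it.
function createPreferenceStore() {
  const records = new Map();

  function recordFor(deviceId) {
    if (!records.has(deviceId)) {
      records.set(deviceId, {
        optedOut: false,
        explicitOptIn: false,
        status: 'no opt-out preference signal received',
      });
    }
    return records.get(deviceId);
  }

  return {
    // Apply the signals carried by one request to the device's record.
    applyRequest(deviceId, { headers = {}, navigatorLike = null } = {}) {
      const rec = recordFor(deviceId);
      if (headerSignalsOptOut(headers) || clientObjectSignalsOptOut(navigatorLike)) {
        // A valid signal is treated as an opt-out of sale/sharing for this
        // device and its associated profiles. It wins over any
        // business-specific setting or earlier opt-in; the data subject
        // may be offered the chance to consent again, separately.
        rec.optedOut = true;
        rec.explicitOptIn = false;
        rec.status = 'opt-out preference signal honored';
      } else if (rec.optedOut) {
        // Absence of the signal after an earlier one is not consent to opt in.
        rec.status = 'opt-out preference signal previously honored; still opted out';
      }
      return rec;
    },

    // The only way back in: a two-step opt-in (a clear request, then a
    // separate confirmation), mirroring the policy's opt-in section.
    recordOptIn(deviceId, { requested = false, confirmed = false } = {}) {
      const rec = recordFor(deviceId);
      if (requested && confirmed) {
        rec.optedOut = false;
        rec.explicitOptIn = true;
        rec.status = 'explicit opt-in consent recorded';
      }
      return rec;
    },

    // Gate every sale/sharing code path on this check.
    saleSharingAllowed(deviceId) {
      return !records.has(deviceId) || !records.get(deviceId).optedOut;
    },

    // Text for the processing status the website is expected to display.
    statusFor(deviceId) {
      return recordFor(deviceId).status;
    },
  };
}
```

The two design choices worth noting are that a device with no record at all is simply "no signal received" rather than "opted in", and that nothing in the store ever flips `optedOut` back to false except a completed two-step opt-in; a later request without the header leaves the earlier opt-out in place, which is the case the policy calls out explicitly.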
Personal Data Requests
Responding to Requests
[COMPANY NAME] will respond to requests as follows:
For online-only businesses with direct data subject relationships, [COMPANY NAME] will provide an email address for submitting deletion, correction, and information requests.
For other businesses, [COMPANY NAME] will provide two or more methods to submit these requests, including a toll-free phone number and, if a website is maintained, a webform. Other methods may be provided depending on the primary mode of interaction with data subjects.
For requests that are deficient or are submitted through undesignated methods, [COMPANY NAME] will either process the request or provide guidance on proper submission.
[COMPANY NAME] will confirm receipt of requests within 10 business days and provide information about the processing and verification procedures.
[COMPANY NAME] will respond to requests within 45 calendar days, with a possible extension of up to 90 days if necessary. In such cases, data subjects will be notified and provided an explanation for the extension.
[Requests must be verified and processed within the legally required timeframes. Employees handling requests must document the process and outcomes.]
Requests to Know
[COMPANY NAME] will respond to requests to know as follows:
Certain sensitive information will not be disclosed, but data subjects will be informed of the type of information collected.
Reasonable security measures will be used when transmitting personal information.
Personal information collected within the 12 months preceding the request will be provided. Requests for information beyond 12 months may be subject to limitations.
Individualized responses will be provided for requests to know the categories of personal information, sources, or third parties.
Categories of personal information, sources, and third parties will be identified in a way that provides data subjects a meaningful understanding.
For password-protected accounts, a secure self-service portal may be used to comply with a request to know.
If [COMPANY NAME] cannot verify the identity of the requestor, the request for specific personal information will be denied, and the requestor will be informed. The request will be treated as one for disclosure of categories of personal information. If a request for categories of personal information cannot be verified, the requestor will be informed and directed to the organization’s privacy policy. If a request is denied due to a conflict or an exception to an international, federal or state law, the requestor will be informed and provided an explanation.
[Data Subjects may request details on what personal data is collected, processed, and shared. Verify the requestor's identity and if you cannot verify the requestor, provide a detailed explanation.]
Requests to Correct
Upon an approved correction request, [COMPANY NAME]:
May correct the information on its systems and instruct service providers and contractors to do the same.
May request documentation from the data subject to verify the accuracy of the information.
May delete the contested information as an alternative to correction if it doesn't negatively impact the data subject or if the data subject consents.
May deny a request to correct if it has already denied a similar request within the past six months or if it believes the request is fraudulent or abusive.
Will inform the data subject of the outcome of their request. If denied, an explanation will be provided, and the data subject may be offered the option to delete the information.
Will disclose specific pieces of personal information to confirm the correction, excluding certain sensitive information. This is only if the data subject requests the information.
Will implement measures to ensure that corrected personal information remains accurate.
If [COMPANY NAME] is not the source of the contested information, the data subject may be provided with the name of the source. If [COMPANY NAME] cannot verify the identity of the requestor, the request to correct personal information may be denied, and the requestor will be informed. [COMPANY NAME] will consider the totality of the circumstances to determine the accuracy of the contested personal information.
[This section describes correcting the data, verifying its accuracy, deleting it, or denying the request under specific circumstances. Be prepared to confirm the correction with the data subject, if requested, and ensure the accuracy of the corrected data going forward.]
Requests to Delete
[COMPANY NAME] will respond to requests to delete as follows:
Upon approved deletion requests, [COMPANY NAME] will erase, deidentify, or aggregate the personal information, excluding archived or backup systems.
Upon approved deletion requests, [COMPANY NAME] will notify service providers, contractors, and third parties to delete the data subject's personal information, providing a detailed explanation if notifying all parties is impossible or involves disproportionate effort.
[COMPANY NAME] may offer the data subject the option to delete select portions of personal information but must also provide an option to delete all personal information.
In other contexts, [COMPANY NAME] must inform data subjects of their ability to delete select categories of personal information and direct them on how to do so.
Compliance with deletion requests may be delayed for data stored on archived or backup systems until the data is restored or accessed for a sale, disclosure, or commercial purpose.
[COMPANY NAME] will inform the data subject of the deletion request's compliance status and maintain a record of the request as required by law.
If [COMPANY NAME] cannot verify the identity of a deletion requestor, the request may be denied, and the requestor will be informed of the verification issue. If a deletion request is denied in whole or in part, [COMPANY NAME] will provide a detailed explanation, delete the non-exempt personal information, and instruct service providers and contractors to do the same. If a denied deletion request involves personal information sales or sharing, [COMPANY NAME] will ask the data subject if they want to opt-out and provide the Notice of Right to Opt-out of Sale/Sharing.
[When a deletion request is approved, the data is deleted in accordance with the request. If the requestor's identity cannot be verified or if the request is denied, provide a detailed explanation to the requestor based on established procedures.]
Requests to Limit the Use and Disclosure of Sensitive Personal Information
Sensitive Personal Information (SPI) is defined as:
A data subject’s social security, driver’s license, state identification card, or passport number.
A data subject’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
A data subject’s precise geolocation.
A data subject’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
The contents of a data subject’s mail, email, and text messages unless the business is the intended recipient of the communication.
A data subject’s genetic data.
The processing of biometric information for the purpose of uniquely identifying a data subject.
Personal information collected and analyzed concerning a data subject’s health.
Personal information collected and analyzed concerning a data subject’s sex life or sexual orientation.
[COMPANY NAME] will respond to requests to limit the use and disclosure of sensitive personal information as follows:
SPI will be used or disclosed only for purposes necessary to provide requested goods or services or for specific reasons compatible with the context in which it was collected. SPI will not be used for purposes beyond data subject expectations, except for narrowly tailored exceptions outlined in the policy.
Data subjects have the right to request limiting the use of their SPI. [COMPANY NAME] will provide multiple methods for submitting such requests, which are easy to execute, require minimal steps, and comply with relevant regulations.
Requests to limit the use of SPI will be processed promptly, and service providers, contractors, and third parties will be notified accordingly.
Data subjects may use authorized agents to submit requests to limit on their behalf, provided that the agent has written permission from the data subject.
At least 12 months will pass before a data subject who has requested to limit the use of their SPI is asked to consent to the use or disclosure of their SPI for purposes other than those previously specified.
[This section outlines the procedures and requirements for limiting the use and disclosure of Sensitive Personal Information (SPI) in response to requests from individuals seeking to restrict the processing of their sensitive data.]
Requests to Opt-out of Sale/Sharing
[COMPANY NAME] will respond to requests to opt-out of sale/sharing as follows:
[COMPANY NAME] offers multiple methods for data subjects to submit requests to opt-out of personal information sale/sharing, taking into account interaction methods, personal information collection, technology, and ease of use. At least one method aligns with the primary interaction mode with data subjects.
For online personal information collection, [COMPANY NAME] allows data subjects to submit opt-out requests via an opt-out preference signal and at least one other method, such as an interactive form accessible through a "Do Not Sell or Share My Personal Information" link.
If [COMPANY NAME] interacts with data subjects both in person and online, an in-person opt-out method may be provided in addition to the opt-out preference signal.
Opt-out methods are easy to execute and require minimal steps.
[COMPANY NAME] does not require data subjects to create an account or provide unnecessary information when submitting opt-out requests.
If [COMPANY NAME] believes an opt-out request is fraudulent, it may be denied, and the requestor will be informed and provided an explanation.
[COMPANY NAME] ceases personal information sale/sharing within 15 business days from receiving the opt-out request and notifies all third parties to comply with the data subject's request.
[COMPANY NAME] may offer a means for data subjects to confirm that their opt-out request has been processed.
Data subjects may be presented with choices to opt-out of personal information sale/sharing for certain uses, as long as a single option to opt-out of all sale/sharing is also offered.
Data subjects may use authorized agents to submit opt-out requests with written permission from the data subject. [COMPANY NAME] may deny requests from agents without the data subject's signed permission.
[COMPANY NAME] shall wait at least 12 months before asking data subjects who opted out of personal information sale/sharing to consent to the sale or sharing of their personal information.
[This section describes that clear, easily accessible, and user-friendly methods are available for data subjects to exercise their opt-out rights regarding the sale or sharing of their personal information.]
Requests to Opt-in After Opting-out of the Sale or Sharing of Personal Information
To opt-in to personal information sale/sharing, [COMPANY NAME] requires a two-step process, where data subjects must first clearly request to opt-in and then separately confirm their choice.
If a data subject who has opted out attempts a transaction or uses a service requiring personal information sale/sharing, [COMPANY NAME] will inform them of the requirement and provide instructions on how to consent to opt-in.
[Ensure that the data subject making the request to opt in understands that their personal information will be shared or sold.]
<This section is required for GDPR, and possibly other data protection legislation. Adjust as needed for your organization based upon your organization’s data collection and processing activities.>
APPENDIX A
Record of Processing Activity (ROPA)
Different legal jurisdictions have specific requirements and procedures for the processing of personal data. This APPENDIX will highlight those procedures.
[This appendix should be completed when personal data is processed in jurisdictions that require a Record of Processing Activities (ROPA), such as under the EU GDPR or UK GDPR. A ROPA is only required if your organization has over 250 employees, or if your processing is likely to result in high risk to the rights and freedoms of individuals — for example, if you're handling large volumes of sensitive personal data or conducting non-occasional processing. Organizations should assess these criteria to determine their ROPA obligations.]
GDPR
[COMPANY NAME] will maintain a record of personal data processing activities under its responsibility. The record will contain all of the following information:
Name and contact details of [COMPANY NAME] and the data protection officer; and when applicable, a joint controller
Purpose (lawful basis) of processing personal data
Categories of data subjects and categories of personal data being processed
Categories of recipients to whom the personal data has been or will be disclosed
Third parties in other countries or international organizations who receive the personal data
Retention schedule for each category of personal data
General description of technical and organizational security measures related to each processing activity
Processors (and their representatives), who carry out personal data processing on behalf of [COMPANY NAME] will also maintain a record of all categories of processing activities, which will contain:
Name and contact details of the processor and of [COMPANY NAME], and when applicable, each of their representatives and data protection officers
Categories of data subjects and categories of personal data being processed
Third parties in other countries or international organizations who receive the personal data
General description of technical and organizational security measures related to each processing activity
These records will be documented in writing or electronic form, and will be made available to the supervisory authority on request.
<This is required for CCPA. Adjust as needed for your organization based upon your data collection and processing activities.>
CCPA
[COMPANY NAME] is aware that there is no explicit requirement for a formal Record of Processing Activity to be maintained under CCPA regulations; however, [COMPANY NAME] will maintain a record of personal information processing activity, in order to comply with CCPA requirements for record-keeping and responding to consumer requests regarding their personal information collected, maintained, and/or used by [COMPANY NAME]. The record will contain:
Date of an activity (e.g., collection, use)
Nature of the activity
Categories of personal information collected about a consumer
Categories of sources from which the personal information is collected
Business or commercial purpose for collecting or selling the personal information
Categories of third parties with whom [COMPANY NAME] shares personal information
Specific pieces of personal information that have been collected about a consumer
If the activity is a consumer request:
Date and nature of request
Manner in which request was made
Date and nature of response
Basis for denial of a request, if denied in whole or in part
[COMPANY NAME] has no obligation to:
Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.
Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
<This section is required for GDPR. Adjust as needed for your organization based upon your data collection and processing activities.>
APPENDIX B
Privacy Regulation Key Terminology
GDPR

Term | Definition
Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pseudonymisation | The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Third Party | A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent | Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Supervisory Authority | An independent public authority established by a Member State pursuant to Article 51. Supervisory authority concerned means a supervisory authority which is concerned by the processing of personal data because:
Cross-Border Processing |

CCPA

Term | Definition
Consumer | A natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
Aggregate Consumer Information | Information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been deidentified.
Service Provider | A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
Processing | Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.
Pseudonymization | The processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
Third Party | A person who is not any of the following:
Deidentified | Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
Supervisory Authority | The use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
Commercial Purposes | To advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
Verifiable Consumer Request | A request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115 if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.
Revision History
Version | Date | Editor | Approver | Description of Changes | Format |