Privacy Contract Management (PCM)

Best Practices

  • Create a list of the relationships that an organization is engaged in and where personal information is exchanged as part of business transactions
  • Create a map of the type of data being transacted against each of these relationships
  • Create a centralized repository of the legal provisions, bindings and liabilities that govern the data transfer with these relationships
  • Identify the technological and organizational measures that an organization has to implement, or demands from its service providers, as part of compliance with the legal requirements
  • Create an inventory of the liability conditions that an organization may like to incorporate in the contractual terms for sharing the liabilities with its service providers, vendors and partners
  • Create an inventory of the specific contractual terms that explicitly mention the data protection requirements. This applies both to an organization that receives data from its clients on the basis of specified terms and to an organization that would like to outsource its operations, where it would specify such terms
  • Ensure that there exists an understanding in the organization about the contractual guidelines prescribed by the regulatory bodies. It should have significant knowledge about the interpretation of these guidelines and their impact on its business
  • Create an inventory of scenarios that reveal how, in the case of a specific incident or breach, the organization or its clients can use the contractual instruments
  • Create a map of the protection measures against each of the contractual terms or requirements. Ensure that these measures generate adequate and timely compliance demonstration artefacts
  • Ensure that the central privacy function oversees the business transactions that involve privacy treatment in the contract
  • Ensure that the central privacy function guides the business units on their contractual requirements and queries
  • Ensure that there exists a proactive mechanism to manage the contracts from a privacy perspective. This requires a central visibility over the privacy contractual elements under which the business units are operating

DSCI Privacy Framework