Visibility over Personal Information (VPI)

Best Practices

  • Create an inventory of business processes, enterprise and operational functions, and client relationships that deal with personal information
  • Identify the data elements involved in each of these processes, functions and relationships
  • Identify the type and form of data that is transacted in business processes, the organization’s functions and relationships
  • Create an inventory of how the data is stored against each of the business processes and various functions and relationships
  • Identify how the data is transmitted by the entities involved in a particular business transaction
  • Record the operations that are performed on the data elements. For each data element or group of data elements, identify what operations are being performed. Create an inventory of underlying systems that participate in the transaction of the data
  • Identify the third-party service providers, vendors or partners that are involved in the transaction of the data elements
  • Identify the characteristics of the data environment – an organization’s own environment, service provider’s environment and third-party environment. Record how data access, data flow and the underlying environments vary across these environments
  • Create a map of data access. For each data element, record who has access to the data, how the data is accessed, which systems provision and de-provision the access, and what protocol is used for the access
  • Establish a process for data declaration that can be imposed on all business processes, functions and operations, mandating them to report or declare the personal data that they are exposed to or handling
  • Identify the ownership of applications, systems, network components, endpoints and messaging systems that are involved in the transaction of the data elements
  • Create an inventory of scenarios that could lead to a compromise of the security of the data

DSCI Privacy Framework