A third-party privacy control assessment is an independent and objective evaluation of the design
and effectiveness of the privacy controls implemented by an organization to protect personal data
and comply with privacy laws and regulations. A third-party privacy control assessment can help
senior management verify the success of its commitment to privacy by design by providing the
following benefits:
It can measure the extent to which the organization has adopted and integrated the principles and
practices of privacy by design throughout its products, services, processes and systems.
It can identify the strengths and weaknesses of the organization’s privacy governance, policies,
procedures, standards and guidelines, and provide recommendations for improvement.
It can validate the organization’s compliance with the applicable privacy requirements and
expectations of its customers, stakeholders, regulators and auditors.
It can enhance the organization’s reputation and trustworthiness as a responsible and transparent
data controller and processor.
The other options are less effective or irrelevant for verifying the success of the commitment to
privacy by design. Reviewing the findings of an industry benchmarking assessment may provide
some insights into how the organization compares with its peers or competitors in terms of privacy
performance, but it may not reflect the specific privacy goals, risks and challenges of the
organization. Identifying trends in the organization’s amount of compromised personal data or
number of privacy incidents may indicate some aspects of the organization’s privacy maturity, but
such trends are reactive and lagging indicators that do not capture the proactive and preventive
nature of privacy by design. Moreover, these metrics may not account for other factors that can
influence the occurrence or impact of data breaches or privacy violations, such as external threats,
human error or environmental changes.
Reference:
Privacy by Design: How Far Have We Come? - ISACA, section 1: “Privacy by design challenges
conventional system thinking. It mandates that any system, process or infrastructure that uses
personal data consider privacy throughout its development life cycle.”
Privacy Control Assessment - ISACA, section 1: “A Privacy Control Assessment (PCA) is an
independent evaluation performed by a qualified assessor to determine whether an entity’s controls
are suitably designed and operating effectively to meet its objectives related to protecting personal
information.”
Privacy by Design: The New Competitive Advantage - ISACA, section 2: “Privacy by design is a
proactive approach to embedding privacy into the design specifications of various technologies,
business practices and networked infrastructure.”