This scenario represents a major non-conformity under DAF P©. Lack of detailed visibility into

personal information across business functions and processes suggests a foundational weakness in

the privacy program. This absence of specific knowledge impairs risk assessment, control

implementation, and compliance alignment — key elements for a robust privacy framework.

The “Privacy Organization and Relationship (POR)” practice area is aimed at building the

organizational structure for privacy. It includes:

Establishing the privacy function and governance (D)

Identifying responsibilities and stakeholders (B)

Coordinating between legal, IT, and security functions (C)

Option A relates more to the “Visibility over Personal Information (VPI)” practice area, where data

inventories and mapping of processes are core objectives. Hence, it is not aligned with POR.

Privacy Enhancing Tools (PETs), as referenced in the DSCI Privacy Framework and aligned global

frameworks, enable users to:

Exercise control over how their personal data is collected, shared, and processed

Use services with the option of anonymity or pseudonymity

Receive sufficient information for informed consent

Opt-out of non-essential data uses such as profiling and behavioral targeting

All the listed actions (I to IV) are valid functions provided by PETs, which support transparency, user

control, and minimization of unnecessary data exposure.

The DSCI Assessment Framework for Privacy (DAF P©) outlines that the Privacy Third Party

Assessment is conducted in two phases:

Initial Assessment – High-level review of privacy practices and process readiness

Detailed Assessment – In-depth evaluation of privacy implementation and evidence review

This phased approach allows assessors to identify maturity gaps early and gather comprehensive

evidence in the second phase.

The complexity of implementing data security for personal information is often influenced by

operational and architectural factors such as:

A: Collecting data through various channels like web forms, mobile apps, customer support, etc.,

which introduces complexity in tracking and securing each channel.

B: Flexible and dynamic business processes that evolve rapidly can complicate access management

due to frequent changes in user roles, workflows, and data access needs.

While regulatory requirements (C) do impact privacy governance, they do not directly contribute to

the complexity of implementing technical security measures.

The DAF P© explicitly states that only DSCI has the authority to issue privacy certification. The

assessor organization conducts the assessment and submits the findings and recommendation, but

the final certification decision rests solely with DSCI based on its review process.

According to the DSCI Assessment Framework for Privacy (DAF P©), the total duration for completing

the assessment, from the initial kickoff to the final report submission to DSCI, must be concluded

within a two-week period. This timeline ensures the assessment stays current and reflects the

organization's real-time privacy status during certification.

According to the DAF P©, the assessment process begins only after the assessee provides required

pre-requisites. These may include:

Completed self-assessment checklist

Documentation on privacy policy, data flows, training records, etc.

This ensures the assessor can effectively plan the assessment and identify areas for further

investigation.

The DAF P© clearly mandates that only assessors affiliated with DSCI Accredited Organizations are

authorized to conduct certification assessments. Even if an individual holds a DSCI Certified Lead

Assessor credential, they must be employed with or contracted through an accredited organization

to carry out official DSCI certification assessments.

below.

Explanation:

The consulting arm of XYZ developed a comprehensive privacy program in line with the company’s

goal to leverage its existing technology infrastructure, resources and capabilities for protecting data.

The program had three parts – awareness and training, policy development and implementation. On

the awareness front, extensive training was conducted for employees on various aspects of privacy

including GDPR compliance. This was followed by the development and rollout of an enterprise-wide

privacy policy which clearly defined the various steps to be taken to protect sensitive personal

information (SPI) such as encryption, access controls etc. After this, customer contracts were

reviewed for appropriate protection clauses and service providers were made to sign ‘reasonable

security practices’ clauses in their contractual obligations as specified in EU GDPR.

At first glance, it seemed that XYZ had taken adequate steps to protect SPI dealt by its service

providers and ensure that it complies with the regulatory requirements. However, on careful

scrutiny, there were some lacunae in the program. For instance, as per EU GDPR, personal data must

be pseudonymized or encrypted prior to transfer from one entity to another. In this case, though

encryption was mentioned in the policy documents but there were no specific measures given for

ensuring proper encryption of data before any transfer. Similarly, ‘reasonable security practices’

clause was included in customer contracts but there was no mention of any tools like firewalls or

other means of protecting sensitive information which could have further strengthened the privacy

protection efforts made by the company.

Thus, it is clear that XYZ did made some efforts to comply with the EU GDPR but in order to ensure

full compliance, more specific measures should have been taken and all contractual obligations must

be such that they clearly define the security and privacy controls that need to be put in place

between customer/client and service provider. This would further give customers greater assurance

of privacy protection from XYZ’s services. Going forward, XYZ can consider investing in more

advanced technologies like biometrics authentication etc for maximum security of data.

Furthermore, the company should also ensure periodic reviews of its policy documents and contracts

so as to ensure better protection of sensitive personal information.

Overall, though XYZ took some reasonable steps to protect SPI of its customers, it should have done

more by introducing advanced security measures and including stringent contractual obligations for

service providers. This would have enabled the company to achieve full compliance with EU GDPR

and ensure greater security of customer’s personal data.