Understanding Privacy Program Reporting
Privacy programs rely on reports to demonstrate compliance and to monitor the status of their program. The WireWheel platform offers several reports for programs to use to monitor Data Subject Access Requests and privacy operations.
Data Subject Access Rights (DSAR) Reporting
The California Consumer Privacy Act (CCPA) requires businesses subject to the regulation to post their consumer request metrics. These reporting obligations, outlined in Section 999.317(g) of the CCPA, apply to any business that is subject to the CCPA and that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more California residents in a calendar year.
- The number of requests to know that the business received, complied with in whole or in part, and denied;
- The number of requests to delete that the business received, complied with in whole or in part, and denied;
- The number of requests to opt-out that the business received, complied with in whole or in part, and denied;
- The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
WireWheel – DSAR Reporting
With WireWheel’s Trust Access and Consent Center (TAC), customers can export DSAR metrics including Request Type, Request Status and Due Date.
Users with appropriate permissions can generate reports as follows:
- A summary of DSAR metrics for the last year in a simple CSV format.
- Abandoned and Failed DSAR Report – A CSV summary of all Data Subject Access Requests that were begun, but not fully submitted
- DSAR Summary Report – A CSV summary of all Data Subject Access Requests that were begun, regardless of whether or not they were fully submitted.
WireWheel – Sample DSAR Report
Privacy Impact Assessment Reporting
Record Of Processing Activities (ROPA)
WireWheel’s Privacy Operations Manager (POM) enables companies to create a Record of Processing Activity or ROPA. A Record of Processing Activities (ROPA) is a record of an organization’s processing activities involving personal data. Some businesses may think of “processing” as being limited to active events, but a ROPA must also cover data that sits on a server or a shelf. A ROPA includes the following information for each processing activity:
- Names and contact details of the data controller, data processor, data controller’s representative, joint controller, and data protection officer (DPO), if applicable
- Purpose (i.e., lawful basis) of processing personal data
- Categories of data subjects and categories of personal data being processed
- Categories of recipients to whom the personal data has been or will be disclosed
- Third parties in other countries or international organizations who receive the personal data
- Retention schedule for each category of personal data
- General description of technical and organizational security measures related to each processing activity
A completed ROPA lists each processing activity involving personal data and provides detailed information about each of the items listed above.
Why is Record Of Processing Activities (ROPA) Required?
In 2018, companies were first introduced to the concept of a ROPA because of the General Data Protection Regulation (GDPR). Article 30, on Processing Record keeping. Article 30 requires companies to keep a detailed record of all activities related to the processing of personal data, also known as a Record of Processing Activities (ROPA).
Currently U.S. data privacy laws have not directly adopted a provision comparable to Article 30. However, laws like CCPA require an entity to retain records on consumer requests. The Federal Information Security Management Act (FISM) contains a data retention requirement that directs government agencies to archive records on categories of data and certain processing activities.
Benefits of ROPAs include:
- Providing organizations with a close look at their data processes from an enterprise-wide perspective
- Identifying redundancies by detailing cases of the same types of data being saved and updated in different locations at different times, which can make it impossible to identify which records are the most current, complete, and accurate.
- Helping organizations identify where the category of the data is located and how it’s being processed thus enabling the organization to respond to data subject requests promptly and accurately.
- Thinking strategically about data retention schedules and implementing time limits allows the organization to control “data swell” and better leverage its data as a strategic asset. This helps organizations to plan for data retention.
Through the process of data discovery, some organizations realize they have been collecting certain categories of personal data that serve no specific purpose, and the ROPA can serve to validate that data being acquired actually has business value thus streamlining data collection.
WireWheel – ROPA
WireWheel provides customers the ability to customize the ROPA and include only the required information from assessments. ROPAs are mapped to a template which is essentially the blueprint of the assessments. The ROPA is designed to give organizations a single source for answers to key questions about the personal data in the organization: what, who, why, where, when, and how.
WireWheel’s Privacy Operations Manager also provides users with the relevant permissions, the ability to export reports. These reports are used to understand the system process, changes over a period of time, efficiency of the assessments and so on.
The WireWheel platform includes:
- Assessment Summary Report – A summary of the selected assessments in a simple CSV format.
- Assessments by Business Process – Download a CSV (Excel compatible) of a tabular listing of all your Assessments grouped by Business Process.
- User History Over Time – Download a CSV file (Excel compatible) of the number of users by month, segmented by user types.
- Users by Assessment – Download a CSV (Excel compatible) of all your Assessments segmented by users assigned to those Assessments.
WireWheel – Sample POM Report