1. Purpose and Scope
This policy defines how personal and corporate data is collected, processed, stored, and protected. It applies to all employees, contractors, suppliers, and partners.
Policy Statements:
- A Privacy Information Management System (PIMS) is maintained in line with ISO/IEC 27701:2019 Clause 5.4.2, integrated into the ISMS scope (ISO/IEC 27001:2022 Clause 4.3).
- Privacy objectives are documented, measurable, and reviewed annually (Clause 6.2).
- Data protection responsibilities are assigned to a formally appointed Data Protection Officer under applicable data protection law; representative reference: EU GDPR Article 37.
2. Lawful Processing
Policy Statements:
- Data is processed lawfully, fairly, and transparently under applicable data protection law in each operating jurisdiction; representative references include EU GDPR Article 5 and POPIA Section 11.
- Consent is obtained where required (Singapore PDPA Part IV, India DPDP Act Section 7).
- Processing activities are documented in a Record of Processing Activities consistent with applicable data protection law; representative reference: EU GDPR Article 30.
- Legitimate interest assessments are conducted before processing where that legal basis is invoked under applicable data protection law; representative reference: EU GDPR Article 6(1)(f).
- Collaborative agreements with partners include explicit data protection clauses, aligned with ISO 44000 Clause 6.2 (Relationship requirements).
- Data sharing agreements define lawful bases for processing and ensure compliance with applicable data protection law in each operating jurisdiction.
- Privacy risks are assessed within the organisation’s enterprise risk management framework — COSO ERM, ISO 31000:2018, or equivalent — ensuring compliance obligations are part of enterprise risk registers.
3. Data Subject Rights
Policy Statements:
- Individuals can access, correct, delete, and port their data under applicable data protection law; representative references include EU GDPR Articles 15–22, POPIA Chapter 3, and Mauritius DPA Section 23.
- Requests are logged and fulfilled within the statutory timelines of applicable data protection law; representative windows include 30 days under POPIA and one month under EU GDPR.
- Appeals and complaints are escalated to the DPO and reviewed quarterly.
4. Security of Processing
Policy Statements:
- Personal data is encrypted at rest and in transit in accordance with the encryption requirements of applicable data protection law and recognised cloud-privacy standards; representative references: EU GDPR Article 32 and ISO/IEC 27018:2019 Clause 11.1.
- Cloud privacy controls are enforced (ISO/IEC 27017:2015, ISO/IEC 27018:2019).
- Access to personal data is restricted to authorised personnel only (ISO 27001 Annex A.9.1.1).
- Regular vulnerability assessments are conducted, aligned with NIST CSF Protect function.
- Joint security controls are agreed upon with cloud providers and data processors, consistent with ISO 44000 Clause 7.3 (Operational management).
- Collaborative audits are conducted with suppliers handling personal data to ensure compliance with ISO/IEC 27701 and privacy laws.
- Internal controls for data protection are designed and evaluated using COSO Internal Control — Integrated Framework (2013) or equivalent internal-control framework adopted by the organisation.
- Collaborative audits with suppliers include COSO control principles for monitoring and assurance.
5. Breach Notification
Policy Statements:
- Breaches are reported to supervisory authorities within the timing required by applicable data protection law; representative window: 72 hours under EU GDPR Articles 33–34, with equivalent obligations under other applicable regimes.
- Affected individuals are notified promptly as required by applicable data protection law; representative reference: POPIA Section 22, with equivalent obligations under other applicable regimes.
- Breach logs are maintained and reviewed quarterly.
- Case studies drawn from significant publicly reported data protection incidents are used in training exercises. Illustrative examples include Equifax 2017 and MOVEit 2023, alongside regionally relevant incidents in each organisation’s operating jurisdiction.
6. Cross-Border Transfers
Policy Statements:
- Cross-border transfers comply with the lawful transfer mechanisms of applicable data protection law in each operating jurisdiction; representative references include EU GDPR Chapter V and Mauritius DPA Section 36.
- Standard Contractual Clauses (SCCs) are reviewed annually.
- AU Convention 108+ obligations are integrated into transfer policies where the organisation operates in signatory states.
- Privacy impact assessments are conducted before new transfers.
- Cross-border data transfers are governed by collaborative agreements that include safeguards and mutual accountability (ISO 44000 Clause 8.2).
- Partners are required to adopt equivalent privacy and security standards before data exchange.
7. Audit and Assurance
Policy Statements:
- Annual privacy audits are conducted (ISO/IEC 27701 Clause 9.2).
- Management reviews privacy performance quarterly (Clause 9.3).
- External audits validate compliance with recognised privacy assurance frameworks applicable to the organisation’s market context; representative reference: SOC 2 Privacy principle (AICPA).
- Corrective actions are tracked and verified.
8. Governance Alignment Statement
This policy supports transparency, accountability, fairness, and stakeholder trust, consistent with recognised corporate governance instruments in each jurisdiction in which the organisation operates. Representative instruments include the OECD Principles of Corporate Governance and the AU APRM framework. National codes referenced as applicable include (non-exhaustive):
- UK Corporate Governance Code
- US SOX Section 404
- Japan Corporate Governance Code
- Singapore Code of Corporate Governance
- India SEBI LODR
- South Africa King V
- Mauritius National Code of Corporate Governance
- AU APRM
- OECD Principles of Corporate Governance
© 2026 [C-AO.com].
This policy is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
You are free to share and adapt this material for any purpose, even commercially, provided that you give appropriate credit, provide a link to the license, and indicate if changes were made. If you remix, transform, or build upon this material, you must distribute your contributions under the same license as the original.
Enterprise and Conglomerate implementation content will be added here.