Purpose

Bramble implements a privacy program that aligns privacy engineering decisions with the organization's overall privacy strategy and with industry-recognized leading practices for securing Personal Information (PI), and that implements the concept of privacy by design and by default.

Scope

This control applies to the entire Bramble organization.

Ownership

This control is owned by the Legal Team.

Controls

Each control is recorded with the following fields: Control Number, Control Title, Control Statement, Goal, TOD (Test of Design) and TOE (Test of Operating Effectiveness).

Control Number: PRI-05
Control Title: Use, Retention & Disposal
Control Statement: Bramble Group Corp. has implemented mechanisms to:
  ▪ Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
  ▪ Dispose of, destroy, erase and/or anonymize the PI, regardless of the method of storage; and
  ▪ Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).
Goal: Do mechanisms exist to:
  - Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
  - Dispose of, destroy, erase and/or anonymize the PI, regardless of the method of storage; and
  - Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records)?
TOD:
  1. Examine the policies, procedures and related documents associated with the use, retention and disposal of Personal Data (PD), including metadata. For originals, copies and archived records, this should include the defined time period for use, retention and disposal, and the secure delete, destroy, dispose or anonymization methods.
  2. Identify the laws, regulations and contractual obligations applicable to PD.
  3. Interview key organizational personnel within Bramble to discuss the high-level planning and workflows that support the use, retention and disposal of PD and metadata.
TOE:
  1. Examine the PD for evidence that applicable laws, regulations and contractual obligations were considered during the annual review and approval of the PD policy.
  2. Examine the PD policy for evidence that it contains processes, procedures and requirements addressing Personal Data (PD) use, retention and disposal as outlined in the TOD.
  3. Pull a population of all PD storage methods for evidence that manual or automated configurations support the use, retention and disposal methods outlined in the TOD.

Control Number: PRI-14
Control Title: Privacy Records & Reporting
Control Statement: Bramble Group Corp. has implemented mechanisms to maintain privacy-related records and to develop, disseminate and update reports to internal senior management, as well as to external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.
Goal: Does the organization develop, disseminate and update reports to internal senior management, as well as to external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates?
TOD:
  1. Identify the statutory and regulatory privacy program mandates associated with privacy-related records.
  2. Examine policies, procedures and relevant documentation for the requirements on communicating personal data, privacy and metadata matters to senior management and external oversight bodies.
TOE:
  1. Examine policies, procedures and related documentation for records and reports to senior management and/or external regulators for evidence that personal, private and applicable metadata records are stored and maintained according to regulatory and statutory mandates.
  • Test of Design (TOD): verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
  • Test of Operating Effectiveness (TOE): verifies that the control is in place and operates as it was designed.

Policy Reference