Privacy Risk Assessment Template

https://eauditor.app/
Section 1: Security
1. Does the business have control procedures (SOPs, access requirements, periodic reviews, etc.) in place to limit company agents' (employees, contractors, vendors, alliance partners, etc.) access to PI ONLY to those having a business need for such access?
Yes
No
N/A
2. Can the business produce a list of all individuals having access to PI (whether electronic data, hard-copy data, etc.)?
Yes
No
N/A
3. How often is system access reviewed and how often are individual access rights updated?
4. Which of the following methods do you use when transferring PI? (SOPs, Access Control Lists, Periodic Reviews of Access Control Lists, Secure Email, Virtual Private Networks, File-based encryption, Secure dedicated-line transfer)
5. What security measures does the business area regularly use to physically protect PI?
6. Is the business area following privacy guidance when collecting, storing, or processing PI via electronic, audio, visual, or print media?
Yes
No
N/A
Section 2: Data Integrity
1. Does your business area comply with the Global Records Retention Schedule with regard to PI or SPI?
Yes
No
N/A
2. Do you routinely assess / review / monitor your affiliate or business area to determine whether the PI collected, stored, or processed is necessary to meet the stated business objectives?
Yes
No
N/A
3. Are privacy stewards aware they must report unauthorized PI disclosures (for example, lost backup tapes containing PI) to the Global Privacy Office or to the Chief Privacy Officer?
Yes
No
N/A
4. Enforcement: Has management actively informed employees of their responsibility, except where prohibited by law, to report incidents or suspected personal incidents?
Yes
No
N/A
Section 3: General Inspection
1. Has your business area provided notice to each person where it is either legally or otherwise required by Lilly or local regulations?
Yes
No
N/A
2. Is the purpose for the collection and use of the information included in the notice?
Yes
No
N/A
3. Is information on how individuals can contact the company with concerns, questions, or issues included in the notice?
Yes
No
N/A
4. Are the types of third parties to whom this information is disclosed included in the notice?
Yes
No
N/A
5. Is information on how the organization limits its use and disclosure of this information included in the notice?
6. Does the business area have documented procedures or processes to manage requests from individuals that allow them access to, copies of, corrections to, or removal of their personal information?
Yes
No
N/A
Section 4: Onward Transfer
1. Do third parties manage information for the business area?
Yes
No
N/A
2. Does the business area have an inventory of where personal information is collected, stored, processed, or managed?
Yes
No
N/A
3. If yes, does this inventory document what is collected, stored, and processed?
Yes
No
N/A
4. If yes, is this data transferred to another organization or entity?
Yes
No
N/A
5. If PI is transferred, check each type of control used to protect the PI:
6. Are there documented agreements in place with external organizations, when transferring data between a company entity and an external organization, requiring the external organization to comply with the company’s privacy expectations?
Yes
No
N/A