Privacy notice up to date
Demonstrate that privacy notices accurately reflect current data processing practices, are reviewed and updated on a defined schedule, and remain compliant with applicable privacy laws and regulations.
Description
What this control does
This control requires that privacy notices provided to data subjects are kept current with actual data processing activities, legal requirements, and organizational practices. It ensures that individuals receive accurate, complete information about how their personal data is collected, used, stored, shared, and protected before or at the point of collection. Regular reviews and update mechanisms are necessary to maintain alignment between published notices and operational reality, particularly when new processing activities are introduced, third-party relationships change, or privacy regulations evolve.
Control objective
What auditing this proves
Demonstrate that privacy notices accurately reflect current data processing practices, are reviewed and updated on a defined schedule, and remain compliant with applicable privacy laws and regulations.
Associated risks
Risks this control addresses
- Individuals consent to, or are merely notified of, data processing on the basis of outdated or inaccurate information, undermining the legal basis for processing under GDPR (which requires the Article 13/14 information at collection), the notice-at-collection requirement under CCPA, or similar regulations
- Regulatory fines and enforcement actions resulting from failure to provide accurate, up-to-date privacy disclosures as required by law
- Reputational damage and loss of customer trust when actual data practices diverge from published privacy commitments
- Legal liability from processing data beyond the scope disclosed in outdated privacy notices, creating unauthorized data use scenarios
- Inability to demonstrate accountability and transparency in privacy governance during regulatory audits or investigations
- Failure to inform data subjects of material changes in data sharing arrangements with third parties, processors, or cross-border transfers
- Failure to meet breach notification or data subject rights obligations because the privacy notice lists outdated contact details (for example, a stale DPO or privacy mailbox) or out-of-date request procedures
Testing procedure
How an auditor verifies this control
- Obtain all current privacy notices published across organizational channels including website, mobile applications, point-of-sale systems, and customer-facing forms
- Retrieve the privacy notice review and update policy, including defined triggers for updates and approval workflows
- Interview the privacy officer or designated data protection lead to understand the process for identifying when privacy notice updates are required
- Compare the published privacy notice content against documented data processing activities, data flow diagrams, and Records of Processing Activities (ROPA) to verify alignment
- Review change logs, version control records, or document management system metadata to verify the date of last privacy notice review and update
- Select a sample of recent changes to data processing activities (new vendor engagements, new data collection points, new product launches) and verify corresponding privacy notice updates were completed
- Verify that privacy notice update approval involved legal counsel, privacy/compliance team, and appropriate business stakeholders as defined in policy
- Test public-facing privacy notice accessibility by attempting to locate and access notices from multiple user entry points and verify they display the current version with effective date
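The comparison and accessibility steps above (version records, ROPA change dates, and the effective date shown at each entry point) lend themselves to a repeatable check an auditor can run on captured notice text. The script below is an added example, not part of this control page or of any tool it references. The notice snapshots, the processing-change register, the "Effective date:" and "Version" wording it parses, and the one-year review interval are all constructed assumptions standing in for what would be collected during fieldwork.

```python
"""Consistency check for captured privacy notices (added example, assumptions labelled)."""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Constructed sample: text captured from each customer-facing entry point.
# These are made-up snapshots, not real notices; the date/version wording is an assumption.
NOTICES = {
    "website": "Privacy Notice\nEffective date: 2024-03-01\nVersion 4.2\n...",
    "mobile_app": "Privacy Notice\nEffective date: 2024-03-01\nVersion 4.2\n...",
    "pos_kiosk": "Privacy Notice\nEffective date: 2023-06-15\nVersion 3.9\n...",
    "web_form": "Privacy Notice\nSee our website for details.\n",  # no date at all
}

# Constructed register of processing changes and the date each went live
# (in practice: ROPA change log, vendor onboarding records, product launch dates).
PROCESSING_CHANGES = [
    ("New analytics vendor (processor) onboarded", date(2024, 2, 10)),
    ("Loyalty program begins collecting purchase history", date(2024, 5, 20)),
]

REVIEW_INTERVAL = timedelta(days=365)  # assumed policy cadence: annual review

EFFECTIVE_RE = re.compile(r"Effective date:\s*(\d{4})-(\d{2})-(\d{2})")
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+)")


@dataclass
class Finding:
    channel: str
    issue: str


def parse_notice(text):
    """Return (effective_date, version) or (None, None) if either is missing."""
    m = EFFECTIVE_RE.search(text)
    v = VERSION_RE.search(text)
    if not m or not v:
        return None, None
    return date(int(m[1]), int(m[2]), int(m[3])), v[1]


def check_notices(notices, changes, review_interval, today):
    """Apply three audit tests to every captured notice and return the findings.

    1. Every entry point must display the same (current) version.
    2. The effective date must fall within the policy review interval.
    3. No recorded processing change may postdate the notice it should be described in.
    """
    findings = []
    parsed = {}
    for channel, text in notices.items():
        effective, version = parse_notice(text)
        if effective is None:
            findings.append(Finding(channel, "no effective date or version displayed"))
            continue
        parsed[channel] = (effective, version)

    # Test 1: cross-channel consistency. The newest effective date is treated as current.
    if len({ver for _, ver in parsed.values()}) > 1:
        _, current = max(parsed.values())
        for channel, (_, version) in parsed.items():
            if version != current:
                findings.append(Finding(channel, f"shows version {version}; current is {current}"))

    # Test 2: staleness against the defined review schedule.
    for channel, (effective, _) in parsed.items():
        if today - effective > review_interval:
            findings.append(Finding(channel, f"effective date {effective} exceeds review interval"))

    # Test 3: processing changes introduced after the notice's effective date.
    for channel, (effective, _) in parsed.items():
        for description, went_live in changes:
            if went_live > effective:
                findings.append(Finding(channel, f"change on {went_live} ({description}) postdates notice"))
    return findings


def run_sample_audit():
    """Run the checks against the constructed data as of an assumed audit date."""
    return check_notices(NOTICES, PROCESSING_CHANGES, REVIEW_INTERVAL, date(2024, 7, 1))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.channel}] {f.issue}")
```

On the constructed data the kiosk notice fails all three tests, the web form fails for lacking any effective date, and even the current website and app notices are flagged because the loyalty program change went live after their effective date, which is exactly the gap the sampling step in the procedure is meant to surface.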
Where this control is tested