Privacy Information Management System Policy

The Privacy Information Management System Policy establishes the organization’s PIMS for the processing of personally identifiable information in controller, joint controller, processor, and subprocessor contexts. Its stated purpose is to define mandatory governance requirements for establishing, implementing, maintaining, monitoring, and continually improving the PIMS. The policy is designed to support accountable, risk-based, and evidence-driven management of PII processing across the applicable PIMS roles. It applies to PIMS scope, organizational context, interested parties, boundaries, role determination, privacy policy, privacy objectives, privacy risk assessment, privacy risk treatment, the PIMS Statement of Applicability, governance, monitoring, internal audit, management review, nonconformity, corrective action, and documented evidence needed to demonstrate conformity and accountability. A central feature of the policy is its focus on defined accountability. Top Management must approve PIMS scope in REG01 before initial implementation and within 30 days of any material change, approve the policy and PIMS objectives in REG12 annually, and review performance, open risks, nonconformities, corrective actions, and improvement decisions during management review. The Privacy Lead / PIMS Manager maintains core PIMS records, including context issues, interested parties, objectives, the Statement of Applicability, risk treatment decisions, the evidence index, metrics, exceptions, corrective actions, and policy review records. Process Owners classify the organization’s PIMS role for each PII processing activity before processing begins, while Vendor / Procurement Owners document joint controller responsibility allocation, customer processing instructions, approved subprocessing arrangements, supplier governance, and externally provided PIMS-relevant processes. The policy connects PIMS governance to operational control. Privacy risk assessment must be initiated before new or materially changed PII processing begins, and DPIA need must be determined before high-risk or materially changed controller processing proceeds. Approved privacy risk treatment decisions are recorded before treatment implementation, and System Owners must confirm PIMS operational controls before go-live for systems processing PII. The Information Security Lead is responsible for documenting the applicable PII security control baseline and maintaining security control implementation status, linking privacy governance with the PII security control baseline and the Statement of Applicability. This structure helps ensure that scope, processing activities, control applicability, supplier arrangements, and risk records remain aligned before management review and certification-related changes. The policy also defines auditability and continual improvement requirements. The Privacy Lead / PIMS Manager must maintain a PIMS evidence index before each internal audit, retain documented information according to evidence retention requirements, maintain performance metrics quarterly, and report objective status before management review. The minimum measurement set includes the percentage of in-scope processing activities with current role classification, the percentage of applicable controls with current implementation status, open nonconformities and overdue corrective actions, and privacy risk assessments pending approval. Internal Audit / Compliance Reviewers must report review results within 15 business days, sample evidence completeness during internal audits, verify expired exception closure evidence, and verify corrective action effectiveness within 30 days of reported closure. Exceptions, enforcement, and maintenance are addressed as formal PIMS processes rather than informal deviations. Requested exceptions must be documented before deviation occurs, assessed for privacy risk before approval, and reviewed quarterly until closure. Exceptions that exceed accepted privacy risk thresholds require Top Management approval before implementation. Suspected nonconformities must be recorded within five business days, overdue major corrective actions must be escalated to Top Management, and unresolved major nonconformities must be reviewed at each management review. The policy itself is reviewed annually and within 30 days of material legal, organizational, processing, technology, or certification scope changes, with approved changes communicated in REG11 within 30 days of publication.