How does company store or retain personal information, and how does the company determine when such data needs to be destroyed?
Please describe how company destroys personal information
Does the company have a policy on secure deletion of archived or backed-up data?
What process is in place, if any, for assessing the potential privacy and data protection risks that may be associated with a new type of processing activity?
Is personal information retained or deleted in accordance with a data retention policy?
Please provide a copy of that policy
Does company have a security breach or incident response plan?
Please provide a copy of the plan and any breach reports, audits, and assessments
Does the company have a data inventory or other type of information governance program?