PrivacyVault
Free Privacy Scan
12 questions. 3 minutes. Find out where your privacy gaps are — before a regulator does.
Phase 1: Core Privacy Practices

Question 1. Does your organisation collect personal data from customers, employees, or website visitors?
Why this matters: If you collect names, emails, phone numbers, or any identifying information — you are a data controller under the Privacy Act, GDPR, and PDPA.
Question 2. Do you have a published privacy policy on your website?
Legal requirement: Under Privacy Act APP 1, GDPR Art. 13-14, and PDPA, a clear, accessible privacy policy is mandatory.
Question 3. Do you track consent for marketing communications and data processing?
Context: GDPR requires explicit, purpose-specific consent. The Privacy Act requires consent for direct marketing. Without records, you cannot prove compliance during an audit.
Question 4. Do you know where all personal data is stored across your systems?
Context: A data inventory (a record of processing activities, or ROPA, under GDPR Art. 30) is the foundation. You cannot protect what you cannot find, and it is the first thing an auditor asks for.
Phase 2: Data Subject Rights

Question 5. Could someone submit a data access, correction, or deletion request to you today?
Legal requirement: Under Privacy Act APP 12-13 and GDPR Art. 15-20, you must respond within 30 days. Failure triggers regulatory investigation.
Question 6. Do you track who accesses personal data, and can data subjects see who viewed their information?
Why this matters: Tracking access to personal data is essential for breach investigations, DSAR fulfilment, and demonstrating accountability under GDPR Art. 5(2). Consumer-facing access logs build trust.
Phase 3: Data Protection & Security

Question 7. Do you have a data breach response plan?
Legal requirement: The NDB scheme requires OAIC notification within 30 days; under GDPR the deadline is 72 hours. Without a plan, you face penalties up to A$50M.
Question 8. Do you obfuscate or encrypt personal data based on its classification and sensitivity level?
Why this matters: Health records, financial data, and biometric data require stronger protection than email addresses. Data-at-rest encryption, tokenisation, and masking reduce the impact of a breach. Required under Privacy Act APP 11 and GDPR Art. 32.
Question 9. Do you have data access authorisation policies controlling who can view personal data?
Why this matters: GDPR Art. 25 and Privacy Act APP 11 require restricting access to personal information to authorised personnel only. Role-based access control (RBAC), least privilege, and separation of duties prevent unauthorised exposure.
Phase 4: Cross-Border & Vendor Management

Question 10. Is personal data transferred to or processed in countries outside your jurisdiction?
Why this matters: Under Privacy Act APP 8, overseas recipients must handle data per the APPs. GDPR Art. 44-49 restricts transfers without adequacy decisions. Using AWS US-East, Google Analytics, or Salesforce counts as a cross-border transfer.
Question 11. Do you have Data Processing Agreements (DPAs) with vendors who process personal data?
Legal requirement: GDPR Art. 28 mandates DPAs with all processors. Without them, you are liable for your vendors' data handling failures.
Question 12. Do you have data retention and deletion policies?
Why this matters: GDPR Art. 5(1)(e) requires data minimisation. Privacy Act APP 11.2 requires destruction when the data is no longer needed. Keeping data longer increases breach risk.