myctrl.tools

PT-5(1) Just-In-Time Notice

Control Description

Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or organization-defined frequency.

Supplemental Guidance

Just-in-time notices inform individuals of how organizations process their personally identifiable information at a time when such notices may be most useful to the individuals. Individual assumptions about how personally identifiable information will be processed might not be accurate or reliable if time has passed since the organization last presented notice or the circumstances under which the individual was last provided notice have changed. A just-in-time notice can explain data actions that organizations have identified as potentially giving rise to greater privacy risk for individuals.

Organizations can use a just-in-time notice to update or remind individuals about specific data actions as they occur or highlight specific changes that occurred since last presenting notice. A just-in-time notice can be used in conjunction with just-in-time consent to explain what will occur if consent is declined. Organizations use discretion to determine when to use a just-in-time notice and may use supporting information on user demographics, focus groups, or surveys to learn about users' privacy interests and concerns.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern just-in-time notice in organizational systems?
  • Who is responsible for implementing and overseeing just-in-time notice controls?
  • How does the organization ensure just-in-time notice complies with privacy laws and regulations?
  • What process exists for documenting and maintaining just-in-time notice?
  • What governance exists for monitoring and enforcing just-in-time notice requirements?

Technical Implementation:

  • What systems or tools technically implement just-in-time notice?
  • How are just-in-time notice requirements enforced in PII processing systems?
  • What privacy-enhancing technologies support just-in-time notice?
  • How is just-in-time notice integrated with data governance and privacy tools?
  • What technical controls prevent violations of just-in-time notice requirements?

Evidence & Documentation:

  • Provide documented policies and procedures for just-in-time notice.
  • Provide evidence of just-in-time notice implementation in PII systems.
  • Provide documentation demonstrating compliance with just-in-time notice requirements.
  • Provide records of just-in-time notice reviews and updates.
  • Provide privacy impact assessments or other documentation addressing just-in-time notice.
