| Function | Description |
|---|---|
| IDENTIFY-P | Develop the organizational understanding to manage privacy risk for individuals arising from data processing. |
| GOVERN-P | Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk. |
| CONTROL-P | Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. |

| Function | Category | Description |
|---|---|---|
| IDENTIFY-P | Inventory and Mapping (ID.IM-P) | Data processing by systems, products, or services is understood and informs the management of privacy risk. |
| IDENTIFY-P | Business Environment (ID.BE-P) | The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions. |
| IDENTIFY-P | Risk Assessment (ID.RA-P) | The organization understands the privacy risks to individuals and how such privacy risks may create follow-on impacts on organizational operations, including mission, functions, other risk management priorities (e.g., compliance, financial), reputation, workforce, and culture. |
| IDENTIFY-P | Data Processing Ecosystem Risk Management (ID.DE-P) | The organization’s priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, assess, and manage privacy risks within the data processing ecosystem. |
| GOVERN-P | Governance Policies, Processes, and Procedures (GV.PO-P) | The policies, processes, and procedures to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of privacy risk. |
| GOVERN-P | Risk Management Strategy (GV.RM-P) | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. |
| GOVERN-P | Awareness and Training (GV.AT-P) | The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values. |
| GOVERN-P | Monitoring and Review (GV.MT-P) | The policies, processes, and procedures for ongoing review of the organization’s privacy posture are understood and inform the management of privacy risk. |
| CONTROL-P | Data Processing Policies, Processes, and Procedures (CT.PO-P) | Policies, processes, and procedures are maintained and used to manage data processing (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) consistent with the organization’s risk strategy to protect individuals’ privacy. |
| CONTROL-P | Data Processing Management (CT.DM-P) | Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization). |

| # | Subcategory | Function | Category | Subcategory description |
|---|---|---|---|---|
| 1 | ID.IM-P1 | IDENTIFY-P | Inventory and Mapping | Systems/products/services that process data are inventoried. |
| 2 | ID.IM-P2 | IDENTIFY-P | Inventory and Mapping | Owners or operators (e.g., the organization or third parties such as service providers, partners, customers, and developers) and their roles with respect to the systems/products/services and components (e.g., internal or external) that process data are inventoried. |
| 3 | ID.IM-P3 | IDENTIFY-P | Inventory and Mapping | Categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed are inventoried. |
| 4 | ID.IM-P4 | IDENTIFY-P | Inventory and Mapping | Data actions of the systems/products/services are inventoried. |
| 5 | ID.IM-P5 | IDENTIFY-P | Inventory and Mapping | The purposes for the data actions are inventoried. |
| 6 | ID.IM-P6 | IDENTIFY-P | Inventory and Mapping | Data elements within the data actions are inventoried. |
| 7 | ID.IM-P7 | IDENTIFY-P | Inventory and Mapping | The data processing environment is identified (e.g., geographic location, internal, cloud, third parties). |
| 8 | ID.IM-P8 | IDENTIFY-P | Inventory and Mapping | Data processing is mapped, illustrating the data actions and associated data elements for systems/products/services, including components; roles of the component owners/operators; and interactions of individuals or third parties with the systems/products/services. |
| 9 | ID.BE-P1 | IDENTIFY-P | Business Environment | The organization’s role(s) in the data processing ecosystem are identified and communicated. |
| 10 | ID.BE-P2 | IDENTIFY-P | Business Environment | Priorities for organizational mission, objectives, and activities are established and communicated. |
| 11 | ID.BE-P3 | IDENTIFY-P | Business Environment | Systems/products/services that support organizational priorities are identified and key requirements communicated. |
| 12 | ID.RA-P1 | IDENTIFY-P | Risk Assessment | Contextual factors related to the systems/products/services and the data actions are identified (e.g., individuals’ demographics and privacy interests or perceptions, data sensitivity and/or types, visibility of data processing to individuals and third parties). |
| 13 | ID.RA-P2 | IDENTIFY-P | Risk Assessment | Data analytic inputs and outputs are identified and evaluated for bias. |
| 14 | ID.RA-P3 | IDENTIFY-P | Risk Assessment | Potential problematic data actions and associated problems are identified. |
| 15 | ID.RA-P4 | IDENTIFY-P | Risk Assessment | Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk. |
| 16 | ID.RA-P5 | IDENTIFY-P | Risk Assessment | Risk responses are identified, prioritized, and implemented. |
| 17 | ID.DE-P1 | IDENTIFY-P | Data Processing Ecosystem Risk Management | Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, managed, and agreed to by organizational stakeholders. |
| 18 | ID.DE-P2 | IDENTIFY-P | Data Processing Ecosystem Risk Management | Data processing ecosystem parties (e.g., service providers, customers, partners, product manufacturers, application developers) are identified, prioritized, and assessed using a privacy risk assessment process. |
| 19 | ID.DE-P3 | IDENTIFY-P | Data Processing Ecosystem Risk Management | Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization’s privacy program. |
| 20 | ID.DE-P4 | IDENTIFY-P | Data Processing Ecosystem Risk Management | Interoperability frameworks or similar multi-party approaches are used to manage data processing ecosystem privacy risks. |
| 21 | ID.DE-P5 | IDENTIFY-P | Data Processing Ecosystem Risk Management | Data processing ecosystem parties are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual, interoperability framework, or other obligations. |
| 22 | GV.PO-P1 | GOVERN-P | Governance Policies, Processes, and Procedures | Organizational privacy values and policies (e.g., conditions on data processing such as data uses or retention periods, individuals’ prerogatives with respect to data processing) are established and communicated. |
| 23 | GV.PO-P2 | GOVERN-P | Governance Policies, Processes, and Procedures | Processes to instill organizational privacy values within system/product/service development and operations are established and in place. |
| 24 | GV.PO-P3 | GOVERN-P | Governance Policies, Processes, and Procedures | Roles and responsibilities for the workforce are established with respect to privacy. |
| 25 | GV.PO-P4 | GOVERN-P | Governance Policies, Processes, and Procedures | Privacy roles and responsibilities are coordinated and aligned with third-party stakeholders (e.g., service providers, customers, partners). |
| 26 | GV.PO-P5 | GOVERN-P | Governance Policies, Processes, and Procedures | Legal, regulatory, and contractual requirements regarding privacy are understood and managed. |
| 27 | GV.PO-P6 | GOVERN-P | Governance Policies, Processes, and Procedures | Governance and risk management policies, processes, and procedures address privacy risks. |
| 28 | GV.RM-P1 | GOVERN-P | Risk Management Strategy | Risk management processes are established, managed, and agreed to by organizational stakeholders. |
| 29 | GV.RM-P2 | GOVERN-P | Risk Management Strategy | Organizational risk tolerance is determined and clearly expressed. |
| 30 | GV.RM-P3 | GOVERN-P | Risk Management Strategy | The organization’s determination of risk tolerance is informed by its role(s) in the data processing ecosystem. |
| 31 | GV.AT-P1 | GOVERN-P | Awareness and Training | The workforce is informed and trained on its roles and responsibilities. |
| 32 | GV.AT-P2 | GOVERN-P | Awareness and Training | Senior executives understand their roles and responsibilities. |
| 33 | GV.AT-P3 | GOVERN-P | Awareness and Training | Privacy personnel understand their roles and responsibilities. |
| 34 | GV.AT-P4 | GOVERN-P | Awareness and Training | Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities. |
| 35 | GV.MT-P1 | GOVERN-P | Monitoring and Review | Privacy risk is re-evaluated on an ongoing basis and as key factors, including the organization’s business environment (e.g., introduction of new technologies), governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services change. |
| 36 | GV.MT-P2 | GOVERN-P | Monitoring and Review | Privacy values, policies, and training are reviewed and any updates are communicated. |
| 37 | GV.MT-P3 | GOVERN-P | Monitoring and Review | Policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place. |
| 38 | GV.MT-P4 | GOVERN-P | Monitoring and Review | Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place. |
| 39 | GV.MT-P5 | GOVERN-P | Monitoring and Review | Policies, processes, and procedures are established and in place to receive, analyze, and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers, professional events). |
| 40 | GV.MT-P6 | GOVERN-P | Monitoring and Review | Policies, processes, and procedures incorporate lessons learned from problematic data actions. |
| 41 | GV.MT-P7 | GOVERN-P | Monitoring and Review | Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place. |
| 42 | CT.PO-P1 | CONTROL-P | Data Processing Policies, Processes, and Procedures | Policies, processes, and procedures for authorizing data processing (e.g., organizational decisions, individual consent), revoking authorizations, and maintaining authorizations are established and in place. |
| 43 | CT.PO-P2 | CONTROL-P | Data Processing Policies, Processes, and Procedures | Policies, processes, and procedures for enabling data review, transfer, sharing or disclosure, alteration, and deletion are established and in place (e.g., to maintain data quality, manage data retention). |
| 44 | CT.PO-P3 | CONTROL-P | Data Processing Policies, Processes, and Procedures | Policies, processes, and procedures for enabling individuals’ data processing preferences and requests are established and in place. |
| 45 | CT.PO-P4 | CONTROL-P | Data Processing Policies, Processes, and Procedures | A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems. |
| 46 | CT.DM-P1 | CONTROL-P | Data Processing Management | Data elements can be accessed for review. |
| 47 | CT.DM-P2 | CONTROL-P | Data Processing Management | Data elements can be accessed for transmission or disclosure. |
| 48 | CT.DM-P3 | CONTROL-P | Data Processing Management | Data elements can be accessed for alteration. |
| 49 | CT.DM-P4 | CONTROL-P | Data Processing Management | Data elements can be accessed for deletion. |
| 50 | CT.DM-P5 | CONTROL-P | Data Processing Management | Data are destroyed according to policy. |