Data Security & Privacy Lifecycle Management
DSP domain controls.
Security and Privacy Policy and Procedures
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle.
Secure Disposal
Apply industry accepted methods for the secure disposal of data from storage media.
Data Inventory
Create and maintain a data inventory, at least for any sensitive data and personal data.
Data Classification
Classify data according to its type and sensitivity level.
Data Flow Documentation
Create data flow documentation to identify what data is processed, stored or transmitted where.
Data Ownership and Stewardship
Document ownership and stewardship of all relevant documented personal and sensitive data.
Data Protection by Design and Default
Develop systems, products, and business practices based upon a principle of security by design and industry best practices.
Data Privacy by Design and Default
Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices.
Data Protection Impact Assessment
Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of risks upon the processing of personal data.
Sensitive Data Transfer
Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected.
Personal Data Access, Reversal, Rectification and Deletion
Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification of, or deletion of their personal data.
Limitation of Purpose in Personal Data Processing
Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any and all applicable laws and regulations.
Personal Data Sub-processing
Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain.
Disclosure of Data Sub-processors
Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner.
Limitation of Production Data Use
Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments.
Data Retention and Deletion
Data retention, archiving and deletion are managed in accordance with business requirements, applicable laws and regulations.
Sensitive Data Protection
Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.
Disclosure Notification
The CSP must have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities.
Data Location
Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.