DSP: Data Security and Privacy Lifecycle Management

Controls

DSP-01: Security and Privacy Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.

DSP-02: Secure Disposal

Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.

DSP-03: Data Inventory

Create and maintain a data inventory, at least for any sensitive data and personal data.

DSP-05: Data Flow Documentation

Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.

DSP-08: Data Privacy by Design and Default

Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.

DSP-09: Data Protection Impact Assessment

Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices.

DSP-10: Sensitive Data Transfer

Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.

DSP-13: Personal Data Sub-processing

Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.

DSP-14: Disclosure of Data Sub-processors

Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.

DSP-18: Disclosure Notification

The CSP must have in place, and describe to CSCs the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal…

DSP-19: Data Location

Define and implement, processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.