DSP-08: Data Privacy by Design and Default

Threats Addressed:

Control is new to this version of the control set.

Control Statement

Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.

Implementation Guidance

In line with the privacy by design and by default principles, the default (out-of-the-box) settings of systems and products should be the privacy-protective configuration required by the applicable regional privacy regulations, so that a user or customer who never changes a setting is still handled lawfully.

Auditing Guidance

  1. Examine whether the organization's policies, standards, processes, and controls create a framework that fosters a culture and expectation of "data privacy by design." Determine whether this content reflects the organization's stated direction and whether actual practice follows data privacy by design.
  2. Examine whether the organization's governance framework, documents, controls, and metrics demonstrate that the organization and its sub-processors comply with this requirement. Establish whether the organization has documented the roles and responsibilities involved.
  3. Review the organization's data breach log, security incident log, and project change failure records for cases where this requirement was not followed. Confirm that corrective action plans were identified and carried out appropriately.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.