ID.DE-P: Data Processing Ecosystem Risk Management

Description

The organization’s priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, assess, and manage privacy risks within the data processing ecosystem.

Framework Subcategories

ID.DE-P1: Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, managed, and agreed to by organizational stakeholders

[csf.tools Note: Subcategories do not have detailed descriptions.]

ID.DE-P2: Data processing ecosystem parties (e.g., service providers, customers, partners, product manufacturers, application developers) are identified, prioritized, and assessed using a privacy risk assessment process

[csf.tools Note: Subcategories do not have detailed descriptions.]

ID.DE-P3: Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization’s privacy program.

[csf.tools Note: Subcategories do not have detailed descriptions.]

ID.DE-P4: Interoperability frameworks or similar multi-party approaches are used to manage data processing ecosystem privacy risks

[csf.tools Note: Subcategories do not have detailed descriptions.]

ID.DE-P5: Data processing ecosystem parties are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual, interoperability framework, or other obligations

[csf.tools Note: Subcategories do not have detailed descriptions.]