PRI

Data Privacy

102 controls

Align data privacy practices with industry-recognized data privacy principles to implement appropriate administrative, technical and physical controls to protect regulated personal data throughout the lifecycle of systems, applications and services.

| SCF # | Control Name | Weight | NIST CSF | Frameworks |
|---|---|---|---|---|
| PRI-01 | Data Privacy Program | 10 — Critical | Govern | 90 |
| PRI-01.1 | Chief Privacy Officer (CPO) | 3 — Low | Identify | 39 |
| PRI-01.2 | Privacy Act Statements | 2 — Low | Identify | 9 |
| PRI-01.3 | Dissemination of Data Privacy Program Information | 5 — Medium | Identify | 21 |
| PRI-01.4 | Data Protection Officer (DPO) | 7 — High | Identify | 18 |
| PRI-01.5 | Binding Corporate Rules (BCR) | 5 — Medium | Identify | 9 |
| PRI-01.6 | Security of Personal Data (PD) | 7 — High | Protect | 36 |
| PRI-01.7 | Limiting Personal Data (PD) Disclosures | 7 — High | Protect | 14 |
| PRI-01.8 | Data Fiduciary | 7 — High | Protect | 1 |
| PRI-01.9 | Personal Data (PD) Process Manager | 5 — Medium | Protect | 1 |
| PRI-01.10 | Financial Incentives For Personal Data (PD) | 3 — Low | Protect | 1 |
| PRI-01.11 | Reasonable Data Privacy Practices | 9 — Critical | Protect | 5 |
| PRI-02 | Data Privacy Notice | 7 — High | Identify | 65 |
| PRI-02.1 | Purpose Specification | 7 — High | Identify | 64 |
| PRI-02.2 | Automated Data Management Processes | 1 — Low | Identify | 11 |
| PRI-02.3 | Computer Matching Agreements (CMA) | 1 — Low | Identify | 4 |
| PRI-02.4 | System of Records Notice (SORN) | 1 — Low | Identify | 4 |
| PRI-02.5 | System of Records Notice (SORN) Review Process | 1 — Low | Identify | 2 |
| PRI-02.6 | Privacy Act Exemptions | 1 — Low | Identify | 2 |
| PRI-02.7 | Real-Time or Layered Notice | 2 — Low | Identify | 2 |
| PRI-02.8 | Purpose Compatibility | 4 — Medium | Protect | 2 |
| PRI-02.9 | Privacy Notice Formatting | 4 — Medium | Protect | 1 |
| PRI-02.10 | Symmetry In Choice | 4 — Medium | Protect | 1 |
| PRI-02.11 | Choice Architecture | 4 — Medium | Protect | 1 |
| PRI-02.12 | Choice Architecture Testing | 4 — Medium | Protect | 1 |
| PRI-02.13 | Notice of Right To Limit | 4 — Medium | Protect | 1 |
| PRI-02.14 | Alternative Means To Deliver Privacy Notice | 4 — Medium | Protect | 1 |
| PRI-03 | Choice & Consent | 7 — High | Identify | 69 |
| PRI-03.1 | Tailored Consent | 1 — Low | Identify | 13 |
| PRI-03.2 | Just-In-Time Notice & Updated Consent | 1 — Low | Identify | 21 |
| PRI-03.3 | Prohibition of Selling, Processing and/or Sharing Personal Data (PD) | 5 — Medium | Identify | 12 |
| PRI-03.4 | Revoke Consent | 3 — Low | Respond | 14 |
| PRI-03.5 | Product or Service Delivery Restrictions | 7 — High | Identify | 11 |
| PRI-03.6 | Authorized Agent | 6 — Medium | Protect | 14 |
| PRI-03.7 | Active Participation By Data Subjects | 3 — Low | Protect | 9 |
| PRI-03.8 | Global Privacy Control (GPC) | 5 — Medium | Protect | 3 |
| PRI-03.9 | Continued Use of Personal Data (PD) | 5 — Medium | Protect | 10 |
| PRI-03.10 | Cease Processing, Storing and/or Sharing Personal Data (PD) | 6 — Medium | Protect | 4 |
| PRI-03.11 | Communicating Processing Changes | 5 — Medium | Protect | 1 |
| PRI-03.12 | Data Subject Opt-In Consent | 4 — Medium | Protect | 2 |
| PRI-03.13 | Parent or Guardian Opt-In Consent For Minors | 6 — Medium | Protect | 2 |
| PRI-04 | Restrict Collection To Identified Purpose | 7 — High | Identify | 65 |
| PRI-04.1 | Authority To Collect, Process, Store & Share Personal Data (PD) | 7 — High | Identify | 65 |
| PRI-04.2 | Primary Sources | 7 — High | Identify | 6 |
| PRI-04.3 | Identifiable Image Collection | 7 — High | Identify | 1 |
| PRI-04.4 | Acquired Personal Data (PD) | 6 — Medium | Identify | 3 |
| PRI-04.5 | Validate Collected Personal Data (PD) | 1 — Low | Identify | 4 |
| PRI-04.6 | Re-Validate Collected Personal Data (PD) | 1 — Low | Identify | 2 |
| PRI-04.7 | Personal Data (PD) Collection Methods | 3 — Low | Protect | 2 |
| PRI-05 | Personal Data (PD) Retention & Disposal | 8 — High | Identify | 116 |
| PRI-05.1 | Internal Use of Personal Data (PD) For Testing, Training and Research | 8 — High | Identify | 55 |
| PRI-05.2 | Personal Data (PD) Accuracy & Integrity | 5 — Medium | Identify | 38 |
| PRI-05.3 | Data Masking | 8 — High | Identify | 17 |
| PRI-05.4 | Usage Restrictions of Personal Data (PD) | 8 — High | Identify | 84 |
| PRI-05.5 | Inventory of Personal Data (PD) | 8 — High | Identify | 20 |
| PRI-05.6 | Personal Data (PD) Inventory Automation Support | 1 — Low | Identify | 5 |
| PRI-05.7 | Personal Data (PD) Categories | 5 — Medium | Identify | 14 |
| PRI-05.8 | Personal Data (PD) Formats | 4 — Medium | Protect | 1 |
| PRI-06 | Data Subject Empowerment | 6 — Medium | Identify | 72 |
| PRI-06.1 | Correcting Inaccurate Personal Data (PD) | 5 — Medium | Respond | 65 |
| PRI-06.2 | Notice of Correction or Processing Change | 4 — Medium | Respond | 32 |
| PRI-06.3 | Appeal Adverse Decision | 4 — Medium | Respond | 32 |
| PRI-06.4 | User Feedback Management | 5 — Medium | Respond | 45 |
| PRI-06.5 | Right to Erasure | 5 — Medium | Respond | 20 |
| PRI-06.6 | Data Portability | 3 — Low | Identify | 17 |
| PRI-06.7 | Personal Data (PD) Exports | 5 — Medium | Identify | 17 |
| PRI-06.8 | Data Subject Authentication | 6 — Medium | Protect | 1 |
| PRI-07 | Information Sharing With Third Parties | 9 — Critical | Identify | 54 |
| PRI-07.1 | Data Privacy Requirements for Contractors & Service Providers | 10 — Critical | Identify | 56 |
| PRI-07.2 | Joint Processing of Personal Data (PD) | 5 — Medium | Identify | 9 |
| PRI-07.3 | Obligation To Inform Third-Parties | 5 — Medium | Identify | 9 |
| PRI-07.4 | Reject Unauthenticated or Untrustworthy Disclosure Requests | 5 — Medium | Identify | 11 |
| PRI-07.5 | Justification To Reject Disclosure Requests | 5 — Medium | Identify | 10 |
| PRI-08 | Testing, Training & Monitoring | 8 — High | Identify | 18 |
| PRI-09 | Personal Data (PD) Lineage | 5 — Medium | Identify | 7 |
| PRI-10 | Data Quality Management | 5 — Medium | Identify | 20 |
| PRI-10.1 | Data Quality Automation | 1 — Low | Identify | 3 |
| PRI-10.2 | Data Analytics Bias | 5 — Medium | Identify | 1 |
| PRI-11 | Data Tagging | 3 — Low | Identify | 4 |
| PRI-12 | Updating Personal Data (PD) Process | 9 — Critical | Identify | 8 |
| PRI-12.1 | Enabling Data Subjects To Update Personal Data (PD) | 4 — Medium | Protect | 3 |
| PRI-13 | Data Management Board | 3 — Low | Identify | 7 |
| PRI-14 | Documenting Data Processing Activities | 8 — High | Identify | 24 |
| PRI-14.1 | Accounting of Disclosures | 8 — High | Identify | 23 |
| PRI-14.2 | Notification of Disclosure Request To Data Subject | 5 — Medium | Identify | 4 |
| PRI-15 | Register As A Data Controller and/or Data Processor | 3 — Low | Identify | 31 |
| PRI-16 | Potential Human Rights Abuses | 10 — Critical | Protect | 5 |
| PRI-17 | Data Subject Communications | 6 — Medium | Protect | 4 |
| PRI-17.1 | Conspicuous Link To Data Privacy Notice | 4 — Medium | Protect | 1 |
| PRI-17.2 | Notice of Financial Incentive | 2 — Low | Identify | 1 |
| PRI-17.3 | Data Subject Communications Documentation | 5 — Medium | Protect | 2 |
| PRI-17.4 | Data Subject Communications Metrics | 3 — Low | Protect | 1 |
| PRI-17.5 | Data Subject Communications Disclosure | 3 — Low | Protect | 1 |
| PRI-18 | Data Controller Communications | 7 — High | Govern | 2 |
| PRI-19 | Automated Decision-Making Technology (ADMT) For Data Subject Actions | 6 — Medium | Protect | 0 |
| PRI-19.1 | Automated Decision-Making Technology (ADMT) Use Notification | 6 — Medium | Protect | 1 |
| PRI-19.2 | Automated Decision-Making Technology (ADMT) Opt-Out Consent | 6 — Medium | Protect | 1 |
| PRI-19.3 | Automated Decision-Making Technology (ADMT) Transparency | 6 — Medium | Protect | 1 |
| PRI-20 | Data Brokers | 7 — High | Protect | 1 |
| PRI-21 | Notice of Right To Opt-Out | 6 — Medium | Protect | 2 |
| PRI-21.1 | Opt-Out Links | 6 — Medium | Protect | 2 |
| PRI-21.2 | Alternative Opt-Out Link | 6 — Medium | Protect | 1 |

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
