PRI-01: Data Privacy Program
Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.
Control Question: Does the organization facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently?
General (27)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC1.3-POF6 CC2.3-POF7 CC8.1-POF17 CC8.1-POF18 P1.0 |
| APEC Privacy Framework 2015 | 1 9 |
| COBIT 2019 | APO04.01 APO13.02 |
| CSA CCM 4 | DSP-02 DSP-14 |
| CSA IoT SCF 2 | LGL-04 |
| ISO 27002 2022 | 5.1 5.34 |
| ISO 27017 2015 | 18.1.4 |
| ISO 27701 2025 | 4.4 5.1 6.1.1 6.1.1(a) 6.1.1(b) 6.1.3(h) 6.2 6.2(a) 6.2(b) 6.2(c) 6.2(d) 6.2(e) 6.2(f) 6.2(g) 6.3 7.1 7.4 7.5.1 7.5.1(a) 7.5.1(b) 7.5.2 7.5.3 |
| ISO 29100 2024 | 6.10 |
| NIST AI 100-1 (AI RMF) 1.0 | MAP 1.6 |
| NIST Privacy Framework 1.0 | GV.PO-P1 GV.PO-P5 GV.PO-P6 CT.PO-P2 CM.PO-P1 CM.AW-P2 PR.PO-P9 |
| NIST 800-53 R5 (source) | PM-18 PT-1 |
| NIST 800-53B R5 (privacy) (source) | PM-18 PT-1 |
| NIST 800-161 R1 | PM-18 PT-1 |
| NIST 800-161 R1 Flow Down | PM-18 PT-1 |
| NIST 800-161 R1 Level 1 | PM-18 PT-1 |
| NIST 800-161 R1 Level 2 | PM-18 PT-1 |
| NIST 800-161 R1 Level 3 | PT-1 |
| NIST CSF 2.0 (source) | GV.OC-03 |
| OECD Privacy Principles | 8 |
| Shared Assessments SIG 2025 | P.3 |
| TISAX ISA 6 | 7.1.2 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | PRI-01 |
| SCF CORE ESP Level 1 Foundational | PRI-01 |
| SCF CORE ESP Level 2 Critical Infrastructure | PRI-01 |
| SCF CORE ESP Level 3 Advanced Threats | PRI-01 |
| SCF CORE AI Model Deployment | PRI-01 |
US (14)
| Framework | Mapping Values |
|---|---|
| US Data Privacy Framework (DPF) | III.15.a |
| US FCA CRM | 609.930(d) |
| US FERPA (source) | 1232h |
| US FIPPS | 2 |
| US HHS 45 CFR 155.260 | 155.260(a)(3) |
| US HIPAA Administrative Simplification 2013 (source) | 164.502(a) 164.530(a)(1)(i) 164.530(i)(1) |
| US IRS 1075 | PM-18 PT-1 |
| US SSA EIESR 8.0 | 5.5 |
| US - CA CCPA 2025 | 7002(a) |
| US - CO Colorado Privacy Act | 6-1-1305(2) 6-1-1305(7) 6-1-1308(1)(c)(I) 6-1-1308(1)(c)(II) 6-1-1308(6) 6-1-105(1)(nnn) |
| US - NV NOGE Reg 5 | 5.260.1 |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.3(k) |
| US - TX CDPA | 541.101(a)(2) 541.101(b)(2) 541.204(c) |
| US - VA CDPA 2025 | 59.1-578.A.3 |
EMEA (26)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 10.5 |
| EMEA EU GDPR (source) | 12.2 5.1(a) 9.1 |
| EMEA Austria | Sec 14 Sec 15 |
| EMEA Belgium | 4 |
| EMEA Germany | Inferred Expectation |
| EMEA Greece | Inferred Expectation |
| EMEA Hungary | Inferred Expectation |
| EMEA Ireland | Inferred Expectation |
| EMEA Israel | Inferred Expectation |
| EMEA Italy | Inferred Expectation |
| EMEA Kenya DPA 2019 | 30(1)(a) 30(1)(b)(i) 30(1)(b)(ii) 30(1)(b)(iii) 30(1)(b)(iv) 30(1)(b)(v) 30(1)(b)(vi) 30(1)(b)(vii) 30(1)(b)(viii) 30(2) 30(3) |
| EMEA Netherlands | Inferred Expectation |
| EMEA Nigeria DPR 2019 | 4.1(3) |
| EMEA Norway | Inferred Expectation |
| EMEA Poland | Inferred Expectation |
| EMEA Qatar PDPPL | 2 3 8.1 |
| EMEA Russia | Inferred Expectation |
| EMEA Saudi Arabia PDPL | 11.2 |
| EMEA Serbia 87/2018 | 5.1 59 59.1 59.2 59.3 59.4 59.5 59.6 59.7 59.8 59.9 59.10 59.11 |
| EMEA South Africa | 19 20 60 |
| EMEA Spain 1720/2007 | Inferred Expectation |
| EMEA Spain CCN-STIC 825 | 8.7.1 [MP.INFO.1] |
| EMEA Sweden | Inferred Expectation |
| EMEA Switzerland | Inferred Expectation |
| EMEA Turkey | Inferred Expectation |
| EMEA UK DPA | Inferred Expectation |
APAC (13)
| Framework | Mapping Values |
|---|---|
| APAC Australia Privacy Act | Inferred Expectation |
| APAC Australian Privacy Principles | APP 1 |
| APAC China DNSIP | Inferred Expectation |
| APAC China Privacy Law | 7 16 51 51(1) 51(2) 51(3) 51(4) 51(5) 51(6) 58 58(1) 58(2) 58(3) 58(4) 59 |
| APAC Hong Kong | Inferred Expectation |
| APAC India ITR | Inferred Expectation |
| APAC Japan APPI | 24(3) 26(1) 26(1)(i) 26(1)(ii) 26(2) 26(3) 26(4) 26-2(1) 26-2(1)(i) 26-2(1)(ii) 26-2(2) 26-2(3) 36 37 38 39 51(1) 51(2) 52(1) 53(2) 53(3) 53(1) 53(2) 53(3) 53(4) 54 55 |
| APAC Japan ISMAP | 18.1.4 |
| APAC Malaysia | 23 |
| APAC Philippines | Inferred Expectation |
| APAC Singapore | 12 |
| APAC South Korea | 3 30 |
| APAC Taiwan | Inferred Expectation |
Americas (10)
| Framework | Mapping Values |
|---|---|
| Americas Argentina PPL | 2 |
| Americas Bahamas | 6 |
| Americas Brazil LGPD | 6.8 6.10 50 |
| Americas Canada PIPEDA | Principle 1 Principle 8 |
| Americas Chile | Inferred Expectation |
| Americas Colombia | 4 |
| Americas Costa Rica | 10 |
| Americas Mexico | 6 14 30 |
| Americas Peru | 12 31 |
| Americas Uruguay | 5 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to facilitate the implementation and operation of data privacy controls.
Level 1 — Performed Informally
Privacy (PRI) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.
- Formal roles and responsibilities for data privacy may exist.
- No formal data privacy principles are identified for the organization.
- An ad hoc approach to Data Protection Impact Assessment (DPIA) exists.
- Compliance efforts are not tied into an enterprise-wide cybersecurity and/ or data privacy program.
Level 2 — Planned & Tracked
Privacy (PRI) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Privacy management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and contractual data privacy obligations for Personal Data (PD) are properly identified and implemented across the enterprise.
- IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for data privacy management.
- A qualified individual is formally assigned as the Chief Privacy Officer (CPO), or similar role, to lead the organization's data privacy program. This individual may be assigned to multiple duties, including that as a Data Protection Officer (DPO).
- The CPO, or similar role, identifies “data privacy principles” that systems, applications, services, processes and third-parties must adhere to, based on leading data privacy practices.
Level 3 — Well Defined
Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
- A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
- As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
- A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
- The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
- Data/process owners operationalize data privacy controls into the processes they control.
- Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
- Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
- CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled
Privacy (PRI) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation and operation of data privacy controls.
Assessment Objectives
- PRI-01_A01 an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed.
- PRI-01_A02 the privacy program plan includes a description of the structure of the privacy program.
- PRI-01_A03 the privacy program plan includes a description of the resources dedicated to the privacy program.
- PRI-01_A04 the privacy program plan provides an overview of the requirements for the privacy program.
- PRI-01_A05 the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program.
- PRI-01_A06 the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program.
- PRI-01_A07 the privacy program plan includes the role of the senior organization official for privacy.
- PRI-01_A08 the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities.
- PRI-01_A09 the privacy program plan describes management commitment.
- PRI-01_A10 the privacy program plan describes compliance.
- PRI-01_A11 the privacy program plan describes the strategic goals and objectives of the privacy program.
- PRI-01_A12 the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy.
- PRI-01_A13 the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image and reputation), organizational assets, individuals, other organizations and the Nation.
- PRI-01_A14 the privacy program plan is disseminated.
- PRI-01_A15 the frequency of updates to the privacy program plan is defined.
- PRI-01_A16 the privacy program plan is updated per an organization-defined frequency.
- PRI-01_A17 the privacy program plan is updated to address changes in federal privacy laws and policies.
- PRI-01_A18 the privacy program plan is updated to address organizational changes.
- PRI-01_A19 the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.
- PRI-01_A20 data privacy operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
- PRI-01_A21 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support data privacy operations.
- PRI-01_A22 responsibility and authority for the performance of data privacy-related activities are assigned to designated personnel.
- PRI-01_A23 personnel performing data privacy-related activities have the skills and knowledge needed to perform their assigned duties.
Evidence Requirements
- E-GOV-02 Charter - Data Privacy Program
-
Documented evidence of a charter to establish and resource the organization's data privacy program.
Cybersecurity & Data Protection Management - E-GOV-08 Cybersecurity & Data Protection Policies
-
Documented evidence of an appropriately-scoped cybersecurity & data protection policies. Policies are high-level statements of management intent from an organization's executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes. Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements.
Cybersecurity & Data Protection Management
Technology Recommendations
Micro/Small
- Data privacy program
Small
- Data privacy program
Medium
- Data privacy program
Large
- Data privacy program
Enterprise
- Data privacy program