Skip to main content

PRI-02: Data Privacy Notice

PRI 7 — High Identify

Mechanisms exist to: (1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; (2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed; (3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations; (4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice; (5) Periodically, review and update the content of the privacy notice, as necessary; and (6) Retain prior versions of the privacy notice, in accordance with data retention requirements.

Control Question: Does the organization: (1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; (2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed; (3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations; (4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice; (5) Periodically, review and update the content of the privacy notice, as necessary; and (6) Retain prior versions of the privacy notice, in accordance with data retention requirements?

General (12)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.3-POF7 P1.1 P1.1-POF1 P1.1-POF2 P1.1-POF3 P1.1-POF4 P1.1-POF5 P1.1-POF7
APEC Privacy Framework 2015 2 2(a) 2(b) 2(c) 2(d) 2(e)
CSA CCM 4 DSP-14
Generally Accepted Privacy Principles (GAPP) 2.1.1 2.2.1 2.2.2 2.2.3 3.1.0 3.1.1 3.1.2 4.1.0 4.1.1 4.2.4 5.1.0 5.1.1 6.1.0 7.1.0 7.1.1 8.1.0 8.1.1 9.1.0 9.1.1 10.1.0 10.1.1 10.2.3
ISO 27002 2022 5.34
ISO 27018 2014 A.2.1 A.2.2
ISO 29100 2024 6.3
NIST Privacy Framework 1.0 CM.PO-P1 CM.AW-P1
NIST 800-53 R4 TR-1 TR-2
NIST 800-53 R5 (source) PM-20(1) PT-5
NIST 800-53B R5 (privacy) (source) PM-20(1) PT-5
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PRI-02
US (15)
Framework Mapping Values
US CERT RMM 1.2 COMM:SG1.SP1
US CMS MARS-E 2.0 TR-1 TR-2
US COPPA 6502
US Data Privacy Framework (DPF) II.1.a.i II.1.a.ii II.1.a.iii II.1.a.iv II.1.a.ix II.1.a.v II.1.a.vi II.1.a.vii II.1.a.viii II.1.a.x II.1.a.xi II.1.a.xii II.1.a.xiii II.1.b III.11.d.i III.11.d.ii III.14.b.ii
US FERPA (source) 1232g
US FIPPS 7 8
US HHS 45 CFR 155.260 155.260(a)(3)(iii)
US HIPAA Administrative Simplification 2013 (source) 164.520(a)(1) 164.520(a)(2)(i) 164.520(a)(2)(i)(A) 164.520(a)(2)(i)(B) 164.520(a)(2)(ii) 164.520(a)(2)(ii)(A) 164.520(a)(2)(ii)(B) 164.520(a)(2)(iii) 164.520(b)(1) 164.520(b)(1)(i) 164.520(b)(1)(ii) 164.520(b)(1)(ii)(A) 164.520(b)(1)(ii)(B) 164.520(b)(1)(ii)(C) 164.520(b)(1)(ii)(D) 164.520(b)(1)(ii)(E) 164.520(b)(1)(iv) 164.520(b)(1)(iv)(A) 164.520(b)(1)(iv)(B) 164.520(b)(1)(iv)(C) 164.520(b)(1)(iv)(D) 164.520(b)(1)(iv)(E) 164.520(b)(1)(iv)(F) 164.520(b)(1)(v) 164.520(b)(1)(v)(A) 164.520(b)(1)(v)(B) 164.520(b)(1)(v)(C) 164.520(b)(1)(vi) 164.520(b)(1)(vii) 164.520(b)(1)(viii) 164.520(b)(2)(i) 164.520(b)(2)(ii) 164.520(b)(3) 164.520(c) 164.520(c)(1)(i) 164.520(c)(1)(i)(A) 164.520(c)(1)(i)(B) 164.520(c)(1)(ii) 164.520(c)(1)(iii) 164.520(c)(1)(iv) 164.520(c)(1)(v) 164.520(c)(1)(v)(A) 164.520(c)(1)(v)(B)
US - CA CCPA 2025 7002(b)(5) 7003(a) 7004(a)(1) 7010(a) 7011(a) 7011(b) 7011(c) 7011(d) 7011(e) 7011(e)(1) 7011(e)(1)(A) 7011(e)(1)(B) 7011(e)(1)(C) 7011(e)(1)(D) 7011(e)(1)(E) 7011(e)(1)(F) 7011(e)(1)(G) 7011(e)(1)(H) 7011(e)(1)(I) 7011(e)(1)(J) 7011(e)(2) 7011(e)(2)(A) 7011(e)(2)(B) 7011(e)(2)(C) 7011(e)(2)(D) 7011(e)(2)(E) 7011(e)(2)(F) 7011(e)(2)(G) 7011(e)(2)(H) 7011(e)(3) 7011(e)(3)(A) 7011(e)(3)(B) 7011(e)(3)(C) 7011(e)(3)(D) 7011(e)(3)(E) 7011(e)(3)(F) 7011(e)(3)(G) 7011(e)(3)(H) 7011(e)(3)(I) 7011(e)(3)(J) 7011(e)(4) 7011(e)(5) 7012(f) 7012(g)(1) 7013(c) 7013(e) 7013(e)(1) 7013(e)(2) 7013(e)(3) 7013(g)(2) 7014(b) 7014(c) 7014(d) 7014(e)(1) 7014(e)(2) 7014(e)(3) 7014(g)(1) 7014(g)(2) 7014(h) 7025(g)(2) 7025(g)(2)(A) 7025(g)(2)(B) 7025(g)(2)(C) 7025(g)(2)(D) 7072(a)
US - CO Colorado Privacy Act 6-1-1305(2) 6-1-1308(1)(a) 6-1-1308(1)(a)(I) 6-1-1308(1)(a)(II) 6-1-1308(1)(a)(II) 6-1-1308(1)(a)(IV) 6-1-1308(1)(a)(V) 6-1-1308(1)(b) 6-1-105(1)(nnn)
US - IL BIPA 15(a)
US - OR CPA 5(1)(a) 5(4)(a) 5(4)(b) 5(4)(c) 5(4)(d) 5(4)(e) 5(4)(f) 5(4)(g) 5(4)(h) 5(4)(i)
US - TN TIPA 47-18-3204(a)(1) 47-18-3204(c) 47-18-3204(c)(1) 47-18-3204(c)(2) 47-18-3204(c)(3) 47-18-3204(c)(4) 47-18-3204(c)(5) 47-18-3204(d) 47-18-3204(e)(1)
US - TX CDPA 541.053(b) 541.055(c) 541.055(d) 541.102(a)(1) 541.102(a)(2) 541.102(a)(3) 541.102(a)(4) 541.102(a)(5) 541.102(a)(6) 541.102(b) 541.103 541.106(a)(2)
US - VA CDPA 2025 59.1-578.C 59.1-578.C.1 59.1-578.C.2 59.1-578.C.3 59.1-578.C.4 59.1-578.C.5 59.1-578.D 59.1-578.E 59.1-581.A.2
EMEA (19)
Framework Mapping Values
EMEA EU GDPR (source) 12.7 13.1(a) 13.1(b) 13.1(c) 13.1(d) 13.1(e) 13.2 13.2(a) 13.2(b) 13.2(c) 13.2(d) 13.2(e) 13.2(f) 13.3 14.1(a) 14.1(b) 14.1(c) 14.1(d) 14.1(e) 14.1(f) 14.2 14.2(a) 14.2(b) 14.2(c) 14.2(d) 14.2(e) 14.2(f) 14.2(g) 14.3(a) 14.3(b) 14.3(c) 14.4 14.5(a)
EMEA Belgium 9
EMEA Germany Sec 4 Sec 19
EMEA Italy 11 13 37
EMEA Kenya DPA 2019 25(e) 26(a) 29(a) 29(b) 29(c) 29(d) 29(e) 29(f) 29(g) 29(h)
EMEA Netherlands 8 27
EMEA Nigeria DPR 2019 2.5 2.5(a) 2.5(b) 2.5(c) 2.5(d) 2.5(e) 2.5(f) 2.5(g) 2.5(h) 2.5(i) 3.1(1) 3.1(7)(a) 3.1(7)(b) 3.1(7)(c) 3.1(7)(d) 3.1(7)(e) 3.1(7)(f) 3.1(7)(g) 3.1(7)(h) 3.1(7)(i) 3.1(7)(j) 3.1(7)(k) 3.1(7)(l) 3.1(7)(m) 3.1(7)(n) 3.1(9) 3.1(9)(a) 3.1(9)(b) 3.1(9)(c) 3.1(9)(d) 3.1(9)(e)
EMEA Norway 31
EMEA Poland 23
EMEA Qatar PDPPL 6.1 8.1 9.1 9.3 9.4 10 17.1 17.2 17.3 17.4 17.5
EMEA Russia 22
EMEA Saudi Arabia PDPL 12 13.2 13.4 13.5 13.6 4.1
EMEA Serbia 87/2018 5.1 6.1 12.2 12.3 12.4 12.5 12.6
EMEA South Africa 18
EMEA Spain 1720/2007 8
EMEA Sweden 26
EMEA Turkey 10
EMEA UK DEFSTAN 05-138 2406 2407
EMEA UK DPA Chapter29-Schedule1-Part1-Principles 8
APAC (10)
Framework Mapping Values
APAC Australia Privacy Act APP Part 5
APAC Australian Privacy Principles APP 1 APP 5
APAC China Privacy Law 7 17 17(1) 17(2) 17(3) 17(4) 27 39 48
APAC India DPDPA 2023 5(1)(i) 5(1)(ii) 5(1)(iii) 5(2)(a)(i) 5(2)(a)(ii) 5(2)(a)(iii) 6(10) 6(3)
APAC Japan APPI 15(1) 15(2)
APAC Malaysia 7
APAC New Zealand Privacy Act of 2020 Principle 3 P3-(1) P3-(1)(a) P3-(1)(b) P3-(1)(c) P3-(1)(d) P3-(1)(d)(i) P3-(1)(d)(ii) P3-(1)(e) P3-(1)(e)(i) P3-(1)(e)(ii) P3-(1)(f) P3-(1)(g) P3-(2) P3-(3) P3-(4) P3-(4)(a) P3-(4)(b) P3-(4)(b)(i) P3-(4)(b)(ii) P3-(4)(b)(iii) P3-(4)(b)(iv) P3-(4)(c) P3-(4)(d) P3-(4)(e) P3-(4)(e)(i) P3-(4)(e)(ii)
APAC Singapore 14
APAC South Korea 3 4
APAC Taiwan 5
Americas (9)
Framework Mapping Values
Americas Argentina PPL 6
Americas Brazil LGPD 6.2 6.6 8
Americas Canada PIPEDA Principle 2
Americas Chile 5
Americas Colombia 12
Americas Costa Rica 5
Americas Mexico 7 16 17 18
Americas Peru 7
Americas Uruguay 5 13

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to: (1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; (2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed; (3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations; (4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice; (5) Periodically, review and update the content of the privacy notice, as necessary; and (6) Retain prior versions of the privacy notice, in accordance with data retention requirements.

Level 1 — Performed Informally

Privacy (PRI) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • No formal data privacy team exists. Privacy roles are assigned to existing IT / cybersecurity.
  • Formal roles and responsibilities for data privacy may exist.
  • No formal data privacy principles are identified for the organization.
  • An ad hoc approach to Data Protection Impact Assessment (DPIA) exists.
Level 2 — Planned & Tracked

Privacy (PRI) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Privacy management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and contractual data privacy obligations for Personal Data (PD) are properly identified and implemented across the enterprise.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for data privacy management.
  • A qualified individual is formally assigned as the Chief Privacy Officer (CPO), or similar role, to lead the organization's data privacy program. This individual may be assigned to multiple duties, including that as a Data Protection Officer (DPO).
  • The CPO, or similar role, identifies “data privacy principles” that systems, applications, services, processes and third-parties must adhere to, based on leading data privacy practices.
  • The CPO, or similar role, develops and ensures data privacy notices are published that include relevant purpose, notice and data privacy program information.
  • Administrative processes and technologies present data subjects with a data privacy notice in plain language that describes how PD is collected, stored, processed, transmitted, shared and used by the organization.
Level 3 — Well Defined

Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
  • A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
  • As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
  • A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
  • Data/process owners operationalize data privacy controls into the processes they control.
  • Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
  • Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
  • CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled

Privacy (PRI) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

Privacy (PRI) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. PRI-02_A01 privacy notice(s) are developed and posted on all external-facing websites.
  2. PRI-02_A02 privacy notice(s) are developed and posted on all mobile applications.
  3. PRI-02_A03 privacy notice(s) are developed and posted on all other digital services.
  4. PRI-02_A04 the privacy notice(s) are written in plain language.
  5. PRI-02_A05 the privacy notice(s) are organized in a way that is easy to understand and navigate.
  6. PRI-02_A06 the privacy notice(s) provide the information needed by the public to make an informed decision about whether to interact with the organization.
  7. PRI-02_A07 the privacy notice(s) provide the information needed by the public to make an informed decision about how to interact with the organization.
  8. PRI-02_A08 the privacy notice(s) are updated whenever the organization makes a substantive change to the practices it describes.
  9. PRI-02_A09 the privacy notice(s) include a time/date stamp to inform the public of the date of the most recent changes.
  10. PRI-02_A10 the frequency at which a notice is provided to individuals after initial interaction with an organization is defined.
  11. PRI-02_A11 information to be included with the notice about the processing of Personal Data (PD) is defined.
  12. PRI-02_A12 a notice to individuals about the processing of Personal Data (PD) is provided such that the notice is available to individuals upon first interacting with an organization.
  13. PRI-02_A13 a notice to individuals about the processing of Personal Data (PD) is provided such that the notice is subsequently available to individuals frequency.
  14. PRI-02_A14 a notice to individuals about the processing of Personal Data (PD) is provided that is clear, easy-to-understand and expresses information about Personal Data (PD) processing in plain language.
  15. PRI-02_A15 a notice to individuals about the processing of Personal Data (PD) that identifies the authority that authorizes the processing of Personal Data (PD) is provided.
  16. PRI-02_A16 a notice to individuals about the processing of Personal Data (PD) that identifies the purpose for which Personal Data (PD) is to be processed is provided.
  17. PRI-02_A17 a notice to individuals about the processing of Personal Data (PD) which includes information is provided.

Evidence Requirements

E-PRI-08 Data Privacy Notice

Documented evidence of a publicly-accessible data privacy notice.

Privacy

Technology Recommendations

Micro/Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Medium

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Large

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Enterprise

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free