PRI-14: Documenting Data Processing Activities
Mechanisms exist to document Personal Data (PD) processing activities that covers collection, receiving, processing, storage, transmission, sharing, updating and/or disposal actions with sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual requirements.
Control Question: Does the organization document Personal Data (PD) processing activities that covers collection, receiving, processing, storage, transmission, sharing, updating and/or disposal actions with sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual requirements?
General (15)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.3 P8.1-POF4 P8.1-POF5 |
| COSO 2017 | Principle 15 |
| Generally Accepted Privacy Principles (GAPP) | 10.2.3 10.2.5 |
| ISO 27018 2014 | A.5.2 |
| NIST Privacy Framework 1.0 | CM.AW-P4 CM.AW-P6 CM.AW-P7 |
| NIST 800-37 R2 | M-5 |
| NIST 800-53 R4 | AR-6 |
| NIST 800-53 R5 (source) | PM-27 |
| NIST 800-53B R5 (privacy) (source) | PM-27 |
| NIST 800-161 R1 | PM-27 |
| NIST 800-161 R1 Level 2 | PM-27 |
| NIST 800-161 R1 Level 3 | PM-27 |
| Shared Assessments SIG 2025 | L.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | PRI-14 |
| SCF CORE AI Model Deployment | PRI-14 |
US (3)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | COMP:SG3.SP2 MON:SG2.SP3 MON:SG2.SP4 |
| US CMS MARS-E 2.0 | AR-6 |
| US - TX CDPA | 541.052(f)(1) |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 10.5(f) |
| EMEA EU GDPR (source) | 30.1 30.1(a) 30.1(b) 30.1(c) 30.1(d) 30.1(e) 30.1(f) 30.1(g) 30.2 30.2(a) 30.2(b) 30.2(c) 30.2(d) 30.3 |
| EMEA Qatar PDPPL | 6.2 |
| EMEA Saudi Arabia PDPL | 31 31.1 31.2 31.3 31.4 31.5 31.6 31.6 |
| EMEA Serbia 87/2018 | 47 47.x 48 52 52.1 52.2 52.3 52.4 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Brazil LGPD | 38 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to document Personal Data (PD) processing activities that covers collection, receiving, processing, storage, transmission, sharing, updating and/or disposal actions with sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual requirements.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to document Personal Data (PD) processing activities that covers collection, receiving, processing, storage, transmission, sharing, updating and/or disposal actions with sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual requirements.
Level 2 — Planned & Tracked
Privacy (PRI) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Privacy management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and contractual data privacy obligations for Personal Data (PD) are properly identified and implemented across the enterprise.
- IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for data privacy management.
- A qualified individual is formally assigned as the Chief Privacy Officer (CPO), or similar role, to lead the organization's data privacy program. This individual may be assigned to multiple duties, including that as a Data Protection Officer (DPO).
- The CPO, or similar role, identifies “data privacy principles” that systems, applications, services, processes and third-parties must adhere to, based on leading data privacy practices.
- IT/cybersecurity personnel develop and publish processes to identify and record the method under which PD is updated and the frequency that such updates occur.
Level 3 — Well Defined
Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
- A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
- As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
- A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
- The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
- Data/process owners operationalize data privacy controls into the processes they control.
- Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
- Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
- CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled
Privacy (PRI) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to document Personal Data (PD) processing activities that covers collection, receiving, processing, storage, transmission, sharing, updating and/or disposal actions with sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual requirements.
Assessment Objectives
- PRI-14_A01 privacy reports are defined.
- PRI-14_A02 privacy oversight bodies are defined.
- PRI-14_A03 officials responsible for monitoring privacy program compliance are defined.
- PRI-14_A04 the frequency for reviewing and updating privacy reports is defined.
- PRI-14_A05 privacy reports are developed.
- PRI-14_A06 privacy reports are disseminated to oversight bodies to demonstrate accountability with statutory, regulatory and policy privacy mandates.
- PRI-14_A07 privacy reports are disseminated to officials.
- PRI-14_A08 privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance.
- PRI-14_A09 privacy reports are reviewed / updated frequently.
Technology Recommendations
Micro/Small
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Small
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Medium
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Large
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Enterprise
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management