Skip to main content

PRI-15: Register As A Data Controller and/or Data Processor

PRI 3 — Low Identify

Mechanisms exist to register as a data controller and/or data processor, including registering databases containing Personal Data (PD) with the appropriate Data Authority, when necessary.

Control Question: Does the organization register as a data controller and/or data processor, including registering databases containing Personal Data (PD) with the appropriate Data Authority, when necessary?

General (2)
Framework Mapping Values
TISAX ISA 6 9.3.1
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PRI-15
US (1)
Framework Mapping Values
US - VT Act 171 of 2018 2446(a) 2446(a)(1) 2446(a)(2) 2446(a)(3) 2446(a)(3)(A) 2446(a)(3)(B) 2446(a)(3)(B)(i) 2446(a)(3)(B)(ii) 2446(a)(3)(B)(iii) 2446(a)(3)(C) 2446(a)(3)(D) 2446(a)(3)(E) 2446(a)(3)(F) 2446(a)(3)(G)
EMEA (17)
Framework Mapping Values
EMEA Austria Sec 16 Sec 17
EMEA Belgium 17
EMEA Germany Sec 4d Sec 4e
EMEA Greece 6
EMEA Hungary 65 66
EMEA Ireland 17
EMEA Israel 8 9
EMEA Italy 26 37
EMEA Kenya DPA 2019 18(1) 18(2) 18(2)(a) 18(2)(b) 18(2)(c) 18(2)(d) 19(1) 19(2) 19(2)(a) 19(2)(b) 19(2)(c) 19(2)(d) 19(2)(e) 19(2)(f) 19(2)(g) 19(3) 19(4) 19(5) 19(6) 19(7) 20
EMEA Netherlands 30
EMEA Norway 33
EMEA Poland 40
EMEA Russia 23
EMEA Spain 1720/2007 60
EMEA Sweden 36
EMEA Switzerland 11
EMEA Turkey 16
APAC (5)
Framework Mapping Values
APAC Hong Kong Sec 15
APAC Malaysia 14 15
APAC Philippines 46 47 48
APAC Singapore 39
APAC South Korea 32
Americas (6)
Framework Mapping Values
Americas Argentina PPL 21
Americas Argentina Reg 132-2018 21.1 21.2 21.3 24
Americas Colombia 25
Americas Costa Rica 21
Americas Peru 29
Americas Uruguay 6 29

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to register databases containing Personal Data (PD) with the appropriate Data Authority, when necessary.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to register databases containing Personal Data (PD) with the appropriate Data Authority, when necessary.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to register databases containing Personal Data (PD) with the appropriate Data Authority, when necessary.

Level 3 — Well Defined

Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
  • A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
  • As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
  • A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
  • Data/process owners operationalize data privacy controls into the processes they control.
  • Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
  • Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
  • CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled

Privacy (PRI) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to register databases containing Personal Data (PD) with the appropriate Data Authority, when necessary.

Assessment Objectives

  1. PRI-15_A01 a list of Data Authorities that require database registration is created and maintained.
  2. PRI-15_A02 as required by a law or regulation, databases containing Personal Data (PD) are registered with the appropriate Data Authority.

Evidence Requirements

E-PRI-03 Data Authority Registrations

Documented evidence of registrations made with applicable data authorities for privacy-related data processing.

Privacy

Technology Recommendations

Micro/Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Medium

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Large

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Enterprise

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free