Authority Document - Unified Compliance

Back

Asia > Ministry of Law and Justice, Government of India

Digital Personal Data Protection Act, 2023, August 11, 2023

AD ID

0003679

AD STATUS

Digital Personal Data Protection Act, 2023, August 11, 2023

ORIGINATOR

Ministry of Law and Justice, Government of India

TYPE

Statutes (Bills or Acts)

AVAILABILITY

Free

SYNONYMS

Digital Personal Data Protection Act, 2023

EFFECTIVE

2023-08-11

ADDED

The document as a whole was last reviewed and released on 2023-11-15T00:00:00-0800.

URL

Click here

AD ID

0003679

AD STATUS

Free

ORIGINATOR

Ministry of Law and Justice, Government of India

TYPE

Statutes (Bills or Acts)

AVAILABILITY

SYNONYMS

Digital Personal Data Protection Act, 2023

EFFECTIVE

2023-08-11

ADDED

The document as a whole was last reviewed and released on 2023-11-15T00:00:00-0800.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Digital Personal Data Protection Act, 2023, August 11, 2023 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Digital Personal Data Protection Act, 2023, August 11, 2023 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 84 Mandated Controls - bold
62 Implied Controls - italic 569 Implementation

Number of Controls

715 Total

Audits and risk management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain an audit program. CC ID 00684	Establish/Maintain Documentation	Preventive
Assign the audit to impartial auditors. CC ID 07118 [The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)]	Establish Roles	Preventive
Define what constitutes a threat to independence. CC ID 16824	Audits and Risk Management	Preventive
Determine if requested services create a threat to independence. CC ID 16823	Audits and Risk Management	Detective
Accept the attestation engagement when all preconditions are met. CC ID 13933	Business Processes	Preventive
Audit in scope audit items and compliance documents. CC ID 06730 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic audit; and § 10.(2)(c)(ii) The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)]	Audits and Risk Management	Preventive
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001	Actionable Reports or Measurements	Preventive
Document any after the fact changes to the engagement file. CC ID 07002	Establish/Maintain Documentation	Preventive
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179	Establish/Maintain Documentation	Preventive
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180	Establish/Maintain Documentation	Preventive
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038	Records Management	Preventive
Conduct onsite inspections, as necessary. CC ID 16199	Testing	Preventive
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946	Audits and Risk Management	Detective
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932	Audits and Risk Management	Detective
Audit policies, standards, and procedures. CC ID 12927	Audits and Risk Management	Preventive
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011	Investigate	Detective
Audit information systems, as necessary. CC ID 13010	Investigate	Detective
Audit the potential costs of compromise to information systems. CC ID 13012	Investigate	Detective
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979	Testing	Detective
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983	Testing	Detective
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557	Audits and Risk Management	Detective
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977	Process or Activity	Detective
Edit the audit assertion for accuracy. CC ID 07030	Establish/Maintain Documentation	Preventive
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982	Establish/Maintain Documentation	Preventive
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980	Testing	Detective
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978	Process or Activity	Detective
Document test plans for auditing in scope controls. CC ID 06985	Testing	Detective
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981	Testing	Detective
Determine the effectiveness of in scope controls. CC ID 06984	Testing	Detective
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157	Audits and Risk Management	Detective
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156	Audits and Risk Management	Detective
Observe processes to determine the effectiveness of in scope controls. CC ID 12155	Audits and Risk Management	Detective
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154	Audits and Risk Management	Detective
Review documentation to determine the effectiveness of in scope controls. CC ID 16522	Process or Activity	Preventive
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144	Audits and Risk Management	Detective
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556	Audits and Risk Management	Detective
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555	Audits and Risk Management	Detective
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990	Testing	Detective
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996	Establish/Maintain Documentation	Preventive
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112	Testing	Preventive
Implement procedures that collect sufficient audit evidence. CC ID 07153	Audits and Risk Management	Preventive
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154	Audits and Risk Management	Preventive
Collect audit evidence sufficient to avoid misstatements. CC ID 07155	Audits and Risk Management	Preventive
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156	Audits and Risk Management	Preventive
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157	Audits and Risk Management	Preventive
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847	Communicate	Preventive
Provide transactional walkthrough procedures for external auditors. CC ID 00672	Testing	Preventive
Establish, implement, and maintain interview procedures. CC ID 16282	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the interview procedures. CC ID 16297	Human Resources Management	Preventive
Coordinate the scheduling of interviews. CC ID 16293	Process or Activity	Preventive
Create a schedule for the interviews. CC ID 16292	Process or Activity	Preventive
Identify interviewees. CC ID 16290	Process or Activity	Preventive
Conduct interviews, as necessary. CC ID 07188	Testing	Detective
Verify statements made by interviewees are correct. CC ID 16299	Behavior	Detective
Discuss unsolved questions with the interviewee. CC ID 16298	Process or Activity	Detective
Allow interviewee to respond to explanations. CC ID 16296	Process or Activity	Detective
Explain the requirements being discussed to the interviewee. CC ID 16294	Process or Activity	Detective
Explain the goals of the interview to the interviewee. CC ID 07189	Behavior	Detective
Explain the testing results to the interviewee. CC ID 16291	Process or Activity	Preventive
Withdraw from the audit, when defined conditions exist. CC ID 13885	Process or Activity	Corrective
Establish and maintain work papers, as necessary. CC ID 13891	Establish/Maintain Documentation	Preventive
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775	Establish/Maintain Documentation	Preventive
Include audit irregularities in the work papers. CC ID 16774	Establish/Maintain Documentation	Preventive
Include corrective actions in the work papers. CC ID 16771	Establish/Maintain Documentation	Preventive
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770	Establish/Maintain Documentation	Preventive
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768	Establish/Maintain Documentation	Preventive
Include justification for departing from mandatory requirements in the work papers. CC ID 13935	Establish/Maintain Documentation	Preventive
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518	Audits and Risk Management	Preventive
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998	Establish/Maintain Documentation	Preventive
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190	Establish/Maintain Documentation	Preventive
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026	Establish/Maintain Documentation	Preventive
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997	Establish/Maintain Documentation	Preventive
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152	Audits and Risk Management	Detective
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177	Audits and Risk Management	Preventive
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987	Testing	Detective
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000	Establish/Maintain Documentation	Preventive
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999	Establish/Maintain Documentation	Preventive
Investigate the nature and causes of identified in scope control deviations. CC ID 06986	Testing	Detective
Supervise interested personnel and affected parties participating in the audit. CC ID 07150	Monitor and Evaluate Occurrences	Preventive
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151	Establish Roles	Preventive
Respond to questions or clarification requests regarding the audit. CC ID 08902	Business Processes	Preventive
Establish, implement, and maintain a risk management program. CC ID 12051	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Process or Activity	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Establish/Maintain Documentation	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Establish/Maintain Documentation	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Establish/Maintain Documentation	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Establish/Maintain Documentation	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Communicate	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Establish/Maintain Documentation	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Establish/Maintain Documentation	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Establish/Maintain Documentation	Preventive

Human Resources management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Human Resources management CC ID 00763	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Establish Roles	Preventive
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be based in India; § 10.(2)(a)(ii) {be responsible} The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and § 10.(2)(a)(iii) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— § 10.(2)(a) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— represent the Significant Data Fiduciary under the provisions of this Act; § 10.(2)(a)(i)]	Human Resources Management	Preventive
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 [{act on behalf} The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. § 6.(8)]	Human Resources Management	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources Management	Preventive
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be the point of contact for the grievance redressal mechanism under the provisions of this Act; § 10.(2)(a)(iv)]	Human Resources Management	Preventive

Leadership and high level objectives

159

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	IT Impact Zone	IT Impact Zone
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Establish/Maintain Documentation	Preventive
Establish and maintain an Authority Document list. CC ID 07113	Establish/Maintain Documentation	Preventive
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— such other measures, consistent with the provisions of this Act, as may be prescribed. § 10.(2)(c)(iii)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a financial management program. CC ID 13228 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain funds transfer procedures. CC ID 16754	Establish/Maintain Documentation	Preventive
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761	Communicate	Preventive
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760	Business Processes	Preventive
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759	Business Processes	Preventive
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758	Business Processes	Preventive
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757	Investigate	Detective
Attach the required information to each funds transfer. CC ID 16756	Business Processes	Preventive
Verify all required information is attached to each funds transfer. CC ID 16755	Business Processes	Detective
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738	Business Processes	Preventive
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750	Testing	Preventive
Include communication protocols in the financial management program. CC ID 16763	Establish/Maintain Documentation	Preventive
Include ongoing monitoring in the financial management program. CC ID 16762	Process or Activity	Preventive
Employ tools to manage settlement and funding flows. CC ID 16743	Process or Activity	Preventive
Refrain from setting up anonymous financial accounts. CC ID 16721	Business Processes	Preventive
Identify and maintain positions in financial accounts. CC ID 16751	Business Processes	Preventive
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717	Establish/Maintain Documentation	Preventive
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694	Process or Activity	Preventive
Establish, implement, and maintain financial resource management procedures. CC ID 16642	Establish/Maintain Documentation	Preventive
Document the rationale for the amount of financial resources being held. CC ID 16688	Establish/Maintain Documentation	Preventive
Supplement financial resources, as necessary. CC ID 16685	Business Processes	Preventive
Establish, implement, and maintain collateral procedures. CC ID 16653	Establish/Maintain Documentation	Preventive
Include the use of appropriate models in the collateral procedures. CC ID 16687	Establish/Maintain Documentation	Preventive
Define the collateral requirements in the collateral procedures. CC ID 16686	Establish/Maintain Documentation	Preventive
Test the collateral requirements for appropriateness. CC ID 16681	Testing	Preventive
Limit the types of assets accepted as collateral. CC ID 16602	Business Processes	Preventive
Avoid the use of concentrated holdings of assets. CC ID 16651	Business Processes	Preventive
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644	Testing	Preventive
Include stress scenarios in the stress test plan. CC ID 16659	Testing	Preventive
Analyze the effectiveness of the stress test plan. CC ID 16657	Process or Activity	Detective
Perform stress testing in accordance with the stress test plan. CC ID 16652	Testing	Preventive
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630	Communicate	Preventive
Identify and document the financial resources available for use. CC ID 16643	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain credit loss procedures. CC ID 16683	Establish/Maintain Documentation	Preventive
Include the allocation of credit losses in the credit loss procedures. CC ID 16684	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a securities trading program. CC ID 16626	Business Processes	Preventive
Include fairness and equitability standards in the securities trading program. CC ID 16690	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the securities trading program. CC ID 16689	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a capital restoration plan. CC ID 16613	Establish/Maintain Documentation	Preventive
Include performance guarantees in the capital restoration plan. CC ID 16616	Establish/Maintain Documentation	Preventive
Include corrective actions taken in the capital restoration plan. CC ID 16612	Establish/Maintain Documentation	Preventive
Include required information in the capital restoration plan. CC ID 16609	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain valuation procedures. CC ID 16634	Establish/Maintain Documentation	Preventive
Include investment information in approval requests for investments. CC ID 16590	Business Processes	Preventive
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain lending policies. CC ID 16608	Establish/Maintain Documentation	Preventive
Align the lending policy with the organization's risk acceptance level. CC ID 16716	Process or Activity	Preventive
Include the requirements for risk assessments in the lending policy. CC ID 16730	Establish/Maintain Documentation	Preventive
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728	Establish/Maintain Documentation	Preventive
Include the requirements for feasibility studies in the lending policy. CC ID 16726	Establish/Maintain Documentation	Preventive
Include pricing structures in the lending policy. CC ID 16724	Establish/Maintain Documentation	Preventive
Include monitoring requirements in the lending policy. CC ID 16710	Establish/Maintain Documentation	Preventive
Include loan origination procedures in the lending policy. CC ID 16709	Establish/Maintain Documentation	Preventive
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708	Establish/Maintain Documentation	Preventive
Include loan requirements in the lending policy. CC ID 16706	Establish/Maintain Documentation	Preventive
Include appraisals and evaluations in the lending policy. CC ID 16705	Establish/Maintain Documentation	Preventive
Include terms and conditions in the lending policy. CC ID 16695	Establish/Maintain Documentation	Preventive
Include the scope and distribution of loans in the lending policy. CC ID 16693	Establish/Maintain Documentation	Preventive
Include geographic areas in the lending policy. CC ID 16691	Establish/Maintain Documentation	Preventive
Include underwriting guidelines in the lending policy. CC ID 16619	Establish/Maintain Documentation	Preventive
Include credit review in the underwriting guidelines. CC ID 16765	Establish/Maintain Documentation	Preventive
Include loan-to-value ratio limits in the lending policy. CC ID 16618	Establish/Maintain Documentation	Preventive
Include documentation requirements in the lending policy. CC ID 16617	Establish/Maintain Documentation	Preventive
Include the purpose of the loan in the loan documentation. CC ID 16747	Establish/Maintain Documentation	Preventive
Include the source of repayment in the loan documentation. CC ID 16746	Establish/Maintain Documentation	Preventive
Include approval requirements in the lending policy. CC ID 16615	Establish/Maintain Documentation	Preventive
Include reporting requirements in the lending policy. CC ID 16614	Establish/Maintain Documentation	Preventive
Include loan portfolio diversification standards in the lending policy. CC ID 16611	Establish/Maintain Documentation	Preventive
Include loan administration procedures in the lending policy. CC ID 16610	Establish/Maintain Documentation	Preventive
Include loan participation agreements in the loan administration procedures. CC ID 16745	Establish/Maintain Documentation	Preventive
Include termination procedures in the loan participation agreement. CC ID 16753	Establish/Maintain Documentation	Preventive
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752	Establish/Maintain Documentation	Preventive
Include servicing agreements in the loan administration procedures. CC ID 16744	Establish/Maintain Documentation	Preventive
Include claims processing in the loan administration procedures. CC ID 16742	Establish/Maintain Documentation	Preventive
Include forbearance management in the loan administration procedures. CC ID 16741	Establish/Maintain Documentation	Preventive
Include foreclosure management in the loan administration procedures. CC ID 16740	Establish/Maintain Documentation	Preventive
Include delinquency management in the loan administration procedures. CC ID 16739	Establish/Maintain Documentation	Preventive
Include customer due diligence in the loan administration procedures. CC ID 16736	Process or Activity	Preventive
Include the requirements for financial statements in the loan administration procedures. CC ID 16735	Establish/Maintain Documentation	Preventive
Include loan closing in the loan administration procedures. CC ID 16734	Establish/Maintain Documentation	Preventive
Include payoff statements in the loan administration procedures. CC ID 16733	Establish/Maintain Documentation	Preventive
Include payment processing in the loan administration procedures. CC ID 16732	Establish/Maintain Documentation	Preventive
Include loan reviews in the loan administration procedures. CC ID 16703	Establish/Maintain Documentation	Preventive
Include collections in the loan administration procedures. CC ID 16701	Establish/Maintain Documentation	Preventive
Include collateral inspections in the loan administration procedures. CC ID 16699	Establish/Maintain Documentation	Preventive
Include disbursements in the loan administration procedures. CC ID 16697	Establish/Maintain Documentation	Preventive
Review and approve lending policies. CC ID 16607	Business Processes	Preventive
Establish, implement, and maintain a dividend policy. CC ID 16569	Establish/Maintain Documentation	Preventive
Include compliance requirements in the dividend policy. CC ID 16570	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain margin systems. CC ID 16601	Business Processes	Preventive
Include valuation models in the margin system. CC ID 16663	Data and Information Management	Preventive
Include procedures for collecting price data in the margin system. CC ID 16662	Data and Information Management	Preventive
Include reliable sources for price data in the margin system. CC ID 16661	Data and Information Management	Preventive
Validate the margin system on a regular basis. CC ID 16660	Testing	Detective
Assess the properties of the margin model used in the margin system. CC ID 16658	Process or Activity	Detective
Monitor the performance of the margin system. CC ID 16655	Monitor and Evaluate Occurrences	Detective
Analyze the performance of the margin system. CC ID 16654	Process or Activity	Detective
Establish, implement, and maintain capital adequacy measures. CC ID 16568	Business Processes	Preventive
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564	Establish/Maintain Documentation	Preventive
Determine the amount of assets to be held in escrow. CC ID 16575	Investigate	Detective
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565	Communicate	Preventive
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279	Establish/Maintain Documentation	Preventive
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764	Establish/Maintain Documentation	Preventive
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692	Establish/Maintain Documentation	Preventive
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631	Establish/Maintain Documentation	Preventive
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640	Data and Information Management	Preventive
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650	Data and Information Management	Preventive
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639	Data and Information Management	Preventive
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645	Data and Information Management	Preventive
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638	Data and Information Management	Preventive
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637	Data and Information Management	Preventive
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636	Data and Information Management	Preventive
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635	Data and Information Management	Preventive
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633	Data and Information Management	Preventive
Include account information In the recordkeeping system for securities transactions. CC ID 16632	Data and Information Management	Preventive
Establish, implement, and maintain securities transaction notifications. CC ID 16600	Establish/Maintain Documentation	Preventive
Include the call date in the securities transaction notification. CC ID 16680	Establish/Maintain Documentation	Preventive
Include service charges and commissions in the securities transaction notification. CC ID 16702	Establish/Maintain Documentation	Preventive
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679	Establish/Maintain Documentation	Preventive
Include the call price in the securities transaction notification. CC ID 16678	Establish/Maintain Documentation	Preventive
Include debits and credits in the securities transaction notification. CC ID 16677	Establish/Maintain Documentation	Preventive
Include transactions in the securities transaction notification. CC ID 16676	Establish/Maintain Documentation	Preventive
Include the credit rating of securities in the securities transaction notification. CC ID 16674	Establish/Maintain Documentation	Preventive
Include yield information in the securities transaction notification. CC ID 16673	Establish/Maintain Documentation	Preventive
Include redemption information in the securities transaction notification. CC ID 16672	Establish/Maintain Documentation	Preventive
Include the price calculated from the yield in the securities transaction notification. CC ID 16669	Establish/Maintain Documentation	Preventive
Include the type of call in the securities transaction notification. CC ID 16668	Establish/Maintain Documentation	Preventive
Include an account statement in the securities transaction notification. CC ID 16666	Establish/Maintain Documentation	Preventive
Include the yield to maturity in the securities transaction notification. CC ID 16665	Establish/Maintain Documentation	Preventive
Include the execution price in the securities transaction notification. CC ID 16664	Establish/Maintain Documentation	Preventive
Include the organization's role in the securities transaction notification. CC ID 16646	Establish/Maintain Documentation	Preventive
Include the name of the broker in the securities transaction notification. CC ID 16647	Establish/Maintain Documentation	Preventive
Include the name of the customer in the securities transaction notification. CC ID 16625	Establish/Maintain Documentation	Preventive
Include the organization's name in the securities transaction notification. CC ID 16624	Establish/Maintain Documentation	Preventive
Include confirmations in the securities transaction notification. CC ID 16623	Establish/Maintain Documentation	Preventive
Include remunerations in the securities transaction notification. CC ID 16622	Establish/Maintain Documentation	Preventive
Include requested information in the securities transaction notification. CC ID 16641	Establish/Maintain Documentation	Preventive
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621	Communicate	Preventive
Include the execution date in the securities transaction notification. CC ID 16620	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain financial reports. CC ID 14770	Establish/Maintain Documentation	Preventive
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776	Establish/Maintain Documentation	Preventive
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779	Establish/Maintain Documentation	Preventive
Include the business need justification for lost value in the financial report. CC ID 15588	Establish/Maintain Documentation	Preventive
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342	Communicate	Preventive
Include financial statements in the financial report, as necessary. CC ID 14775	Establish/Maintain Documentation	Preventive
Include capital deductions and adjustments in the financial statement. CC ID 16667	Establish/Maintain Documentation	Preventive
Include earnings per share or loss per share in the financial statement. CC ID 16597	Establish/Maintain Documentation	Preventive
Include material contingencies in the financial statement. CC ID 16596	Establish/Maintain Documentation	Preventive
Include notes to financial statements in the financial report, as necessary. CC ID 14780	Establish/Maintain Documentation	Preventive
Include information on loans to small businesses and small farms in the call report. CC ID 16731	Establish/Maintain Documentation	Preventive
Include assets and liabilities in the call report. CC ID 16729	Establish/Maintain Documentation	Preventive
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727	Communicate	Preventive

Operational management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Establish/Maintain Documentation	Preventive
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)]	Process or Activity	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Establish/Maintain Documentation	Preventive
Include technical safeguards in the information security program. CC ID 12374 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain operational control procedures. CC ID 00831 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Establish/Maintain Documentation	Preventive
Include assigning and approving operations in operational control procedures. CC ID 06382	Establish/Maintain Documentation	Preventive
Include startup processes in operational control procedures. CC ID 00833	Establish/Maintain Documentation	Preventive
Include change control processes in the operational control procedures. CC ID 16793	Establish/Maintain Documentation	Preventive
Establish and maintain a data processing run manual. CC ID 00832	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Establish/Maintain Documentation	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Process or Activity	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Establish/Maintain Documentation	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Establish/Maintain Documentation	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Establish/Maintain Documentation	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Establish/Maintain Documentation	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Establish/Maintain Documentation	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Establish/Maintain Documentation	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Establish/Maintain Documentation	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Establish/Maintain Documentation	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Establish/Maintain Documentation	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Establish/Maintain Documentation	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Establish/Maintain Documentation	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Establish/Maintain Documentation	Preventive
Include information sharing procedures in standard operating procedures. CC ID 12974	Records Management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Business Processes	Preventive
Provide support for information sharing activities. CC ID 15644	Process or Activity	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Business Processes	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Establish/Maintain Documentation	Corrective
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Communicate	Preventive
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Establish/Maintain Documentation	Preventive
Establish and maintain a job schedule exceptions list. CC ID 00835	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Establish/Maintain Documentation	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)]	Business Processes	Preventive
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Process or Activity	Preventive
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Process or Activity	Preventive
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Process or Activity	Preventive
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Process or Activity	Preventive
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Process or Activity	Preventive
Analyze the organizational culture. CC ID 12899	Process or Activity	Preventive
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Process or Activity	Detective
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Process or Activity	Detective
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Process or Activity	Detective
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Behavior	Preventive
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Business Processes	Preventive
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Business Processes	Preventive
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Business Processes	Preventive
Include skill development in the analysis of the organizational culture. CC ID 12913	Behavior	Preventive
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Behavior	Preventive
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Business Processes	Preventive
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Behavior	Preventive
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Behavior	Preventive
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747	Process or Activity	Corrective
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. § 8.(1)]	Establish/Maintain Documentation	Preventive
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Communicate	Preventive
Review systems for compliance with organizational information security policies. CC ID 12004	Business Processes	Preventive
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815	Behavior	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Business Processes	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Establish/Maintain Documentation	Preventive
Share incident information with interested personnel and affected parties. CC ID 01212	Data and Information Management	Corrective
Report data loss event information to breach notification organizations. CC ID 01210 [In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. § 8.(6)]	Data and Information Management	Corrective
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Log Management	Detective
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Communicate	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Communicate	Preventive
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Behavior	Corrective

Privacy protection for information and data

363

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Privacy protection for information and data CC ID 00008	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Data and Information Management	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Establish/Maintain Documentation	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i)]	Establish/Maintain Documentation	Preventive
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– § 5.(2) ¶ 1(a) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— § 5.(1) ¶ 1]	Communicate	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Establish/Maintain Documentation	Preventive
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Communicate	Preventive
Notify data subjects about their privacy rights. CC ID 12989 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(1) ¶ 1(ii) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(2) ¶ 1(a)(ii)]	Communicate	Preventive
Establish, implement, and maintain adequate openness procedures. CC ID 00377	Data and Information Management	Preventive
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Behavior	Preventive
Define what is included in registration notices. CC ID 00386	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the registration notice. CC ID 16803	Establish Roles	Preventive
Include the verification method in the registration notice. CC ID 16798	Establish/Maintain Documentation	Preventive
Include the statutory authority in the registration notice. CC ID 16799	Establish/Maintain Documentation	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Establish/Maintain Documentation	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Establish/Maintain Documentation	Preventive
Include information about the dispute resolution body in the registration notice. CC ID 16800	Establish/Maintain Documentation	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Establish/Maintain Documentation	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Establish/Maintain Documentation	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Establish/Maintain Documentation	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625 [{shall not apply} {requirement} {Data Principal} {furnish} {information} Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences. § 11.(2)]	Communicate	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Communicate	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Communicate	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Communicate	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Communicate	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Establish/Maintain Documentation	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396	Data and Information Management	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573 [A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. § 8.(9) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)]	Business Processes	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602 [A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)]	Process or Activity	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— any other information related to the personal data of such Data Principal and its processing, as may be prescribed. § 11.(1)(c) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; § 11.(1)(a)]	Establish/Maintain Documentation	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)]	Data and Information Management	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Establish/Maintain Documentation	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Establish/Maintain Documentation	Preventive
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Establish/Maintain Documentation	Preventive
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Establish/Maintain Documentation	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)]	Establish/Maintain Documentation	Preventive
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Establish/Maintain Documentation	Preventive
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Establish/Maintain Documentation	Preventive
Include the disclosure date in the disclosure accounting record. CC ID 07133	Establish/Maintain Documentation	Preventive
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Establish/Maintain Documentation	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Establish/Maintain Documentation	Preventive
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Establish/Maintain Documentation	Preventive
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Establish/Maintain Documentation	Preventive
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Establish/Maintain Documentation	Preventive
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Establish/Maintain Documentation	Preventive
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Establish/Maintain Documentation	Preventive
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Establish/Maintain Documentation	Preventive
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860	Data and Information Management	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Communicate	Preventive
Establish, implement, and maintain a privacy policy. CC ID 06281	Establish/Maintain Documentation	Preventive
Document privacy policies in clearly written and easily understood language. CC ID 00376	Establish/Maintain Documentation	Detective
Write privacy notices in the official languages required by law. CC ID 16529 [The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution. § 5.(3)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Establish/Maintain Documentation	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent. § 5.(2)(b)]	Data and Information Management	Preventive
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Business Processes	Preventive
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Business Processes	Preventive
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)]	Data and Information Management	Preventive
Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880	Technical Security	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)]	Business Processes	Preventive
Allow consent requests to be provided in any official languages. CC ID 16530 [Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)]	Business Processes	Preventive
Give individuals the ability to change the uses of their personal data. CC ID 00469 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)]	Data and Information Management	Preventive
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)]	Data and Information Management	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Establish/Maintain Documentation	Preventive
Require data controllers to be accountable for their actions. CC ID 00470 [Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder. § 6.(10)]	Establish Roles	Preventive
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610	Human Resources Management	Preventive
Notify the supervisory authority. CC ID 00472	Behavior	Preventive
Establish, implement, and maintain approval applications. CC ID 16778	Establish/Maintain Documentation	Preventive
Define the requirements for approving or denying approval applications. CC ID 16780	Business Processes	Preventive
Submit approval applications to the supervisory authority. CC ID 16627	Communicate	Preventive
Include required information in the approval application. CC ID 16628	Establish/Maintain Documentation	Preventive
Extend the time limit for approving or denying approval applications. CC ID 16779	Business Processes	Preventive
Approve the approval application unless applicant has been convicted. CC ID 16603	Process or Activity	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606	Process or Activity	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Communicate	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Communicate	Corrective
Cooperate with Data Protection Authorities. CC ID 06870	Data and Information Management	Preventive
Submit a safe harbor self-certification letter. CC ID 06871	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. § 8.(2)]	Establish/Maintain Documentation	Preventive
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812	Establish/Maintain Documentation	Preventive
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685	Establish/Maintain Documentation	Preventive
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Establish/Maintain Documentation	Preventive
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938	Establish/Maintain Documentation	Preventive
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937	Establish/Maintain Documentation	Preventive
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936	Establish/Maintain Documentation	Preventive
Include the duration of processing in the Data Processing Contract. CC ID 14935	Establish/Maintain Documentation	Preventive
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Establish/Maintain Documentation	Preventive
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679	Establish/Maintain Documentation	Preventive
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678	Establish/Maintain Documentation	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676	Establish/Maintain Documentation	Preventive
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686	Human Resources Management	Preventive
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670	Establish/Maintain Documentation	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{not be served} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– exercise any of her rights in relation to such processing, § 8.(8) ¶ 1(b) {requirement} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– approach the Data Fiduciary for the performance of the specified purpose; and § 8.(8) ¶ 1(a)]	Establish/Maintain Documentation	Preventive
Display or print the least amount of personal data necessary. CC ID 04643	Data and Information Management	Preventive
Redact confidential information from public information, as necessary. CC ID 06872	Data and Information Management	Preventive
Notify the data subject of the collection purpose. CC ID 00095	Behavior	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Data and Information Management	Preventive
Document the law that requires restricted data to be collected. CC ID 00103	Establish/Maintain Documentation	Preventive
Notify the data subject of the consequences for not providing personal data. CC ID 00104 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)]	Behavior	Preventive
Notify the data subject of changes to personal data use. CC ID 00105	Behavior	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Establish/Maintain Documentation	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Establish/Maintain Documentation	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Establish/Maintain Documentation	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Establish/Maintain Documentation	Preventive
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Behavior	Preventive
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Establish/Maintain Documentation	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125	Data and Information Management	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Records Management	Preventive
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Communicate	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414	Establish/Maintain Documentation	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i)]	Data and Information Management	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)]	Establish/Maintain Documentation	Preventive
Submit personal data removal requests in writing. CC ID 11973	Records Management	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Establish/Maintain Documentation	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Records Management	Corrective
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Establish/Maintain Documentation	Preventive
Refrain from processing restricted data, as necessary. CC ID 12551	Records Management	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)]	Process or Activity	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197	Data and Information Management	Preventive
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)]	Data and Information Management	Preventive
Process restricted data lawfully and carefully. CC ID 00086 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— § 4.(1) The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data. § 7.(b) ¶ 2 {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)]	Establish Roles	Preventive
Analyze requirements for processing personal data in contracts. CC ID 12550	Investigate	Detective
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Technical Security	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Data and Information Management	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Communicate	Corrective
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Records Management	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Data and Information Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Records Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Process or Activity	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Records Management	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Data and Information Management	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Establish/Maintain Documentation	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Data and Information Management	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Establish/Maintain Documentation	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Establish/Maintain Documentation	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Data and Information Management	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Data and Information Management	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Data and Information Management	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or § 7.(b) ¶ 1(i) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for which the Data Principal has given her consent; or § 4.(1)(a)]	Data and Information Management	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, § 7.(b) ¶ 1(ii)]	Data and Information Management	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)]	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; § 7.(g) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)]	Data and Information Management	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Data and Information Management	Preventive
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for certain legitimate uses. § 4.(1)(b)]	Data and Information Management	Preventive
Process traffic data in a controlled manner. CC ID 00130	Data and Information Management	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to providepan> or style="background-color:#CBD0E5;" class="term_secondary-verb">issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be <span style="background-color:#CBD0E5;" class="term_secondary-verb">prescribed, where–– § 7.(b) ¶ 1]	Data and Information Management	Preventive
Process personal data when it is publicly accessible. CC ID 00187	Data and Information Management	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Data and Information Management	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)]	Business Processes	Preventive
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Communicate	Corrective
Process personal data for the purposes of employment. CC ID 16527 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i)]	Data and Information Management	Preventive
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e)]	Data and Information Management	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)]	Data and Information Management	Preventive
Process personal data in order to advance the public interest. CC ID 00191 [The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)]	Data and Information Management	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192	Data and Information Management	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Data and Information Management	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Data and Information Management	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. § 7.(h) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)]	Data and Information Management	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Data and Information Management	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Data and Information Management	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Data and Information Management	Preventive
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed. § 9.(4)]	Data and Information Management	Preventive
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012	Process or Activity	Preventive
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Data and Information Management	Preventive
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615	Data and Information Management	Preventive
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Data and Information Management	Preventive
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611	Data and Information Management	Preventive
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580	Data and Information Management	Preventive
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282	Data and Information Management	Preventive
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587	Data and Information Management	Preventive
Process personal data absent consent in order to perform a contract. CC ID 13586 [{requirement} {be outside} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; § 17.(1)(d)]	Data and Information Management	Preventive
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Data and Information Management	Preventive
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814	Data and Information Management	Preventive
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294	Data and Information Management	Preventive
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Data and Information Management	Preventive
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b)]	Data and Information Management	Preventive
Process personal data absent consent when it is needed by law. CC ID 13577 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data is necessary for enforcing any legal right or claim; § 17.(1)(a) {judicial function} {quasi-judicial function} {regulatory function} {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function; § 17.(1)(b) {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India; § 17.(1)(c) {timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)]	Data and Information Management	Preventive
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296	Data and Information Management	Preventive
Process personal data absent consent when it is from publicly available information. CC ID 13576	Data and Information Management	Preventive
Process personal data absent consent to create a credit report. CC ID 15288	Data and Information Management	Preventive
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575	Data and Information Management	Preventive
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291	Data and Information Management	Preventive
Process personal data absent consent when produced for business purposes. CC ID 13563	Data and Information Management	Preventive
Process personal data absent consent for handling insurance claims. CC ID 13561	Data and Information Management	Preventive
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and § 17.(1)(e)]	Data and Information Management	Preventive
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Data and Information Management	Preventive
Process personal data absent consent for life-threatening emergencies. CC ID 13558	Data and Information Management	Preventive
Process personal data absent consent for reasonable investigative purposes. CC ID 13557	Data and Information Management	Preventive
Define the exceptions to disclosure absent consent. CC ID 00135	Establish/Maintain Documentation	Preventive
Define how a data subject may give consent. CC ID 00160 [Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement. § 6.(2)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [{refrain from serving} A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and § 8.(7)(a)]	Establish/Maintain Documentation	Preventive
Capture personal data removal requests. CC ID 13507	Communicate	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3)]	Records Management	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Process or Activity	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Process or Activity	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178	Data and Information Management	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed. § 9.(1)]	Data and Information Management	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Data and Information Management	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)]	Establish/Maintain Documentation	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435	Data and Information Management	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Data and Information Management	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Data and Information Management	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Data and Information Management	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Data and Information Management	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Data and Information Management	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441	Data and Information Management	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Data and Information Management	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Data and Information Management	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Process or Activity	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Data and Information Management	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Data and Information Management	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Data and Information Management	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Data and Information Management	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Data and Information Management	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Data and Information Management	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Data and Information Management	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Data and Information Management	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Data and Information Management	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Data and Information Management	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Data and Information Management	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Data and Information Management	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453	Data and Information Management	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Communicate	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Data and Information Management	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Process or Activity	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Establish/Maintain Documentation	Preventive
Use personal data for specified purposes. CC ID 11831 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a)]	Data and Information Management	Preventive
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012	Data and Information Management	Preventive
Document each individual's personal data collection consent preferences. CC ID 06945	Establish/Maintain Documentation	Preventive
Provide explicit consent that is clear and unambiguous. CC ID 00181 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)]	Data and Information Management	Preventive
Give special attention to collecting children's data. CC ID 00038 [A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child. § 9.(2)]	Data and Information Management	Preventive
Use simple understandable language to collect information from children. CC ID 00039	Behavior	Preventive
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Establish/Maintain Documentation	Preventive
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Data and Information Management	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Establish/Maintain Documentation	Preventive
Implement security measures to protect personal data. CC ID 13606 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)]	Technical Security	Preventive
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder. § 13.(1)]	Data and Information Management	Preventive
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852	Behavior	Preventive
Implement procedures to file privacy rights violation complaints. CC ID 00476	Data and Information Management	Corrective
File privacy rights violation complaints in writing. CC ID 00477	Establish/Maintain Documentation	Corrective
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360	Establish/Maintain Documentation	Corrective
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359	Establish/Maintain Documentation	Preventive
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which the Data Principal may make a complaint to the Board, § 5.(2) ¶ 1(a)(iii) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which the Data Principal may make a complaint to the Board, § 5.(1) ¶ 1(iii)]	Behavior	Corrective
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807	Business Processes	Preventive
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479	Behavior	Corrective
Change or destroy any personal data that is incorrect. CC ID 00462 [A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— correct the inaccurate or misleading personal data; § 12.(2)(a) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— complete the incomplete personal data; and § 12.(2)(b) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— update the personal data. § 12.(2)(c)]	Data and Information Management	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Behavior	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Data and Information Management	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Data and Information Management	Corrective
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals. § 8.(10)]	Establish/Maintain Documentation	Preventive
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Establish/Maintain Documentation	Preventive
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Establish/Maintain Documentation	Preventive
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [{time requirement} The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries. § 13.(2)]	Establish/Maintain Documentation	Preventive
Document unresolved challenges. CC ID 13568	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Establish/Maintain Documentation	Preventive
Notify individuals of their right to challenge personal data. CC ID 00457	Data and Information Management	Preventive
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Data and Information Management	Preventive
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Configuration	Preventive
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Human Resources Management	Preventive
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Data and Information Management	Preventive
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861	Communicate	Preventive
Investigate the disputed accuracy of personal data. CC ID 00461	Data and Information Management	Preventive
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Behavior	Corrective
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor. § 8.(7)(b)]	Behavior	Corrective
Notify third parties of unresolved challenges. CC ID 13559	Communicate	Preventive
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Establish/Maintain Documentation	Preventive
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954	Establish/Maintain Documentation	Preventive
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475	Data and Information Management	Corrective
Investigate privacy rights violation complaints. CC ID 00480	Behavior	Detective
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364	Business Processes	Corrective
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491	Behavior	Detective
Include the allegations against the organization in the notice of investigation. CC ID 13031	Establish/Maintain Documentation	Preventive
Investigate privacy rights violation complaints in private. CC ID 00492	Behavior	Detective
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493	Behavior	Detective
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494	Behavior	Detective
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481	Behavior	Preventive
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486	Behavior	Preventive
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Behavior	Preventive
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488	Behavior	Preventive
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489	Behavior	Preventive
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513	Communicate	Corrective
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495	Establish/Maintain Documentation	Corrective
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496	Behavior	Corrective
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board. § 13.(3)]	Establish/Maintain Documentation	Detective
Order the organization to change to be in compliance with applicable law. CC ID 00499	Behavior	Corrective
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500	Behavior	Corrective
Award damages based on applicable law. CC ID 00501	Behavior	Corrective
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503	Data and Information Management	Corrective
Define the organization's liability based on the applicable law. CC ID 00504	Establish/Maintain Documentation	Preventive
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Establish/Maintain Documentation	Preventive
Define the appeal process based on the applicable law. CC ID 00506 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)]	Establish/Maintain Documentation	Preventive
Define the fee structure for the appeal process. CC ID 16532 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)]	Process or Activity	Preventive
Define the time requirements for the appeal process. CC ID 16531 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)]	Process or Activity	Preventive
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544	Communicate	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542	Communicate	Preventive
Provide notice of proposed penalties. CC ID 06216	Establish/Maintain Documentation	Preventive
Notify the public and other agencies after a penalty becomes final. CC ID 06217	Behavior	Preventive
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218	Testing	Detective
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Data and Information Management	Preventive
Establish, implement, and maintain customer data authentication procedures. CC ID 13187	Establish/Maintain Documentation	Preventive
Check the accuracy of restricted data. CC ID 00088 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2]	Data and Information Management	Preventive
Record restricted data correctly. CC ID 00089	Testing	Detective
Check that restricted data is complete. CC ID 00090 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2]	Data and Information Management	Preventive

Records management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Records management CC ID 00902	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain records management procedures. CC ID 11619	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2]	Establish Roles	Preventive
Compare each record's data input to its final form. CC ID 11813	Records Management	Detective
Sanitize user input in accordance with organizational standards. CC ID 16856	Process or Activity	Preventive
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924	Data and Information Management	Preventive
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659	Establish/Maintain Documentation	Preventive

Technical security

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Technical security CC ID 00508	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a digital identity management program. CC ID 13713	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. § 6.(7) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder. § 14.(1)]	Establish/Maintain Documentation	Preventive
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802	Establish/Maintain Documentation	Preventive
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801	Establish/Maintain Documentation	Preventive
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800	Establish/Maintain Documentation	Preventive
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799	Establish/Maintain Documentation	Preventive

Third Party and supply chain oversight

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Third Party and supply chain oversight CC ID 08807	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a supply chain management program. CC ID 11742	Establish/Maintain Documentation	Preventive
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794	Process or Activity	Detective
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)]	Testing	Detective
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366	Testing	Detective
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432	Establish/Maintain Documentation	Preventive
Establish the third party's service continuity. CC ID 00797	Testing	Detective
Determine the adequacy of a third party's alternate site preparations. CC ID 06879	Testing	Detective
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264	Data and Information Management	Detective
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087	Testing	Detective

Common Controls and
mandates by Type 84 Mandated Controls - bold
62 Implied Controls - italic 569 Implementation

Number of Controls

715 Total

Actionable Reports or Measurements

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001	Audits and risk management	Preventive

Audits and Risk Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Define what constitutes a threat to independence. CC ID 16824	Audits and risk management	Preventive
Determine if requested services create a threat to independence. CC ID 16823	Audits and risk management	Detective
Audit in scope audit items and compliance documents. CC ID 06730 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic audit; and § 10.(2)(c)(ii) The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)]	Audits and risk management	Preventive
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946	Audits and risk management	Detective
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932	Audits and risk management	Detective
Audit policies, standards, and procedures. CC ID 12927	Audits and risk management	Preventive
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557	Audits and risk management	Detective
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157	Audits and risk management	Detective
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156	Audits and risk management	Detective
Observe processes to determine the effectiveness of in scope controls. CC ID 12155	Audits and risk management	Detective
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154	Audits and risk management	Detective
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144	Audits and risk management	Detective
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556	Audits and risk management	Detective
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555	Audits and risk management	Detective
Implement procedures that collect sufficient audit evidence. CC ID 07153	Audits and risk management	Preventive
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154	Audits and risk management	Preventive
Collect audit evidence sufficient to avoid misstatements. CC ID 07155	Audits and risk management	Preventive
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156	Audits and risk management	Preventive
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157	Audits and risk management	Preventive
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518	Audits and risk management	Preventive
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152	Audits and risk management	Detective
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177	Audits and risk management	Preventive

Behavior

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Verify statements made by interviewees are correct. CC ID 16299	Audits and risk management	Detective
Explain the goals of the interview to the interviewee. CC ID 07189	Audits and risk management	Detective
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Operational management	Preventive
Include skill development in the analysis of the organizational culture. CC ID 12913	Operational management	Preventive
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Operational management	Preventive
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Operational management	Preventive
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Operational management	Preventive
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815	Operational management	Preventive
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Corrective
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Privacy protection for information and data	Preventive
Notify the supervisory authority. CC ID 00472	Privacy protection for information and data	Preventive
Notify the data subject of the collection purpose. CC ID 00095	Privacy protection for information and data	Preventive
Notify the data subject of the consequences for not providing personal data. CC ID 00104 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)]	Privacy protection for information and data	Preventive
Notify the data subject of changes to personal data use. CC ID 00105	Privacy protection for information and data	Preventive
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Privacy protection for information and data	Preventive
Use simple understandable language to collect information from children. CC ID 00039	Privacy protection for information and data	Preventive
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852	Privacy protection for information and data	Preventive
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which the Data Principal may make a complaint to the Board, § 5.(2) ¶ 1(a)(iii) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which the Data Principal may make a complaint to the Board, § 5.(1) ¶ 1(iii)]	Privacy protection for information and data	Corrective
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479	Privacy protection for information and data	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Corrective
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Privacy protection for information and data	Corrective
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor. § 8.(7)(b)]	Privacy protection for information and data	Corrective
Investigate privacy rights violation complaints. CC ID 00480	Privacy protection for information and data	Detective
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491	Privacy protection for information and data	Detective
Investigate privacy rights violation complaints in private. CC ID 00492	Privacy protection for information and data	Detective
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493	Privacy protection for information and data	Detective
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494	Privacy protection for information and data	Detective
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481	Privacy protection for information and data	Preventive
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489	Privacy protection for information and data	Preventive
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496	Privacy protection for information and data	Corrective
Order the organization to change to be in compliance with applicable law. CC ID 00499	Privacy protection for information and data	Corrective
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500	Privacy protection for information and data	Corrective
Award damages based on applicable law. CC ID 00501	Privacy protection for information and data	Corrective
Notify the public and other agencies after a penalty becomes final. CC ID 06217	Privacy protection for information and data	Preventive

Business Processes

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760	Leadership and high level objectives	Preventive
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759	Leadership and high level objectives	Preventive
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758	Leadership and high level objectives	Preventive
Attach the required information to each funds transfer. CC ID 16756	Leadership and high level objectives	Preventive
Verify all required information is attached to each funds transfer. CC ID 16755	Leadership and high level objectives	Detective
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738	Leadership and high level objectives	Preventive
Refrain from setting up anonymous financial accounts. CC ID 16721	Leadership and high level objectives	Preventive
Identify and maintain positions in financial accounts. CC ID 16751	Leadership and high level objectives	Preventive
Supplement financial resources, as necessary. CC ID 16685	Leadership and high level objectives	Preventive
Limit the types of assets accepted as collateral. CC ID 16602	Leadership and high level objectives	Preventive
Avoid the use of concentrated holdings of assets. CC ID 16651	Leadership and high level objectives	Preventive
Establish, implement, and maintain a securities trading program. CC ID 16626	Leadership and high level objectives	Preventive
Include investment information in approval requests for investments. CC ID 16590	Leadership and high level objectives	Preventive
Review and approve lending policies. CC ID 16607	Leadership and high level objectives	Preventive
Establish, implement, and maintain margin systems. CC ID 16601	Leadership and high level objectives	Preventive
Establish, implement, and maintain capital adequacy measures. CC ID 16568	Leadership and high level objectives	Preventive
Accept the attestation engagement when all preconditions are met. CC ID 13933	Audits and risk management	Preventive
Respond to questions or clarification requests regarding the audit. CC ID 08902	Audits and risk management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Operational management	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Operational management	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)]	Operational management	Preventive
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Operational management	Preventive
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Operational management	Preventive
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Operational management	Preventive
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Operational management	Preventive
Review systems for compliance with organizational information security policies. CC ID 12004	Operational management	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573 [A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. § 8.(9) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)]	Privacy protection for information and data	Preventive
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Privacy protection for information and data	Preventive
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Privacy protection for information and data	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)]	Privacy protection for information and data	Preventive
Allow consent requests to be provided in any official languages. CC ID 16530 [Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)]	Privacy protection for information and data	Preventive
Define the requirements for approving or denying approval applications. CC ID 16780	Privacy protection for information and data	Preventive
Extend the time limit for approving or denying approval applications. CC ID 16779	Privacy protection for information and data	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)]	Privacy protection for information and data	Preventive
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807	Privacy protection for information and data	Preventive
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364	Privacy protection for information and data	Corrective

Communicate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761	Leadership and high level objectives	Preventive
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630	Leadership and high level objectives	Preventive
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565	Leadership and high level objectives	Preventive
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621	Leadership and high level objectives	Preventive
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342	Leadership and high level objectives	Preventive
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727	Leadership and high level objectives	Preventive
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847	Audits and risk management	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Audits and risk management	Preventive
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Operational management	Preventive
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Operational management	Preventive
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Preventive
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– § 5.(2) ¶ 1(a) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— § 5.(1) ¶ 1]	Privacy protection for information and data	Preventive
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Privacy protection for information and data	Preventive
Notify data subjects about their privacy rights. CC ID 12989 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(1) ¶ 1(ii) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(2) ¶ 1(a)(ii)]	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625 [{shall not apply} {requirement} {Data Principal} {furnish} {information} Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences. § 11.(2)]	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Privacy protection for information and data	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Privacy protection for information and data	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Privacy protection for information and data	Preventive
Submit approval applications to the supervisory authority. CC ID 16627	Privacy protection for information and data	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Privacy protection for information and data	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Privacy protection for information and data	Corrective
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Privacy protection for information and data	Corrective
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Privacy protection for information and data	Corrective
Capture personal data removal requests. CC ID 13507	Privacy protection for information and data	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Preventive
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861	Privacy protection for information and data	Preventive
Notify third parties of unresolved challenges. CC ID 13559	Privacy protection for information and data	Preventive
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513	Privacy protection for information and data	Corrective
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544	Privacy protection for information and data	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542	Privacy protection for information and data	Preventive

Configuration

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Privacy protection for information and data	Preventive

Data and Information Management

162

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include valuation models in the margin system. CC ID 16663	Leadership and high level objectives	Preventive
Include procedures for collecting price data in the margin system. CC ID 16662	Leadership and high level objectives	Preventive
Include reliable sources for price data in the margin system. CC ID 16661	Leadership and high level objectives	Preventive
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640	Leadership and high level objectives	Preventive
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650	Leadership and high level objectives	Preventive
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639	Leadership and high level objectives	Preventive
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645	Leadership and high level objectives	Preventive
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638	Leadership and high level objectives	Preventive
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637	Leadership and high level objectives	Preventive
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636	Leadership and high level objectives	Preventive
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635	Leadership and high level objectives	Preventive
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633	Leadership and high level objectives	Preventive
Include account information In the recordkeeping system for securities transactions. CC ID 16632	Leadership and high level objectives	Preventive
Share incident information with interested personnel and affected parties. CC ID 01212	Operational management	Corrective
Report data loss event information to breach notification organizations. CC ID 01210 [In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. § 8.(6)]	Operational management	Corrective
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924	Records management	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Preventive
Establish, implement, and maintain adequate openness procedures. CC ID 00377	Privacy protection for information and data	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396	Privacy protection for information and data	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)]	Privacy protection for information and data	Preventive
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860	Privacy protection for information and data	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent. § 5.(2)(b)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)]	Privacy protection for information and data	Preventive
Give individuals the ability to change the uses of their personal data. CC ID 00469 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)]	Privacy protection for information and data	Preventive
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)]	Privacy protection for information and data	Preventive
Cooperate with Data Protection Authorities. CC ID 06870	Privacy protection for information and data	Preventive
Display or print the least amount of personal data necessary. CC ID 04643	Privacy protection for information and data	Preventive
Redact confidential information from public information, as necessary. CC ID 06872	Privacy protection for information and data	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Privacy protection for information and data	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125	Privacy protection for information and data	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i)]	Privacy protection for information and data	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197	Privacy protection for information and data	Preventive
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)]	Privacy protection for information and data	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Privacy protection for information and data	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Privacy protection for information and data	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Privacy protection for information and data	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Privacy protection for information and data	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Privacy protection for information and data	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or § 7.(b) ¶ 1(i) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for which the Data Principal has given her consent; or § 4.(1)(a)]	Privacy protection for information and data	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, § 7.(b) ¶ 1(ii)]	Privacy protection for information and data	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Privacy protection for information and data	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)]	Privacy protection for information and data	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; § 7.(g) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)]	Privacy protection for information and data	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Privacy protection for information and data	Preventive
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for certain legitimate uses. § 4.(1)(b)]	Privacy protection for information and data	Preventive
Process traffic data in a controlled manner. CC ID 00130	Privacy protection for information and data	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to providepan> or style="background-color:#CBD0E5;" class="term_secondary-verb">issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be <span style="background-color:#CBD0E5;" class="term_secondary-verb">prescribed, where–– § 7.(b) ¶ 1]	Privacy protection for information and data	Preventive
Process personal data when it is publicly accessible. CC ID 00187	Privacy protection for information and data	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Privacy protection for information and data	Preventive
Process personal data for the purposes of employment. CC ID 16527 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i)]	Privacy protection for information and data	Preventive
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e)]	Privacy protection for information and data	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)]	Privacy protection for information and data	Preventive
Process personal data in order to advance the public interest. CC ID 00191 [The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)]	Privacy protection for information and data	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192	Privacy protection for information and data	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Privacy protection for information and data	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Privacy protection for information and data	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. § 7.(h) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)]	Privacy protection for information and data	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Privacy protection for information and data	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Privacy protection for information and data	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Privacy protection for information and data	Preventive
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed. § 9.(4)]	Privacy protection for information and data	Preventive
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Privacy protection for information and data	Preventive
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615	Privacy protection for information and data	Preventive
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Privacy protection for information and data	Preventive
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611	Privacy protection for information and data	Preventive
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580	Privacy protection for information and data	Preventive
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282	Privacy protection for information and data	Preventive
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587	Privacy protection for information and data	Preventive
Process personal data absent consent in order to perform a contract. CC ID 13586 [{requirement} {be outside} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; § 17.(1)(d)]	Privacy protection for information and data	Preventive
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Privacy protection for information and data	Preventive
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814	Privacy protection for information and data	Preventive
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294	Privacy protection for information and data	Preventive
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Privacy protection for information and data	Preventive
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b)]	Privacy protection for information and data	Preventive
Process personal data absent consent when it is needed by law. CC ID 13577 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data is necessary for enforcing any legal right or claim; § 17.(1)(a) {judicial function} {quasi-judicial function} {regulatory function} {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function; § 17.(1)(b) {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India; § 17.(1)(c) {timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)]	Privacy protection for information and data	Preventive
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296	Privacy protection for information and data	Preventive
Process personal data absent consent when it is from publicly available information. CC ID 13576	Privacy protection for information and data	Preventive
Process personal data absent consent to create a credit report. CC ID 15288	Privacy protection for information and data	Preventive
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575	Privacy protection for information and data	Preventive
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291	Privacy protection for information and data	Preventive
Process personal data absent consent when produced for business purposes. CC ID 13563	Privacy protection for information and data	Preventive
Process personal data absent consent for handling insurance claims. CC ID 13561	Privacy protection for information and data	Preventive
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and § 17.(1)(e)]	Privacy protection for information and data	Preventive
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Privacy protection for information and data	Preventive
Process personal data absent consent for life-threatening emergencies. CC ID 13558	Privacy protection for information and data	Preventive
Process personal data absent consent for reasonable investigative purposes. CC ID 13557	Privacy protection for information and data	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178	Privacy protection for information and data	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed. § 9.(1)]	Privacy protection for information and data	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Privacy protection for information and data	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435	Privacy protection for information and data	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Privacy protection for information and data	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Privacy protection for information and data	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Privacy protection for information and data	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Privacy protection for information and data	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Privacy protection for information and data	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Privacy protection for information and data	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Privacy protection for information and data	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453	Privacy protection for information and data	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Preventive
Use personal data for specified purposes. CC ID 11831 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a)]	Privacy protection for information and data	Preventive
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012	Privacy protection for information and data	Preventive
Provide explicit consent that is clear and unambiguous. CC ID 00181 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)]	Privacy protection for information and data	Preventive
Give special attention to collecting children's data. CC ID 00038 [A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child. § 9.(2)]	Privacy protection for information and data	Preventive
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Privacy protection for information and data	Preventive
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder. § 13.(1)]	Privacy protection for information and data	Preventive
Implement procedures to file privacy rights violation complaints. CC ID 00476	Privacy protection for information and data	Corrective
Change or destroy any personal data that is incorrect. CC ID 00462 [A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— correct the inaccurate or misleading personal data; § 12.(2)(a) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— complete the incomplete personal data; and § 12.(2)(b) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— update the personal data. § 12.(2)(c)]	Privacy protection for information and data	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Corrective
Notify individuals of their right to challenge personal data. CC ID 00457	Privacy protection for information and data	Preventive
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Privacy protection for information and data	Preventive
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Privacy protection for information and data	Preventive
Investigate the disputed accuracy of personal data. CC ID 00461	Privacy protection for information and data	Preventive
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475	Privacy protection for information and data	Corrective
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503	Privacy protection for information and data	Corrective
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Privacy protection for information and data	Preventive
Check the accuracy of restricted data. CC ID 00088 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2]	Privacy protection for information and data	Preventive
Check that restricted data is complete. CC ID 00090 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2]	Privacy protection for information and data	Preventive
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264	Third Party and supply chain oversight	Detective

Establish Roles

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign the audit to impartial auditors. CC ID 07118 [The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)]	Audits and risk management	Preventive
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151	Audits and risk management	Preventive
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Human Resources management	Preventive
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2]	Records management	Preventive
Include roles and responsibilities in the registration notice. CC ID 16803	Privacy protection for information and data	Preventive
Require data controllers to be accountable for their actions. CC ID 00470 [Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder. § 6.(10)]	Privacy protection for information and data	Preventive
Process restricted data lawfully and carefully. CC ID 00086 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— § 4.(1) The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data. § 7.(b) ¶ 2 {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)]	Privacy protection for information and data	Preventive

Establish/Maintain Documentation

294

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Preventive
Establish and maintain an Authority Document list. CC ID 07113	Leadership and high level objectives	Preventive
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— such other measures, consistent with the provisions of this Act, as may be prescribed. § 10.(2)(c)(iii)]	Leadership and high level objectives	Preventive
Establish, implement, and maintain a financial management program. CC ID 13228 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Leadership and high level objectives	Preventive
Establish, implement, and maintain funds transfer procedures. CC ID 16754	Leadership and high level objectives	Preventive
Include communication protocols in the financial management program. CC ID 16763	Leadership and high level objectives	Preventive
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717	Leadership and high level objectives	Preventive
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725	Leadership and high level objectives	Preventive
Establish, implement, and maintain financial resource management procedures. CC ID 16642	Leadership and high level objectives	Preventive
Document the rationale for the amount of financial resources being held. CC ID 16688	Leadership and high level objectives	Preventive
Establish, implement, and maintain collateral procedures. CC ID 16653	Leadership and high level objectives	Preventive
Include the use of appropriate models in the collateral procedures. CC ID 16687	Leadership and high level objectives	Preventive
Define the collateral requirements in the collateral procedures. CC ID 16686	Leadership and high level objectives	Preventive
Identify and document the financial resources available for use. CC ID 16643	Leadership and high level objectives	Preventive
Establish, implement, and maintain credit loss procedures. CC ID 16683	Leadership and high level objectives	Preventive
Include the allocation of credit losses in the credit loss procedures. CC ID 16684	Leadership and high level objectives	Preventive
Include fairness and equitability standards in the securities trading program. CC ID 16690	Leadership and high level objectives	Preventive
Include roles and responsibilities in the securities trading program. CC ID 16689	Leadership and high level objectives	Preventive
Establish, implement, and maintain a capital restoration plan. CC ID 16613	Leadership and high level objectives	Preventive
Include performance guarantees in the capital restoration plan. CC ID 16616	Leadership and high level objectives	Preventive
Include corrective actions taken in the capital restoration plan. CC ID 16612	Leadership and high level objectives	Preventive
Include required information in the capital restoration plan. CC ID 16609	Leadership and high level objectives	Preventive
Establish, implement, and maintain valuation procedures. CC ID 16634	Leadership and high level objectives	Preventive
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576	Leadership and high level objectives	Preventive
Establish, implement, and maintain lending policies. CC ID 16608	Leadership and high level objectives	Preventive
Include the requirements for risk assessments in the lending policy. CC ID 16730	Leadership and high level objectives	Preventive
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728	Leadership and high level objectives	Preventive
Include the requirements for feasibility studies in the lending policy. CC ID 16726	Leadership and high level objectives	Preventive
Include pricing structures in the lending policy. CC ID 16724	Leadership and high level objectives	Preventive
Include monitoring requirements in the lending policy. CC ID 16710	Leadership and high level objectives	Preventive
Include loan origination procedures in the lending policy. CC ID 16709	Leadership and high level objectives	Preventive
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708	Leadership and high level objectives	Preventive
Include loan requirements in the lending policy. CC ID 16706	Leadership and high level objectives	Preventive
Include appraisals and evaluations in the lending policy. CC ID 16705	Leadership and high level objectives	Preventive
Include terms and conditions in the lending policy. CC ID 16695	Leadership and high level objectives	Preventive
Include the scope and distribution of loans in the lending policy. CC ID 16693	Leadership and high level objectives	Preventive
Include geographic areas in the lending policy. CC ID 16691	Leadership and high level objectives	Preventive
Include underwriting guidelines in the lending policy. CC ID 16619	Leadership and high level objectives	Preventive
Include credit review in the underwriting guidelines. CC ID 16765	Leadership and high level objectives	Preventive
Include loan-to-value ratio limits in the lending policy. CC ID 16618	Leadership and high level objectives	Preventive
Include documentation requirements in the lending policy. CC ID 16617	Leadership and high level objectives	Preventive
Include the purpose of the loan in the loan documentation. CC ID 16747	Leadership and high level objectives	Preventive
Include the source of repayment in the loan documentation. CC ID 16746	Leadership and high level objectives	Preventive
Include approval requirements in the lending policy. CC ID 16615	Leadership and high level objectives	Preventive
Include reporting requirements in the lending policy. CC ID 16614	Leadership and high level objectives	Preventive
Include loan portfolio diversification standards in the lending policy. CC ID 16611	Leadership and high level objectives	Preventive
Include loan administration procedures in the lending policy. CC ID 16610	Leadership and high level objectives	Preventive
Include loan participation agreements in the loan administration procedures. CC ID 16745	Leadership and high level objectives	Preventive
Include termination procedures in the loan participation agreement. CC ID 16753	Leadership and high level objectives	Preventive
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752	Leadership and high level objectives	Preventive
Include servicing agreements in the loan administration procedures. CC ID 16744	Leadership and high level objectives	Preventive
Include claims processing in the loan administration procedures. CC ID 16742	Leadership and high level objectives	Preventive
Include forbearance management in the loan administration procedures. CC ID 16741	Leadership and high level objectives	Preventive
Include foreclosure management in the loan administration procedures. CC ID 16740	Leadership and high level objectives	Preventive
Include delinquency management in the loan administration procedures. CC ID 16739	Leadership and high level objectives	Preventive
Include the requirements for financial statements in the loan administration procedures. CC ID 16735	Leadership and high level objectives	Preventive
Include loan closing in the loan administration procedures. CC ID 16734	Leadership and high level objectives	Preventive
Include payoff statements in the loan administration procedures. CC ID 16733	Leadership and high level objectives	Preventive
Include payment processing in the loan administration procedures. CC ID 16732	Leadership and high level objectives	Preventive
Include loan reviews in the loan administration procedures. CC ID 16703	Leadership and high level objectives	Preventive
Include collections in the loan administration procedures. CC ID 16701	Leadership and high level objectives	Preventive
Include collateral inspections in the loan administration procedures. CC ID 16699	Leadership and high level objectives	Preventive
Include disbursements in the loan administration procedures. CC ID 16697	Leadership and high level objectives	Preventive
Establish, implement, and maintain a dividend policy. CC ID 16569	Leadership and high level objectives	Preventive
Include compliance requirements in the dividend policy. CC ID 16570	Leadership and high level objectives	Preventive
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564	Leadership and high level objectives	Preventive
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279	Leadership and high level objectives	Preventive
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764	Leadership and high level objectives	Preventive
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692	Leadership and high level objectives	Preventive
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591	Leadership and high level objectives	Preventive
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631	Leadership and high level objectives	Preventive
Establish, implement, and maintain securities transaction notifications. CC ID 16600	Leadership and high level objectives	Preventive
Include the call date in the securities transaction notification. CC ID 16680	Leadership and high level objectives	Preventive
Include service charges and commissions in the securities transaction notification. CC ID 16702	Leadership and high level objectives	Preventive
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679	Leadership and high level objectives	Preventive
Include the call price in the securities transaction notification. CC ID 16678	Leadership and high level objectives	Preventive
Include debits and credits in the securities transaction notification. CC ID 16677	Leadership and high level objectives	Preventive
Include transactions in the securities transaction notification. CC ID 16676	Leadership and high level objectives	Preventive
Include the credit rating of securities in the securities transaction notification. CC ID 16674	Leadership and high level objectives	Preventive
Include yield information in the securities transaction notification. CC ID 16673	Leadership and high level objectives	Preventive
Include redemption information in the securities transaction notification. CC ID 16672	Leadership and high level objectives	Preventive
Include the price calculated from the yield in the securities transaction notification. CC ID 16669	Leadership and high level objectives	Preventive
Include the type of call in the securities transaction notification. CC ID 16668	Leadership and high level objectives	Preventive
Include an account statement in the securities transaction notification. CC ID 16666	Leadership and high level objectives	Preventive
Include the yield to maturity in the securities transaction notification. CC ID 16665	Leadership and high level objectives	Preventive
Include the execution price in the securities transaction notification. CC ID 16664	Leadership and high level objectives	Preventive
Include the organization's role in the securities transaction notification. CC ID 16646	Leadership and high level objectives	Preventive
Include the name of the broker in the securities transaction notification. CC ID 16647	Leadership and high level objectives	Preventive
Include the name of the customer in the securities transaction notification. CC ID 16625	Leadership and high level objectives	Preventive
Include the organization's name in the securities transaction notification. CC ID 16624	Leadership and high level objectives	Preventive
Include confirmations in the securities transaction notification. CC ID 16623	Leadership and high level objectives	Preventive
Include remunerations in the securities transaction notification. CC ID 16622	Leadership and high level objectives	Preventive
Include requested information in the securities transaction notification. CC ID 16641	Leadership and high level objectives	Preventive
Include the execution date in the securities transaction notification. CC ID 16620	Leadership and high level objectives	Preventive
Establish, implement, and maintain financial reports. CC ID 14770	Leadership and high level objectives	Preventive
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776	Leadership and high level objectives	Preventive
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779	Leadership and high level objectives	Preventive
Include the business need justification for lost value in the financial report. CC ID 15588	Leadership and high level objectives	Preventive
Include financial statements in the financial report, as necessary. CC ID 14775	Leadership and high level objectives	Preventive
Include capital deductions and adjustments in the financial statement. CC ID 16667	Leadership and high level objectives	Preventive
Include earnings per share or loss per share in the financial statement. CC ID 16597	Leadership and high level objectives	Preventive
Include material contingencies in the financial statement. CC ID 16596	Leadership and high level objectives	Preventive
Include notes to financial statements in the financial report, as necessary. CC ID 14780	Leadership and high level objectives	Preventive
Include information on loans to small businesses and small farms in the call report. CC ID 16731	Leadership and high level objectives	Preventive
Include assets and liabilities in the call report. CC ID 16729	Leadership and high level objectives	Preventive
Establish, implement, and maintain an audit program. CC ID 00684	Audits and risk management	Preventive
Document any after the fact changes to the engagement file. CC ID 07002	Audits and risk management	Preventive
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179	Audits and risk management	Preventive
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180	Audits and risk management	Preventive
Edit the audit assertion for accuracy. CC ID 07030	Audits and risk management	Preventive
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982	Audits and risk management	Preventive
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996	Audits and risk management	Preventive
Establish, implement, and maintain interview procedures. CC ID 16282	Audits and risk management	Preventive
Establish and maintain work papers, as necessary. CC ID 13891	Audits and risk management	Preventive
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775	Audits and risk management	Preventive
Include audit irregularities in the work papers. CC ID 16774	Audits and risk management	Preventive
Include corrective actions in the work papers. CC ID 16771	Audits and risk management	Preventive
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770	Audits and risk management	Preventive
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768	Audits and risk management	Preventive
Include justification for departing from mandatory requirements in the work papers. CC ID 13935	Audits and risk management	Preventive
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998	Audits and risk management	Preventive
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190	Audits and risk management	Preventive
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026	Audits and risk management	Preventive
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997	Audits and risk management	Preventive
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000	Audits and risk management	Preventive
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999	Audits and risk management	Preventive
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Audits and risk management	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Audits and risk management	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Audits and risk management	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Audits and risk management	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Audits and risk management	Preventive
Establish, implement, and maintain a digital identity management program. CC ID 13713	Technical security	Preventive
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. § 6.(7) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder. § 14.(1)]	Technical security	Preventive
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802	Technical security	Preventive
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801	Technical security	Preventive
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800	Technical security	Preventive
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799	Technical security	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Preventive
Include technical safeguards in the information security program. CC ID 12374 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Operational management	Preventive
Establish, implement, and maintain operational control procedures. CC ID 00831 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Operational management	Preventive
Include assigning and approving operations in operational control procedures. CC ID 06382	Operational management	Preventive
Include startup processes in operational control procedures. CC ID 00833	Operational management	Preventive
Include change control processes in the operational control procedures. CC ID 16793	Operational management	Preventive
Establish and maintain a data processing run manual. CC ID 00832	Operational management	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Operational management	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Operational management	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Operational management	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Operational management	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Operational management	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Operational management	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Operational management	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Operational management	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Operational management	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Operational management	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Operational management	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Operational management	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Operational management	Corrective
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Operational management	Preventive
Establish and maintain a job schedule exceptions list. CC ID 00835	Operational management	Preventive
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Operational management	Preventive
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Operational management	Preventive
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. § 8.(1)]	Operational management	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Operational management	Preventive
Establish, implement, and maintain records management procedures. CC ID 11619	Records management	Preventive
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925	Records management	Preventive
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659	Records management	Preventive
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Privacy protection for information and data	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i)]	Privacy protection for information and data	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Privacy protection for information and data	Preventive
Define what is included in registration notices. CC ID 00386	Privacy protection for information and data	Preventive
Include the verification method in the registration notice. CC ID 16798	Privacy protection for information and data	Preventive
Include the statutory authority in the registration notice. CC ID 16799	Privacy protection for information and data	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Privacy protection for information and data	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Privacy protection for information and data	Preventive
Include information about the dispute resolution body in the registration notice. CC ID 16800	Privacy protection for information and data	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Privacy protection for information and data	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Privacy protection for information and data	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Privacy protection for information and data	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— any other information related to the personal data of such Data Principal and its processing, as may be prescribed. § 11.(1)(c) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; § 11.(1)(a)]	Privacy protection for information and data	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Privacy protection for information and data	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Privacy protection for information and data	Preventive
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Privacy protection for information and data	Preventive
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Privacy protection for information and data	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)]	Privacy protection for information and data	Preventive
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Privacy protection for information and data	Preventive
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Privacy protection for information and data	Preventive
Include the disclosure date in the disclosure accounting record. CC ID 07133	Privacy protection for information and data	Preventive
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Privacy protection for information and data	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Privacy protection for information and data	Preventive
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Privacy protection for information and data	Preventive
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Privacy protection for information and data	Preventive
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Privacy protection for information and data	Preventive
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Privacy protection for information and data	Preventive
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Privacy protection for information and data	Preventive
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy policy. CC ID 06281	Privacy protection for information and data	Preventive
Document privacy policies in clearly written and easily understood language. CC ID 00376	Privacy protection for information and data	Detective
Write privacy notices in the official languages required by law. CC ID 16529 [The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution. § 5.(3)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Preventive
Establish, implement, and maintain approval applications. CC ID 16778	Privacy protection for information and data	Preventive
Include required information in the approval application. CC ID 16628	Privacy protection for information and data	Preventive
Submit a safe harbor self-certification letter. CC ID 06871	Privacy protection for information and data	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. § 8.(2)]	Privacy protection for information and data	Preventive
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812	Privacy protection for information and data	Preventive
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685	Privacy protection for information and data	Preventive
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Privacy protection for information and data	Preventive
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938	Privacy protection for information and data	Preventive
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937	Privacy protection for information and data	Preventive
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936	Privacy protection for information and data	Preventive
Include the duration of processing in the Data Processing Contract. CC ID 14935	Privacy protection for information and data	Preventive
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Privacy protection for information and data	Preventive
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679	Privacy protection for information and data	Preventive
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678	Privacy protection for information and data	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676	Privacy protection for information and data	Preventive
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670	Privacy protection for information and data	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{not be served} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– exercise any of her rights in relation to such processing, § 8.(8) ¶ 1(b) {requirement} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– approach the Data Fiduciary for the performance of the specified purpose; and § 8.(8) ¶ 1(a)]	Privacy protection for information and data	Preventive
Document the law that requires restricted data to be collected. CC ID 00103	Privacy protection for information and data	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Privacy protection for information and data	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Privacy protection for information and data	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Privacy protection for information and data	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Privacy protection for information and data	Preventive
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Privacy protection for information and data	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414	Privacy protection for information and data	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)]	Privacy protection for information and data	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Privacy protection for information and data	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Privacy protection for information and data	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Privacy protection for information and data	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Privacy protection for information and data	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Privacy protection for information and data	Preventive
Define the exceptions to disclosure absent consent. CC ID 00135	Privacy protection for information and data	Preventive
Define how a data subject may give consent. CC ID 00160 [Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement. § 6.(2)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [{refrain from serving} A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and § 8.(7)(a)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Privacy protection for information and data	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Privacy protection for information and data	Preventive
Document each individual's personal data collection consent preferences. CC ID 06945	Privacy protection for information and data	Preventive
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Privacy protection for information and data	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Privacy protection for information and data	Preventive
File privacy rights violation complaints in writing. CC ID 00477	Privacy protection for information and data	Corrective
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360	Privacy protection for information and data	Corrective
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals. § 8.(10)]	Privacy protection for information and data	Preventive
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Privacy protection for information and data	Preventive
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Privacy protection for information and data	Preventive
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [{time requirement} The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries. § 13.(2)]	Privacy protection for information and data	Preventive
Document unresolved challenges. CC ID 13568	Privacy protection for information and data	Preventive
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Privacy protection for information and data	Preventive
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Privacy protection for information and data	Preventive
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954	Privacy protection for information and data	Preventive
Include the allegations against the organization in the notice of investigation. CC ID 13031	Privacy protection for information and data	Preventive
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495	Privacy protection for information and data	Corrective
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board. § 13.(3)]	Privacy protection for information and data	Detective
Define the organization's liability based on the applicable law. CC ID 00504	Privacy protection for information and data	Preventive
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Privacy protection for information and data	Preventive
Define the appeal process based on the applicable law. CC ID 00506 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)]	Privacy protection for information and data	Preventive
Provide notice of proposed penalties. CC ID 06216	Privacy protection for information and data	Preventive
Establish, implement, and maintain customer data authentication procedures. CC ID 13187	Privacy protection for information and data	Preventive
Establish, implement, and maintain a supply chain management program. CC ID 11742	Third Party and supply chain oversight	Preventive
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432	Third Party and supply chain oversight	Preventive

Human Resources Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include roles and responsibilities in the interview procedures. CC ID 16297	Audits and risk management	Preventive
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be based in India; § 10.(2)(a)(ii) {be responsible} The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and § 10.(2)(a)(iii) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— § 10.(2)(a) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— represent the Significant Data Fiduciary under the provisions of this Act; § 10.(2)(a)(i)]	Human Resources management	Preventive
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 [{act on behalf} The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. § 6.(8)]	Human Resources management	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Preventive
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be the point of contact for the grievance redressal mechanism under the provisions of this Act; § 10.(2)(a)(iv)]	Human Resources management	Preventive
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610	Privacy protection for information and data	Preventive
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686	Privacy protection for information and data	Preventive
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Privacy protection for information and data	Preventive

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Technical security CC ID 00508	Technical security	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Third Party and supply chain oversight CC ID 08807	Third Party and supply chain oversight	IT Impact Zone

Investigate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757	Leadership and high level objectives	Detective
Determine the amount of assets to be held in escrow. CC ID 16575	Leadership and high level objectives	Detective
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011	Audits and risk management	Detective
Audit information systems, as necessary. CC ID 13010	Audits and risk management	Detective
Audit the potential costs of compromise to information systems. CC ID 13012	Audits and risk management	Detective
Analyze requirements for processing personal data in contracts. CC ID 12550	Privacy protection for information and data	Detective

Log Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Detective

Monitor and Evaluate Occurrences

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitor the performance of the margin system. CC ID 16655	Leadership and high level objectives	Detective
Supervise interested personnel and affected parties participating in the audit. CC ID 07150	Audits and risk management	Preventive

Process or Activity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include ongoing monitoring in the financial management program. CC ID 16762	Leadership and high level objectives	Preventive
Employ tools to manage settlement and funding flows. CC ID 16743	Leadership and high level objectives	Preventive
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694	Leadership and high level objectives	Preventive
Analyze the effectiveness of the stress test plan. CC ID 16657	Leadership and high level objectives	Detective
Align the lending policy with the organization's risk acceptance level. CC ID 16716	Leadership and high level objectives	Preventive
Include customer due diligence in the loan administration procedures. CC ID 16736	Leadership and high level objectives	Preventive
Assess the properties of the margin model used in the margin system. CC ID 16658	Leadership and high level objectives	Detective
Analyze the performance of the margin system. CC ID 16654	Leadership and high level objectives	Detective
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977	Audits and risk management	Detective
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978	Audits and risk management	Detective
Review documentation to determine the effectiveness of in scope controls. CC ID 16522	Audits and risk management	Preventive
Coordinate the scheduling of interviews. CC ID 16293	Audits and risk management	Preventive
Create a schedule for the interviews. CC ID 16292	Audits and risk management	Preventive
Identify interviewees. CC ID 16290	Audits and risk management	Preventive
Discuss unsolved questions with the interviewee. CC ID 16298	Audits and risk management	Detective
Allow interviewee to respond to explanations. CC ID 16296	Audits and risk management	Detective
Explain the requirements being discussed to the interviewee. CC ID 16294	Audits and risk management	Detective
Explain the testing results to the interviewee. CC ID 16291	Audits and risk management	Preventive
Withdraw from the audit, when defined conditions exist. CC ID 13885	Audits and risk management	Corrective
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Audits and risk management	Preventive
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)]	Operational management	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Operational management	Preventive
Provide support for information sharing activities. CC ID 15644	Operational management	Preventive
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Operational management	Preventive
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Operational management	Preventive
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Operational management	Preventive
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Operational management	Preventive
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Operational management	Preventive
Analyze the organizational culture. CC ID 12899	Operational management	Preventive
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Operational management	Detective
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Operational management	Detective
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Operational management	Detective
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747	Operational management	Corrective
Sanitize user input in accordance with organizational standards. CC ID 16856	Records management	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602 [A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)]	Privacy protection for information and data	Preventive
Approve the approval application unless applicant has been convicted. CC ID 16603	Privacy protection for information and data	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)]	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Privacy protection for information and data	Preventive
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Preventive
Define the fee structure for the appeal process. CC ID 16532 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)]	Privacy protection for information and data	Preventive
Define the time requirements for the appeal process. CC ID 16531 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)]	Privacy protection for information and data	Preventive
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794	Third Party and supply chain oversight	Detective

Records Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038	Audits and risk management	Preventive
Include information sharing procedures in standard operating procedures. CC ID 12974	Operational management	Preventive
Compare each record's data input to its final form. CC ID 11813	Records management	Detective
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Preventive
Submit personal data removal requests in writing. CC ID 11973	Privacy protection for information and data	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Privacy protection for information and data	Corrective
Refrain from processing restricted data, as necessary. CC ID 12551	Privacy protection for information and data	Preventive
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Privacy protection for information and data	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3)]	Privacy protection for information and data	Preventive

Technical Security

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880	Privacy protection for information and data	Preventive
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Privacy protection for information and data	Preventive
Implement security measures to protect personal data. CC ID 13606 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)]	Privacy protection for information and data	Preventive

Testing

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750	Leadership and high level objectives	Preventive
Test the collateral requirements for appropriateness. CC ID 16681	Leadership and high level objectives	Preventive
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644	Leadership and high level objectives	Preventive
Include stress scenarios in the stress test plan. CC ID 16659	Leadership and high level objectives	Preventive
Perform stress testing in accordance with the stress test plan. CC ID 16652	Leadership and high level objectives	Preventive
Validate the margin system on a regular basis. CC ID 16660	Leadership and high level objectives	Detective
Conduct onsite inspections, as necessary. CC ID 16199	Audits and risk management	Preventive
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979	Audits and risk management	Detective
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983	Audits and risk management	Detective
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980	Audits and risk management	Detective
Document test plans for auditing in scope controls. CC ID 06985	Audits and risk management	Detective
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981	Audits and risk management	Detective
Determine the effectiveness of in scope controls. CC ID 06984	Audits and risk management	Detective
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990	Audits and risk management	Detective
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112	Audits and risk management	Preventive
Provide transactional walkthrough procedures for external auditors. CC ID 00672	Audits and risk management	Preventive
Conduct interviews, as necessary. CC ID 07188	Audits and risk management	Detective
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987	Audits and risk management	Detective
Investigate the nature and causes of identified in scope control deviations. CC ID 06986	Audits and risk management	Detective
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218	Privacy protection for information and data	Detective
Record restricted data correctly. CC ID 00089	Privacy protection for information and data	Detective
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)]	Third Party and supply chain oversight	Detective
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366	Third Party and supply chain oversight	Detective
Establish the third party's service continuity. CC ID 00797	Third Party and supply chain oversight	Detective
Determine the adequacy of a third party's alternate site preparations. CC ID 06879	Third Party and supply chain oversight	Detective
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087	Third Party and supply chain oversight	Detective

Common Controls and
mandates by Classification 84 Mandated Controls - bold
62 Implied Controls - italic 569 Implementation

Number of Controls

715 Total

Corrective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Withdraw from the audit, when defined conditions exist. CC ID 13885	Audits and risk management	Process or Activity
Update operating procedures that contribute to user errors. CC ID 06935	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747	Operational management	Process or Activity
Share incident information with interested personnel and affected parties. CC ID 01212	Operational management	Data and Information Management
Report data loss event information to breach notification organizations. CC ID 01210 [In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. § 8.(6)]	Operational management	Data and Information Management
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Behavior
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Privacy protection for information and data	Communicate
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Privacy protection for information and data	Records Management
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Privacy protection for information and data	Communicate
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Privacy protection for information and data	Communicate
Implement procedures to file privacy rights violation complaints. CC ID 00476	Privacy protection for information and data	Data and Information Management
File privacy rights violation complaints in writing. CC ID 00477	Privacy protection for information and data	Establish/Maintain Documentation
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360	Privacy protection for information and data	Establish/Maintain Documentation
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which the Data Principal may make a complaint to the Board, § 5.(2) ¶ 1(a)(iii) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which the Data Principal may make a complaint to the Board, § 5.(1) ¶ 1(iii)]	Privacy protection for information and data	Behavior
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479	Privacy protection for information and data	Behavior
Change or destroy any personal data that is incorrect. CC ID 00462 [A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— correct the inaccurate or misleading personal data; § 12.(2)(a) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— complete the incomplete personal data; and § 12.(2)(b) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— update the personal data. § 12.(2)(c)]	Privacy protection for information and data	Data and Information Management
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Behavior
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Data and Information Management
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Privacy protection for information and data	Behavior
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor. § 8.(7)(b)]	Privacy protection for information and data	Behavior
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475	Privacy protection for information and data	Data and Information Management
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364	Privacy protection for information and data	Business Processes
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513	Privacy protection for information and data	Communicate
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495	Privacy protection for information and data	Establish/Maintain Documentation
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496	Privacy protection for information and data	Behavior
Order the organization to change to be in compliance with applicable law. CC ID 00499	Privacy protection for information and data	Behavior
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500	Privacy protection for information and data	Behavior
Award damages based on applicable law. CC ID 00501	Privacy protection for information and data	Behavior
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503	Privacy protection for information and data	Data and Information Management

Detective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757	Leadership and high level objectives	Investigate
Verify all required information is attached to each funds transfer. CC ID 16755	Leadership and high level objectives	Business Processes
Analyze the effectiveness of the stress test plan. CC ID 16657	Leadership and high level objectives	Process or Activity
Validate the margin system on a regular basis. CC ID 16660	Leadership and high level objectives	Testing
Assess the properties of the margin model used in the margin system. CC ID 16658	Leadership and high level objectives	Process or Activity
Monitor the performance of the margin system. CC ID 16655	Leadership and high level objectives	Monitor and Evaluate Occurrences
Analyze the performance of the margin system. CC ID 16654	Leadership and high level objectives	Process or Activity
Determine the amount of assets to be held in escrow. CC ID 16575	Leadership and high level objectives	Investigate
Determine if requested services create a threat to independence. CC ID 16823	Audits and risk management	Audits and Risk Management
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946	Audits and risk management	Audits and Risk Management
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932	Audits and risk management	Audits and Risk Management
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011	Audits and risk management	Investigate
Audit information systems, as necessary. CC ID 13010	Audits and risk management	Investigate
Audit the potential costs of compromise to information systems. CC ID 13012	Audits and risk management	Investigate
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979	Audits and risk management	Testing
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983	Audits and risk management	Testing
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557	Audits and risk management	Audits and Risk Management
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977	Audits and risk management	Process or Activity
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980	Audits and risk management	Testing
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978	Audits and risk management	Process or Activity
Document test plans for auditing in scope controls. CC ID 06985	Audits and risk management	Testing
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981	Audits and risk management	Testing
Determine the effectiveness of in scope controls. CC ID 06984	Audits and risk management	Testing
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157	Audits and risk management	Audits and Risk Management
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156	Audits and risk management	Audits and Risk Management
Observe processes to determine the effectiveness of in scope controls. CC ID 12155	Audits and risk management	Audits and Risk Management
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154	Audits and risk management	Audits and Risk Management
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144	Audits and risk management	Audits and Risk Management
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556	Audits and risk management	Audits and Risk Management
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555	Audits and risk management	Audits and Risk Management
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990	Audits and risk management	Testing
Conduct interviews, as necessary. CC ID 07188	Audits and risk management	Testing
Verify statements made by interviewees are correct. CC ID 16299	Audits and risk management	Behavior
Discuss unsolved questions with the interviewee. CC ID 16298	Audits and risk management	Process or Activity
Allow interviewee to respond to explanations. CC ID 16296	Audits and risk management	Process or Activity
Explain the requirements being discussed to the interviewee. CC ID 16294	Audits and risk management	Process or Activity
Explain the goals of the interview to the interviewee. CC ID 07189	Audits and risk management	Behavior
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152	Audits and risk management	Audits and Risk Management
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987	Audits and risk management	Testing
Investigate the nature and causes of identified in scope control deviations. CC ID 06986	Audits and risk management	Testing
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Operational management	Process or Activity
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Operational management	Process or Activity
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Operational management	Process or Activity
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Log Management
Compare each record's data input to its final form. CC ID 11813	Records management	Records Management
Document privacy policies in clearly written and easily understood language. CC ID 00376	Privacy protection for information and data	Establish/Maintain Documentation
Analyze requirements for processing personal data in contracts. CC ID 12550	Privacy protection for information and data	Investigate
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Privacy protection for information and data	Data and Information Management
Investigate privacy rights violation complaints. CC ID 00480	Privacy protection for information and data	Behavior
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491	Privacy protection for information and data	Behavior
Investigate privacy rights violation complaints in private. CC ID 00492	Privacy protection for information and data	Behavior
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493	Privacy protection for information and data	Behavior
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494	Privacy protection for information and data	Behavior
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board. § 13.(3)]	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218	Privacy protection for information and data	Testing
Record restricted data correctly. CC ID 00089	Privacy protection for information and data	Testing
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794	Third Party and supply chain oversight	Process or Activity
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)]	Third Party and supply chain oversight	Testing
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366	Third Party and supply chain oversight	Testing
Establish the third party's service continuity. CC ID 00797	Third Party and supply chain oversight	Testing
Determine the adequacy of a third party's alternate site preparations. CC ID 06879	Third Party and supply chain oversight	Testing
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264	Third Party and supply chain oversight	Data and Information Management
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087	Third Party and supply chain oversight	Testing

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Technical security CC ID 00508	Technical security	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Third Party and supply chain oversight CC ID 08807	Third Party and supply chain oversight	IT Impact Zone

Preventive

615

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Establish/Maintain Documentation
Establish and maintain an Authority Document list. CC ID 07113	Leadership and high level objectives	Establish/Maintain Documentation
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— such other measures, consistent with the provisions of this Act, as may be prescribed. § 10.(2)(c)(iii)]	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a financial management program. CC ID 13228 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain funds transfer procedures. CC ID 16754	Leadership and high level objectives	Establish/Maintain Documentation
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761	Leadership and high level objectives	Communicate
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760	Leadership and high level objectives	Business Processes
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759	Leadership and high level objectives	Business Processes
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758	Leadership and high level objectives	Business Processes
Attach the required information to each funds transfer. CC ID 16756	Leadership and high level objectives	Business Processes
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738	Leadership and high level objectives	Business Processes
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750	Leadership and high level objectives	Testing
Include communication protocols in the financial management program. CC ID 16763	Leadership and high level objectives	Establish/Maintain Documentation
Include ongoing monitoring in the financial management program. CC ID 16762	Leadership and high level objectives	Process or Activity
Employ tools to manage settlement and funding flows. CC ID 16743	Leadership and high level objectives	Process or Activity
Refrain from setting up anonymous financial accounts. CC ID 16721	Leadership and high level objectives	Business Processes
Identify and maintain positions in financial accounts. CC ID 16751	Leadership and high level objectives	Business Processes
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717	Leadership and high level objectives	Establish/Maintain Documentation
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694	Leadership and high level objectives	Process or Activity
Establish, implement, and maintain financial resource management procedures. CC ID 16642	Leadership and high level objectives	Establish/Maintain Documentation
Document the rationale for the amount of financial resources being held. CC ID 16688	Leadership and high level objectives	Establish/Maintain Documentation
Supplement financial resources, as necessary. CC ID 16685	Leadership and high level objectives	Business Processes
Establish, implement, and maintain collateral procedures. CC ID 16653	Leadership and high level objectives	Establish/Maintain Documentation
Include the use of appropriate models in the collateral procedures. CC ID 16687	Leadership and high level objectives	Establish/Maintain Documentation
Define the collateral requirements in the collateral procedures. CC ID 16686	Leadership and high level objectives	Establish/Maintain Documentation
Test the collateral requirements for appropriateness. CC ID 16681	Leadership and high level objectives	Testing
Limit the types of assets accepted as collateral. CC ID 16602	Leadership and high level objectives	Business Processes
Avoid the use of concentrated holdings of assets. CC ID 16651	Leadership and high level objectives	Business Processes
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644	Leadership and high level objectives	Testing
Include stress scenarios in the stress test plan. CC ID 16659	Leadership and high level objectives	Testing
Perform stress testing in accordance with the stress test plan. CC ID 16652	Leadership and high level objectives	Testing
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630	Leadership and high level objectives	Communicate
Identify and document the financial resources available for use. CC ID 16643	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain credit loss procedures. CC ID 16683	Leadership and high level objectives	Establish/Maintain Documentation
Include the allocation of credit losses in the credit loss procedures. CC ID 16684	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a securities trading program. CC ID 16626	Leadership and high level objectives	Business Processes
Include fairness and equitability standards in the securities trading program. CC ID 16690	Leadership and high level objectives	Establish/Maintain Documentation
Include roles and responsibilities in the securities trading program. CC ID 16689	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a capital restoration plan. CC ID 16613	Leadership and high level objectives	Establish/Maintain Documentation
Include performance guarantees in the capital restoration plan. CC ID 16616	Leadership and high level objectives	Establish/Maintain Documentation
Include corrective actions taken in the capital restoration plan. CC ID 16612	Leadership and high level objectives	Establish/Maintain Documentation
Include required information in the capital restoration plan. CC ID 16609	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain valuation procedures. CC ID 16634	Leadership and high level objectives	Establish/Maintain Documentation
Include investment information in approval requests for investments. CC ID 16590	Leadership and high level objectives	Business Processes
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain lending policies. CC ID 16608	Leadership and high level objectives	Establish/Maintain Documentation
Align the lending policy with the organization's risk acceptance level. CC ID 16716	Leadership and high level objectives	Process or Activity
Include the requirements for risk assessments in the lending policy. CC ID 16730	Leadership and high level objectives	Establish/Maintain Documentation
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728	Leadership and high level objectives	Establish/Maintain Documentation
Include the requirements for feasibility studies in the lending policy. CC ID 16726	Leadership and high level objectives	Establish/Maintain Documentation
Include pricing structures in the lending policy. CC ID 16724	Leadership and high level objectives	Establish/Maintain Documentation
Include monitoring requirements in the lending policy. CC ID 16710	Leadership and high level objectives	Establish/Maintain Documentation
Include loan origination procedures in the lending policy. CC ID 16709	Leadership and high level objectives	Establish/Maintain Documentation
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708	Leadership and high level objectives	Establish/Maintain Documentation
Include loan requirements in the lending policy. CC ID 16706	Leadership and high level objectives	Establish/Maintain Documentation
Include appraisals and evaluations in the lending policy. CC ID 16705	Leadership and high level objectives	Establish/Maintain Documentation
Include terms and conditions in the lending policy. CC ID 16695	Leadership and high level objectives	Establish/Maintain Documentation
Include the scope and distribution of loans in the lending policy. CC ID 16693	Leadership and high level objectives	Establish/Maintain Documentation
Include geographic areas in the lending policy. CC ID 16691	Leadership and high level objectives	Establish/Maintain Documentation
Include underwriting guidelines in the lending policy. CC ID 16619	Leadership and high level objectives	Establish/Maintain Documentation
Include credit review in the underwriting guidelines. CC ID 16765	Leadership and high level objectives	Establish/Maintain Documentation
Include loan-to-value ratio limits in the lending policy. CC ID 16618	Leadership and high level objectives	Establish/Maintain Documentation
Include documentation requirements in the lending policy. CC ID 16617	Leadership and high level objectives	Establish/Maintain Documentation
Include the purpose of the loan in the loan documentation. CC ID 16747	Leadership and high level objectives	Establish/Maintain Documentation
Include the source of repayment in the loan documentation. CC ID 16746	Leadership and high level objectives	Establish/Maintain Documentation
Include approval requirements in the lending policy. CC ID 16615	Leadership and high level objectives	Establish/Maintain Documentation
Include reporting requirements in the lending policy. CC ID 16614	Leadership and high level objectives	Establish/Maintain Documentation
Include loan portfolio diversification standards in the lending policy. CC ID 16611	Leadership and high level objectives	Establish/Maintain Documentation
Include loan administration procedures in the lending policy. CC ID 16610	Leadership and high level objectives	Establish/Maintain Documentation
Include loan participation agreements in the loan administration procedures. CC ID 16745	Leadership and high level objectives	Establish/Maintain Documentation
Include termination procedures in the loan participation agreement. CC ID 16753	Leadership and high level objectives	Establish/Maintain Documentation
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752	Leadership and high level objectives	Establish/Maintain Documentation
Include servicing agreements in the loan administration procedures. CC ID 16744	Leadership and high level objectives	Establish/Maintain Documentation
Include claims processing in the loan administration procedures. CC ID 16742	Leadership and high level objectives	Establish/Maintain Documentation
Include forbearance management in the loan administration procedures. CC ID 16741	Leadership and high level objectives	Establish/Maintain Documentation
Include foreclosure management in the loan administration procedures. CC ID 16740	Leadership and high level objectives	Establish/Maintain Documentation
Include delinquency management in the loan administration procedures. CC ID 16739	Leadership and high level objectives	Establish/Maintain Documentation
Include customer due diligence in the loan administration procedures. CC ID 16736	Leadership and high level objectives	Process or Activity
Include the requirements for financial statements in the loan administration procedures. CC ID 16735	Leadership and high level objectives	Establish/Maintain Documentation
Include loan closing in the loan administration procedures. CC ID 16734	Leadership and high level objectives	Establish/Maintain Documentation
Include payoff statements in the loan administration procedures. CC ID 16733	Leadership and high level objectives	Establish/Maintain Documentation
Include payment processing in the loan administration procedures. CC ID 16732	Leadership and high level objectives	Establish/Maintain Documentation
Include loan reviews in the loan administration procedures. CC ID 16703	Leadership and high level objectives	Establish/Maintain Documentation
Include collections in the loan administration procedures. CC ID 16701	Leadership and high level objectives	Establish/Maintain Documentation
Include collateral inspections in the loan administration procedures. CC ID 16699	Leadership and high level objectives	Establish/Maintain Documentation
Include disbursements in the loan administration procedures. CC ID 16697	Leadership and high level objectives	Establish/Maintain Documentation
Review and approve lending policies. CC ID 16607	Leadership and high level objectives	Business Processes
Establish, implement, and maintain a dividend policy. CC ID 16569	Leadership and high level objectives	Establish/Maintain Documentation
Include compliance requirements in the dividend policy. CC ID 16570	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain margin systems. CC ID 16601	Leadership and high level objectives	Business Processes
Include valuation models in the margin system. CC ID 16663	Leadership and high level objectives	Data and Information Management
Include procedures for collecting price data in the margin system. CC ID 16662	Leadership and high level objectives	Data and Information Management
Include reliable sources for price data in the margin system. CC ID 16661	Leadership and high level objectives	Data and Information Management
Establish, implement, and maintain capital adequacy measures. CC ID 16568	Leadership and high level objectives	Business Processes
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565	Leadership and high level objectives	Communicate
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279	Leadership and high level objectives	Establish/Maintain Documentation
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764	Leadership and high level objectives	Establish/Maintain Documentation
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692	Leadership and high level objectives	Establish/Maintain Documentation
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631	Leadership and high level objectives	Establish/Maintain Documentation
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640	Leadership and high level objectives	Data and Information Management
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650	Leadership and high level objectives	Data and Information Management
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639	Leadership and high level objectives	Data and Information Management
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645	Leadership and high level objectives	Data and Information Management
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638	Leadership and high level objectives	Data and Information Management
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637	Leadership and high level objectives	Data and Information Management
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636	Leadership and high level objectives	Data and Information Management
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635	Leadership and high level objectives	Data and Information Management
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633	Leadership and high level objectives	Data and Information Management
Include account information In the recordkeeping system for securities transactions. CC ID 16632	Leadership and high level objectives	Data and Information Management
Establish, implement, and maintain securities transaction notifications. CC ID 16600	Leadership and high level objectives	Establish/Maintain Documentation
Include the call date in the securities transaction notification. CC ID 16680	Leadership and high level objectives	Establish/Maintain Documentation
Include service charges and commissions in the securities transaction notification. CC ID 16702	Leadership and high level objectives	Establish/Maintain Documentation
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679	Leadership and high level objectives	Establish/Maintain Documentation
Include the call price in the securities transaction notification. CC ID 16678	Leadership and high level objectives	Establish/Maintain Documentation
Include debits and credits in the securities transaction notification. CC ID 16677	Leadership and high level objectives	Establish/Maintain Documentation
Include transactions in the securities transaction notification. CC ID 16676	Leadership and high level objectives	Establish/Maintain Documentation
Include the credit rating of securities in the securities transaction notification. CC ID 16674	Leadership and high level objectives	Establish/Maintain Documentation
Include yield information in the securities transaction notification. CC ID 16673	Leadership and high level objectives	Establish/Maintain Documentation
Include redemption information in the securities transaction notification. CC ID 16672	Leadership and high level objectives	Establish/Maintain Documentation
Include the price calculated from the yield in the securities transaction notification. CC ID 16669	Leadership and high level objectives	Establish/Maintain Documentation
Include the type of call in the securities transaction notification. CC ID 16668	Leadership and high level objectives	Establish/Maintain Documentation
Include an account statement in the securities transaction notification. CC ID 16666	Leadership and high level objectives	Establish/Maintain Documentation
Include the yield to maturity in the securities transaction notification. CC ID 16665	Leadership and high level objectives	Establish/Maintain Documentation
Include the execution price in the securities transaction notification. CC ID 16664	Leadership and high level objectives	Establish/Maintain Documentation
Include the organization's role in the securities transaction notification. CC ID 16646	Leadership and high level objectives	Establish/Maintain Documentation
Include the name of the broker in the securities transaction notification. CC ID 16647	Leadership and high level objectives	Establish/Maintain Documentation
Include the name of the customer in the securities transaction notification. CC ID 16625	Leadership and high level objectives	Establish/Maintain Documentation
Include the organization's name in the securities transaction notification. CC ID 16624	Leadership and high level objectives	Establish/Maintain Documentation
Include confirmations in the securities transaction notification. CC ID 16623	Leadership and high level objectives	Establish/Maintain Documentation
Include remunerations in the securities transaction notification. CC ID 16622	Leadership and high level objectives	Establish/Maintain Documentation
Include requested information in the securities transaction notification. CC ID 16641	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621	Leadership and high level objectives	Communicate
Include the execution date in the securities transaction notification. CC ID 16620	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain financial reports. CC ID 14770	Leadership and high level objectives	Establish/Maintain Documentation
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776	Leadership and high level objectives	Establish/Maintain Documentation
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779	Leadership and high level objectives	Establish/Maintain Documentation
Include the business need justification for lost value in the financial report. CC ID 15588	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342	Leadership and high level objectives	Communicate
Include financial statements in the financial report, as necessary. CC ID 14775	Leadership and high level objectives	Establish/Maintain Documentation
Include capital deductions and adjustments in the financial statement. CC ID 16667	Leadership and high level objectives	Establish/Maintain Documentation
Include earnings per share or loss per share in the financial statement. CC ID 16597	Leadership and high level objectives	Establish/Maintain Documentation
Include material contingencies in the financial statement. CC ID 16596	Leadership and high level objectives	Establish/Maintain Documentation
Include notes to financial statements in the financial report, as necessary. CC ID 14780	Leadership and high level objectives	Establish/Maintain Documentation
Include information on loans to small businesses and small farms in the call report. CC ID 16731	Leadership and high level objectives	Establish/Maintain Documentation
Include assets and liabilities in the call report. CC ID 16729	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727	Leadership and high level objectives	Communicate
Establish, implement, and maintain an audit program. CC ID 00684	Audits and risk management	Establish/Maintain Documentation
Assign the audit to impartial auditors. CC ID 07118 [The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)]	Audits and risk management	Establish Roles
Define what constitutes a threat to independence. CC ID 16824	Audits and risk management	Audits and Risk Management
Accept the attestation engagement when all preconditions are met. CC ID 13933	Audits and risk management	Business Processes
Audit in scope audit items and compliance documents. CC ID 06730 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic audit; and § 10.(2)(c)(ii) The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)]	Audits and risk management	Audits and Risk Management
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001	Audits and risk management	Actionable Reports or Measurements
Document any after the fact changes to the engagement file. CC ID 07002	Audits and risk management	Establish/Maintain Documentation
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179	Audits and risk management	Establish/Maintain Documentation
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180	Audits and risk management	Establish/Maintain Documentation
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038	Audits and risk management	Records Management
Conduct onsite inspections, as necessary. CC ID 16199	Audits and risk management	Testing
Audit policies, standards, and procedures. CC ID 12927	Audits and risk management	Audits and Risk Management
Edit the audit assertion for accuracy. CC ID 07030	Audits and risk management	Establish/Maintain Documentation
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982	Audits and risk management	Establish/Maintain Documentation
Review documentation to determine the effectiveness of in scope controls. CC ID 16522	Audits and risk management	Process or Activity
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996	Audits and risk management	Establish/Maintain Documentation
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112	Audits and risk management	Testing
Implement procedures that collect sufficient audit evidence. CC ID 07153	Audits and risk management	Audits and Risk Management
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154	Audits and risk management	Audits and Risk Management
Collect audit evidence sufficient to avoid misstatements. CC ID 07155	Audits and risk management	Audits and Risk Management
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156	Audits and risk management	Audits and Risk Management
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157	Audits and risk management	Audits and Risk Management
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847	Audits and risk management	Communicate
Provide transactional walkthrough procedures for external auditors. CC ID 00672	Audits and risk management	Testing
Establish, implement, and maintain interview procedures. CC ID 16282	Audits and risk management	Establish/Maintain Documentation
Include roles and responsibilities in the interview procedures. CC ID 16297	Audits and risk management	Human Resources Management
Coordinate the scheduling of interviews. CC ID 16293	Audits and risk management	Process or Activity
Create a schedule for the interviews. CC ID 16292	Audits and risk management	Process or Activity
Identify interviewees. CC ID 16290	Audits and risk management	Process or Activity
Explain the testing results to the interviewee. CC ID 16291	Audits and risk management	Process or Activity
Establish and maintain work papers, as necessary. CC ID 13891	Audits and risk management	Establish/Maintain Documentation
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775	Audits and risk management	Establish/Maintain Documentation
Include audit irregularities in the work papers. CC ID 16774	Audits and risk management	Establish/Maintain Documentation
Include corrective actions in the work papers. CC ID 16771	Audits and risk management	Establish/Maintain Documentation
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770	Audits and risk management	Establish/Maintain Documentation
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768	Audits and risk management	Establish/Maintain Documentation
Include justification for departing from mandatory requirements in the work papers. CC ID 13935	Audits and risk management	Establish/Maintain Documentation
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518	Audits and risk management	Audits and Risk Management
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998	Audits and risk management	Establish/Maintain Documentation
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190	Audits and risk management	Establish/Maintain Documentation
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026	Audits and risk management	Establish/Maintain Documentation
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997	Audits and risk management	Establish/Maintain Documentation
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177	Audits and risk management	Audits and Risk Management
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000	Audits and risk management	Establish/Maintain Documentation
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999	Audits and risk management	Establish/Maintain Documentation
Supervise interested personnel and affected parties participating in the audit. CC ID 07150	Audits and risk management	Monitor and Evaluate Occurrences
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151	Audits and risk management	Establish Roles
Respond to questions or clarification requests regarding the audit. CC ID 08902	Audits and risk management	Business Processes
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Audits and risk management	Process or Activity
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Audits and risk management	Establish/Maintain Documentation
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Audits and risk management	Establish/Maintain Documentation
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Audits and risk management	Communicate
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Audits and risk management	Establish/Maintain Documentation
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Establish/Maintain Documentation
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)]	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a digital identity management program. CC ID 13713	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. § 6.(7) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder. § 14.(1)]	Technical security	Establish/Maintain Documentation
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802	Technical security	Establish/Maintain Documentation
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801	Technical security	Establish/Maintain Documentation
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800	Technical security	Establish/Maintain Documentation
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Human Resources management	Establish Roles
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be based in India; § 10.(2)(a)(ii) {be responsible} The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and § 10.(2)(a)(iii) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— § 10.(2)(a) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— represent the Significant Data Fiduciary under the provisions of this Act; § 10.(2)(a)(i)]	Human Resources management	Human Resources Management
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 [{act on behalf} The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. § 6.(8)]	Human Resources management	Human Resources Management
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Human Resources Management
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be the point of contact for the grievance redressal mechanism under the provisions of this Act; § 10.(2)(a)(iv)]	Human Resources management	Human Resources Management
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Establish/Maintain Documentation
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)]	Operational management	Process or Activity
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Establish/Maintain Documentation
Include technical safeguards in the information security program. CC ID 12374 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain operational control procedures. CC ID 00831 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Operational management	Establish/Maintain Documentation
Include assigning and approving operations in operational control procedures. CC ID 06382	Operational management	Establish/Maintain Documentation
Include startup processes in operational control procedures. CC ID 00833	Operational management	Establish/Maintain Documentation
Include change control processes in the operational control procedures. CC ID 16793	Operational management	Establish/Maintain Documentation
Establish and maintain a data processing run manual. CC ID 00832	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Establish/Maintain Documentation
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Operational management	Process or Activity
Include metrics in the standard operating procedures manual. CC ID 14988	Operational management	Establish/Maintain Documentation
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Operational management	Establish/Maintain Documentation
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Operational management	Establish/Maintain Documentation
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Operational management	Establish/Maintain Documentation
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Operational management	Establish/Maintain Documentation
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Operational management	Establish/Maintain Documentation
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Operational management	Establish/Maintain Documentation
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Operational management	Establish/Maintain Documentation
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Operational management	Establish/Maintain Documentation
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Operational management	Establish/Maintain Documentation
Include information on system performance in the standard operating procedures manual. CC ID 14965	Operational management	Establish/Maintain Documentation
Include contact details in the standard operating procedures manual. CC ID 14962	Operational management	Establish/Maintain Documentation
Include information sharing procedures in standard operating procedures. CC ID 12974	Operational management	Records Management
Establish, implement, and maintain information sharing agreements. CC ID 15645	Operational management	Business Processes
Provide support for information sharing activities. CC ID 15644	Operational management	Process or Activity
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Operational management	Business Processes
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Operational management	Communicate
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Operational management	Establish/Maintain Documentation
Establish and maintain a job schedule exceptions list. CC ID 00835	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Operational management	Establish/Maintain Documentation
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)]	Operational management	Business Processes
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Operational management	Process or Activity
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Operational management	Process or Activity
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Operational management	Process or Activity
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Operational management	Process or Activity
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Operational management	Process or Activity
Analyze the organizational culture. CC ID 12899	Operational management	Process or Activity
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Operational management	Behavior
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Operational management	Business Processes
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Operational management	Business Processes
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Operational management	Business Processes
Include skill development in the analysis of the organizational culture. CC ID 12913	Operational management	Behavior
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Operational management	Behavior
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Operational management	Business Processes
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Operational management	Behavior
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Operational management	Behavior
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. § 8.(1)]	Operational management	Establish/Maintain Documentation
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Operational management	Communicate
Review systems for compliance with organizational information security policies. CC ID 12004	Operational management	Business Processes
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815	Operational management	Behavior
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Business Processes
Include detection procedures in the Incident Management program. CC ID 00588	Operational management	Establish/Maintain Documentation
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Communicate
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Communicate
Establish, implement, and maintain records management procedures. CC ID 11619	Records management	Establish/Maintain Documentation
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2]	Records management	Establish Roles
Sanitize user input in accordance with organizational standards. CC ID 16856	Records management	Process or Activity
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924	Records management	Data and Information Management
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925	Records management	Establish/Maintain Documentation
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659	Records management	Establish/Maintain Documentation
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Data and Information Management
Establish and maintain privacy notices, as necessary. CC ID 13443	Privacy protection for information and data	Establish/Maintain Documentation
Include the personal data collection categories in the privacy notice. CC ID 13457 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i)]	Privacy protection for information and data	Establish/Maintain Documentation
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– § 5.(2) ¶ 1(a) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— § 5.(1) ¶ 1]	Privacy protection for information and data	Communicate
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Privacy protection for information and data	Establish/Maintain Documentation
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Privacy protection for information and data	Communicate
Notify data subjects about their privacy rights. CC ID 12989 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(1) ¶ 1(ii) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(2) ¶ 1(a)(ii)]	Privacy protection for information and data	Communicate
Establish, implement, and maintain adequate openness procedures. CC ID 00377	Privacy protection for information and data	Data and Information Management
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)]	Privacy protection for information and data	Behavior
Define what is included in registration notices. CC ID 00386	Privacy protection for information and data	Establish/Maintain Documentation
Include roles and responsibilities in the registration notice. CC ID 16803	Privacy protection for information and data	Establish Roles
Include the verification method in the registration notice. CC ID 16798	Privacy protection for information and data	Establish/Maintain Documentation
Include the statutory authority in the registration notice. CC ID 16799	Privacy protection for information and data	Establish/Maintain Documentation
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Privacy protection for information and data	Establish/Maintain Documentation
Include a purpose specification description in the registration notice. CC ID 00388	Privacy protection for information and data	Establish/Maintain Documentation
Include information about the dispute resolution body in the registration notice. CC ID 16800	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject category being processed in the registration notice. CC ID 00389	Privacy protection for information and data	Establish/Maintain Documentation
Include the time period for data processing in the registration notice. CC ID 00390	Privacy protection for information and data	Establish/Maintain Documentation
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from providing information to the data subject, as necessary. CC ID 12625 [{shall not apply} {requirement} {Data Principal} {furnish} {information} Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences. § 11.(2)]	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Privacy protection for information and data	Communicate
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Privacy protection for information and data	Communicate
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396	Privacy protection for information and data	Data and Information Management
Provide the data subject with the data protection officer's contact information. CC ID 12573 [A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. § 8.(9) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)]	Privacy protection for information and data	Business Processes
Provide the data subject with information about the right to erasure. CC ID 12602 [A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)]	Privacy protection for information and data	Process or Activity
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— any other information related to the personal data of such Data Principal and its processing, as may be prescribed. § 11.(1)(c) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; § 11.(1)(a)]	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)]	Privacy protection for information and data	Data and Information Management
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Privacy protection for information and data	Establish/Maintain Documentation
Establish and maintain a disclosure accounting record. CC ID 13022	Privacy protection for information and data	Establish/Maintain Documentation
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Privacy protection for information and data	Establish/Maintain Documentation
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Privacy protection for information and data	Establish/Maintain Documentation
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Privacy protection for information and data	Establish/Maintain Documentation
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure date in the disclosure accounting record. CC ID 07133	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Privacy protection for information and data	Establish/Maintain Documentation
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Privacy protection for information and data	Establish/Maintain Documentation
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Privacy protection for information and data	Establish/Maintain Documentation
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Privacy protection for information and data	Establish/Maintain Documentation
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Privacy protection for information and data	Establish/Maintain Documentation
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Privacy protection for information and data	Establish/Maintain Documentation
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860	Privacy protection for information and data	Data and Information Management
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Privacy protection for information and data	Communicate
Establish, implement, and maintain a privacy policy. CC ID 06281	Privacy protection for information and data	Establish/Maintain Documentation
Write privacy notices in the official languages required by law. CC ID 16529 [The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution. § 5.(3)]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Privacy protection for information and data	Establish/Maintain Documentation
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent. § 5.(2)(b)]	Privacy protection for information and data	Data and Information Management
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Privacy protection for information and data	Business Processes
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Privacy protection for information and data	Business Processes
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880	Privacy protection for information and data	Technical Security
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)]	Privacy protection for information and data	Business Processes
Allow consent requests to be provided in any official languages. CC ID 16530 [Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)]	Privacy protection for information and data	Business Processes
Give individuals the ability to change the uses of their personal data. CC ID 00469 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)]	Privacy protection for information and data	Data and Information Management
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Establish/Maintain Documentation
Require data controllers to be accountable for their actions. CC ID 00470 [Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder. § 6.(10)]	Privacy protection for information and data	Establish Roles
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610	Privacy protection for information and data	Human Resources Management
Notify the supervisory authority. CC ID 00472	Privacy protection for information and data	Behavior
Establish, implement, and maintain approval applications. CC ID 16778	Privacy protection for information and data	Establish/Maintain Documentation
Define the requirements for approving or denying approval applications. CC ID 16780	Privacy protection for information and data	Business Processes
Submit approval applications to the supervisory authority. CC ID 16627	Privacy protection for information and data	Communicate
Include required information in the approval application. CC ID 16628	Privacy protection for information and data	Establish/Maintain Documentation
Extend the time limit for approving or denying approval applications. CC ID 16779	Privacy protection for information and data	Business Processes
Approve the approval application unless applicant has been convicted. CC ID 16603	Privacy protection for information and data	Process or Activity
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606	Privacy protection for information and data	Process or Activity
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Privacy protection for information and data	Communicate
Cooperate with Data Protection Authorities. CC ID 06870	Privacy protection for information and data	Data and Information Management
Submit a safe harbor self-certification letter. CC ID 06871	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. § 8.(2)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812	Privacy protection for information and data	Establish/Maintain Documentation
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Privacy protection for information and data	Establish/Maintain Documentation
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938	Privacy protection for information and data	Establish/Maintain Documentation
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936	Privacy protection for information and data	Establish/Maintain Documentation
Include the duration of processing in the Data Processing Contract. CC ID 14935	Privacy protection for information and data	Establish/Maintain Documentation
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686	Privacy protection for information and data	Human Resources Management
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{not be served} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– exercise any of her rights in relation to such processing, § 8.(8) ¶ 1(b) {requirement} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– approach the Data Fiduciary for the performance of the specified purpose; and § 8.(8) ¶ 1(a)]	Privacy protection for information and data	Establish/Maintain Documentation
Display or print the least amount of personal data necessary. CC ID 04643	Privacy protection for information and data	Data and Information Management
Redact confidential information from public information, as necessary. CC ID 06872	Privacy protection for information and data	Data and Information Management
Notify the data subject of the collection purpose. CC ID 00095	Privacy protection for information and data	Behavior
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Privacy protection for information and data	Data and Information Management
Document the law that requires restricted data to be collected. CC ID 00103	Privacy protection for information and data	Establish/Maintain Documentation
Notify the data subject of the consequences for not providing personal data. CC ID 00104 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)]	Privacy protection for information and data	Behavior
Notify the data subject of changes to personal data use. CC ID 00105	Privacy protection for information and data	Behavior
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Privacy protection for information and data	Establish/Maintain Documentation
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Privacy protection for information and data	Behavior
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Privacy protection for information and data	Establish/Maintain Documentation
Dispose of media and restricted data in a timely manner. CC ID 00125	Privacy protection for information and data	Data and Information Management
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Records Management
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Communicate
Establish, implement, and maintain data access procedures. CC ID 00414	Privacy protection for information and data	Establish/Maintain Documentation
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)]	Privacy protection for information and data	Establish/Maintain Documentation
Submit personal data removal requests in writing. CC ID 11973	Privacy protection for information and data	Records Management
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from processing restricted data, as necessary. CC ID 12551	Privacy protection for information and data	Records Management
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)]	Privacy protection for information and data	Process or Activity
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)]	Privacy protection for information and data	Data and Information Management
Process restricted data lawfully and carefully. CC ID 00086 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— § 4.(1) The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data. § 7.(b) ¶ 2 {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)]	Privacy protection for information and data	Establish Roles
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Privacy protection for information and data	Technical Security
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Data and Information Management
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Privacy protection for information and data	Records Management
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Privacy protection for information and data	Data and Information Management
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Privacy protection for information and data	Records Management
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Privacy protection for information and data	Process or Activity
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Privacy protection for information and data	Records Management
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Privacy protection for information and data	Data and Information Management
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Privacy protection for information and data	Establish/Maintain Documentation
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Privacy protection for information and data	Data and Information Management
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Privacy protection for information and data	Establish/Maintain Documentation
Define and implement valid authorization control requirements. CC ID 06258	Privacy protection for information and data	Establish/Maintain Documentation
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Privacy protection for information and data	Data and Information Management
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Privacy protection for information and data	Data and Information Management
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Privacy protection for information and data	Data and Information Management
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or § 7.(b) ¶ 1(i) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for which the Data Principal has given her consent; or § 4.(1)(a)]	Privacy protection for information and data	Data and Information Management
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, § 7.(b) ¶ 1(ii)]	Privacy protection for information and data	Data and Information Management
Process personal data relating to criminal offenses when required by law. CC ID 00237	Privacy protection for information and data	Data and Information Management
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)]	Privacy protection for information and data	Data and Information Management
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; § 7.(g) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)]	Privacy protection for information and data	Data and Information Management
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Privacy protection for information and data	Data and Information Management
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for certain legitimate uses. § 4.(1)(b)]	Privacy protection for information and data	Data and Information Management
Process traffic data in a controlled manner. CC ID 00130	Privacy protection for information and data	Data and Information Management
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to providepan> or style="background-color:#CBD0E5;" class="term_secondary-verb">issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be <span style="background-color:#CBD0E5;" class="term_secondary-verb">prescribed, where–– § 7.(b) ¶ 1]	Privacy protection for information and data	Data and Information Management
Process personal data when it is publicly accessible. CC ID 00187	Privacy protection for information and data	Data and Information Management
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)]	Privacy protection for information and data	Business Processes
Process personal data for the purposes of employment. CC ID 16527 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i)]	Privacy protection for information and data	Data and Information Management
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e)]	Privacy protection for information and data	Data and Information Management
Process personal data for debt collection or benefit payments. CC ID 00190 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)]	Privacy protection for information and data	Data and Information Management
Process personal data in order to advance the public interest. CC ID 00191 [The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)]	Privacy protection for information and data	Data and Information Management
Process personal data for surveys, archives, or scientific research. CC ID 00192	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Privacy protection for information and data	Data and Information Management
Process personal data for academic purposes or religious purposes. CC ID 00194	Privacy protection for information and data	Data and Information Management
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. § 7.(h) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)]	Privacy protection for information and data	Data and Information Management
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Privacy protection for information and data	Data and Information Management
Follow legal obligations while processing personal data. CC ID 04794	Privacy protection for information and data	Data and Information Management
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed. § 9.(4)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012	Privacy protection for information and data	Process or Activity
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Privacy protection for information and data	Data and Information Management
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587	Privacy protection for information and data	Data and Information Management
Process personal data absent consent in order to perform a contract. CC ID 13586 [{requirement} {be outside} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; § 17.(1)(d)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814	Privacy protection for information and data	Data and Information Management
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is needed by law. CC ID 13577 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data is necessary for enforcing any legal right or claim; § 17.(1)(a) {judicial function} {quasi-judicial function} {regulatory function} {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function; § 17.(1)(b) {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India; § 17.(1)(c) {timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)]	Privacy protection for information and data	Data and Information Management
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is from publicly available information. CC ID 13576	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to create a credit report. CC ID 15288	Privacy protection for information and data	Data and Information Management
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when produced for business purposes. CC ID 13563	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for handling insurance claims. CC ID 13561	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and § 17.(1)(e)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for life-threatening emergencies. CC ID 13558	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for reasonable investigative purposes. CC ID 13557	Privacy protection for information and data	Data and Information Management
Define the exceptions to disclosure absent consent. CC ID 00135	Privacy protection for information and data	Establish/Maintain Documentation
Define how a data subject may give consent. CC ID 00160 [Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement. § 6.(2)]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [{refrain from serving} A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and § 8.(7)(a)]	Privacy protection for information and data	Establish/Maintain Documentation
Capture personal data removal requests. CC ID 13507	Privacy protection for information and data	Communicate
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3)]	Privacy protection for information and data	Records Management
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Privacy protection for information and data	Process or Activity
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178	Privacy protection for information and data	Data and Information Management
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed. § 9.(1)]	Privacy protection for information and data	Data and Information Management
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)]	Privacy protection for information and data	Establish/Maintain Documentation
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435	Privacy protection for information and data	Data and Information Management
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Privacy protection for information and data	Data and Information Management
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Data and Information Management
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Process or Activity
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Data and Information Management
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Data and Information Management
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Privacy protection for information and data	Data and Information Management
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Privacy protection for information and data	Data and Information Management
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Data and Information Management
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Privacy protection for information and data	Data and Information Management
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453	Privacy protection for information and data	Data and Information Management
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Communicate
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Data and Information Management
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Process or Activity
Establish, implement, and maintain a personal data collection program. CC ID 06487	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use policy. CC ID 00076	Privacy protection for information and data	Establish/Maintain Documentation
Use personal data for specified purposes. CC ID 11831 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a)]	Privacy protection for information and data	Data and Information Management
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012	Privacy protection for information and data	Data and Information Management
Document each individual's personal data collection consent preferences. CC ID 06945	Privacy protection for information and data	Establish/Maintain Documentation
Provide explicit consent that is clear and unambiguous. CC ID 00181 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)]	Privacy protection for information and data	Data and Information Management
Give special attention to collecting children's data. CC ID 00038 [A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child. § 9.(2)]	Privacy protection for information and data	Data and Information Management
Use simple understandable language to collect information from children. CC ID 00039	Privacy protection for information and data	Behavior
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Privacy protection for information and data	Establish/Maintain Documentation
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Privacy protection for information and data	Establish/Maintain Documentation
Implement security measures to protect personal data. CC ID 13606 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)]	Privacy protection for information and data	Technical Security
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder. § 13.(1)]	Privacy protection for information and data	Data and Information Management
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852	Privacy protection for information and data	Behavior
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807	Privacy protection for information and data	Business Processes
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals. § 8.(10)]	Privacy protection for information and data	Establish/Maintain Documentation
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Privacy protection for information and data	Establish/Maintain Documentation
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [{time requirement} The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries. § 13.(2)]	Privacy protection for information and data	Establish/Maintain Documentation
Document unresolved challenges. CC ID 13568	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Privacy protection for information and data	Establish/Maintain Documentation
Notify individuals of their right to challenge personal data. CC ID 00457	Privacy protection for information and data	Data and Information Management
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Privacy protection for information and data	Data and Information Management
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Privacy protection for information and data	Configuration
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Privacy protection for information and data	Human Resources Management
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Privacy protection for information and data	Data and Information Management
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861	Privacy protection for information and data	Communicate
Investigate the disputed accuracy of personal data. CC ID 00461	Privacy protection for information and data	Data and Information Management
Notify third parties of unresolved challenges. CC ID 13559	Privacy protection for information and data	Communicate
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Privacy protection for information and data	Establish/Maintain Documentation
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954	Privacy protection for information and data	Establish/Maintain Documentation
Include the allegations against the organization in the notice of investigation. CC ID 13031	Privacy protection for information and data	Establish/Maintain Documentation
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481	Privacy protection for information and data	Behavior
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482	Privacy protection for information and data	Behavior
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483	Privacy protection for information and data	Behavior
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484	Privacy protection for information and data	Behavior
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485	Privacy protection for information and data	Behavior
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486	Privacy protection for information and data	Behavior
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Privacy protection for information and data	Behavior
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488	Privacy protection for information and data	Behavior
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489	Privacy protection for information and data	Behavior
Define the organization's liability based on the applicable law. CC ID 00504	Privacy protection for information and data	Establish/Maintain Documentation
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Privacy protection for information and data	Establish/Maintain Documentation
Define the appeal process based on the applicable law. CC ID 00506 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)]	Privacy protection for information and data	Establish/Maintain Documentation
Define the fee structure for the appeal process. CC ID 16532 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)]	Privacy protection for information and data	Process or Activity
Define the time requirements for the appeal process. CC ID 16531 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)]	Privacy protection for information and data	Process or Activity
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544	Privacy protection for information and data	Communicate
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542	Privacy protection for information and data	Communicate
Provide notice of proposed penalties. CC ID 06216	Privacy protection for information and data	Establish/Maintain Documentation
Notify the public and other agencies after a penalty becomes final. CC ID 06217	Privacy protection for information and data	Behavior
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain customer data authentication procedures. CC ID 13187	Privacy protection for information and data	Establish/Maintain Documentation
Check the accuracy of restricted data. CC ID 00088 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2]	Privacy protection for information and data	Data and Information Management
Check that restricted data is complete. CC ID 00090 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a supply chain management program. CC ID 11742	Third Party and supply chain oversight	Establish/Maintain Documentation
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432	Third Party and supply chain oversight	Establish/Maintain Documentation