Data Protection Control Framework

Document Ref.
Version: 1
Dated:
Document Author:
Document Owner:

Version 1 1 © Edevolution Solution


Revision History

Version | Date | Revision Author | Summary of Changes
1 | | George Mathews |

Distribution

Name | Title

Approval

Name | Position | Signature | Date


Contents

1 Information Lifecycle    4
1.1 Notice    4
1.2 Choice    4
1.3 Consent    5
1.4 Collect    5
1.5 Use    5
1.6 Disclose    5
1.7 Store    5
1.8 Dispose    5
1.9 Monitoring and Enforcement    5
2 Data Protection Control Framework Overview    7
3 Management    12
3.1 Privacy Policy    12
3.2 Definition of Roles and Responsibilities    13
3.3 Personal Data Identification and Classification    14
3.4 Risk Management    15
3.5 Data Protection Impact Assessments    16
3.6 Data Protection Incident and Breach Management    17
3.7 Staff Competences    19
3.8 Staff Awareness and Training    20
3.9 Legal Review of Changes in Regulatory and/or Business Requirements    21
4 Notice    22
4.1 Privacy Statement    22
5 Choice and Consent    23
5.1 Consent Framework    23
6 Collect    25
6.1 Data Minimisation    25
7 Use, Store and Dispose    26
7.1 Purpose Limitation    26
7.2 Data Protection Architecture (Data Protection by Design and Default)    27
7.3 Data Retention    28
7.4 Disposal, Destruction and Anonymisation    29
7.5 Use and Restriction    30
8 Data Access and Data Quality    31
8.1 Data Access Requests    31
8.2 Data Correction Requests    32
8.3 Data Deletion Requests    33
8.4 Data Portability Requests    34
8.5 Accuracy and Completeness of Data    35
9 Disclose    36
9.1 Third Party Disclosure and Registration    36
9.2 Third Party Agreements    37
9.3 Data Transfers    39
10 Data Security    40
10.1 Information Security Program    40
10.2 Identity and Access Management    41
10.3 Secure Transmission    42
10.4 Encryption and End-Point Security    43
10.5 Logging of Access    44
11 Monitoring and Enforcement    45
11.1 Review of Data Protection Compliance    45
11.2 Periodic Monitoring on Data Protection Controls



1 Information Lifecycle

Figure 1 Information Lifecycle Model

The information lifecycle model consists of nine phases:

1.1 Notice

The information lifecycle starts with informing the data subject about the use of their personal data.
The entity provides notice about its data protection policies and procedures and identifies the
purposes for which personal information is collected, used, retained, and disclosed.

1.2 Choice

The entity describes the different choices available to the data subject with respect to the collection,
use, and disclosure of personal information by the entity.

1.3 Consent

The entity secures implicit or explicit consent of the data subject regarding the collection, use and
disclosure of the personal data.

1.4 Collect

Personal information is only collected by the entity for the purposes identified in the Notice phase.


1.5 Use

The entity limits the use of personal information to the purposes identified in the Notice phase and
for which the data subject has provided implicit or explicit consent.

1.6 Disclose

The entity discloses personal information to third parties only for the purposes identified in the
Notice phase and with the implicit or explicit consent of the data subject.

1.7 Store

The entity stores personal information no longer than needed for the purpose defined in the Notice
phase, or as required by laws and regulations. Personal data may be re-used (secondary use) and flow
back to the Use phase, but only if the purposes for secondary use are in line with those communicated
in the Notice phase.

1.8 Dispose

The entity disposes of personal information appropriately.

1.9 Monitoring and Enforcement

Management sets the course (e.g., data protection strategy, data protection policy, etc.) and controls
how personally identifiable information moves through the various stages of the information lifecycle
(incl. monitoring and enforcement). To ensure that business processes are accurate, complete, and
timely, there are generally three prerequisites for personal data in the various phases of the
information lifecycle:

✓ Data quality;
✓ Data access;
✓ Data security.

Finally, the information lifecycle model also presents the various external stakeholders with regard to
the different phases in the processing of personal data. These stakeholders are:

• Data subjects;
• Data Protection Authorities;
• Governments;
• Third parties (or data processors).

Mapping the data protection control objectives onto the phases of the information lifecycle model gives
a clear overview of those objectives. This approach can greatly enhance the governance of personal
data within entities.


2 Data Protection Control Framework Overview

The table below summarises the Data Protection Control Framework. It contains 95 controls in total, divided over 32 topics in 9
lifecycle phases. Each row gives the tag, topic, control objective and number of controls.

Lifecycle Phase: Management

Tag | Topic | Control Objective | # Controls
PPO | Data protection policy | The entity establishes and communicates a policy that states its objectives and responsibilities regarding data protection and is in line with accepted data protection principles and applicable laws and regulations. | 5
RRE | Definition of roles and responsibilities | The entity establishes and implements clear roles and responsibilities regarding the safeguarding of personal data and the achievement of data protection objectives. | 4
PDI | Personal data identification and classification | The entity understands and documents which personal data is stored and processed and identifies and treats personal data appropriately. Measures to safeguard personal data take into account the differences in sensitivity in personal data, leading to identification of risks and compliance with laws and regulations. | 4
RMA | Risk management | The entity systematically and periodically identifies, assesses, and mitigates factors that endanger the achievement of data protection objectives. | 4
PIA | Data protection impact assessments | The data protection-related impact of new products and services and their use within the entity is systematically identified, assessed and addressed. | 5
PIB | Data protection incident and breach management | The entity adequately detects and handles data protection-related incidents; data protection-related incidents are responded to appropriately so as to limit the consequences and to take measures to prevent future breaches. | 8
SCO | Staff competences | Staff in positions with access to or control over personal data and personal data processes have the necessary data protection competences to adequately perform their duties. | 4
SAT | Staff awareness and training | Staff are sufficiently aware of data protection laws, regulations and organisational data protection policies and guidelines, and their individual responsibilities with regard to data protection, and the entity engages in programs to establish and maintain awareness. | 3
LRC | Legal review of changes in regulatory and/or business requirements | Data protection risks associated with changes to the entity (structure and strategy) and to regulatory requirements are adequately considered. | 1

Lifecycle Phase: Notice

Tag | Topic | Control Objective | # Controls
PST | Data protection statement | The entity transparently informs data subjects of the entity's policy, requirements, and practices regarding the collection, use, retention, disclosure and disposal of personal data. | 2

Lifecycle Phase: Choice and Consent

Tag | Topic | Control Objective | # Controls
CFR | Consent framework | The entity obtains the data subject's consent for processing personal data where required or necessary. | 4

Lifecycle Phase: Collect

Tag | Topic | Control Objective | # Controls
DMI | Data minimisation | Personal data is adequate, relevant, and limited to what is necessary in relation to the legitimate purposes for which it is processed. | 2

Lifecycle Phase: Use, Store and Dispose

Tag | Topic | Control Objective | # Controls
ULI | Purpose limitation | Personal data is not disclosed, made available or otherwise used for other purposes than those specified in the entity's data protection statement except: a) with the consent of the data subject; or b) by the authority of law. | 2
PBD | Data protection architecture (data protection by design and default) | The entity takes into account solid data protection policies, principles, and/or applicable laws and regulations when designing or changing products, services, business systems or processes. | 3
DRE | Data retention | Personal data is retained no longer than the minimum time needed, as required by applicable laws and regulations, or for the purposes for which it was collected. | 2
DDA | Disposal, destruction and anonymisation | Personal data is anonymised and/or disposed of within the entity where required. Identities should not be identifiable and personal data should not be available once it is past its retention date. | 2
URE | Use and restriction | Personal data is not used in case of a restriction requested by the data subject or in case of specific legal restrictions by local government. Objections to processing by the data subject are handled adequately. | 2

Lifecycle Phase: Data Access and Data Quality

Tag | Topic | Control Objective | # Controls
DAR | Data access requests | Data subject access requests are responded to adequately, and data subjects are able to determine which personal data relating to them is processed and in what way. | 3
DCR | Data correction requests | Data subject correction requests are responded to adequately, and data subjects are able to determine whether their personal data is correct and up to date, and are able to correct their personal data. | 3
DDR | Data deletion requests | Data deletion requests are responded to adequately and data subjects are able to have their personal data deleted if applicable criteria are met. | 3
DPR | Data portability requests | Data portability requests are responded to adequately and data subjects are able to have their personal data transferred to another entity if applicable criteria are met. | 3
ACD | Accuracy and completeness of data | Documented procedures for validation, editing and update of personal data assure accurate and complete personal data processing. | 2

Lifecycle Phase: Disclose

Tag | Topic | Control Objective | # Controls
TPD | Third party disclosure and registration | Personal data is not disclosed to third parties without a lawful basis or for other purposes than the data subject was informed about. | 1
TPA | Third party agreements | Data protection considerations and requirements are adequately covered when procuring (personal data related) solutions or services from third parties, resulting in appropriate handling or protection of personal data. | 3
DTR | Data transfers | Personal data is not transferred (i.e. movement, viewing, or printing of data in another location) internationally to countries that have an inadequate legal data protection regime. | 2

Lifecycle Phase: Data Security

Tag | Topic | Control Objective | # Controls
ISP | Information security program | Personal data is adequately secured from accidental errors or loss, or from malicious acts such as hacking or deliberate theft, disclosure or loss. | 7
IAM | Identity and access management | Access rights are appropriately assigned, changed and withdrawn, thus decreasing the likelihood of unauthorised access to, or inappropriate handling of, personal data, or data breaches by internal employees, third parties or hackers. | 1
STR | Secure transmission | Restricted access to personal data during transmission adequately prevents unauthorised disclosure, breach, altering or destruction of personal data. | 1
ENC | Encryption and end-point security | Encryption assures the prevention of a breach of personal data (accidental loss of personal data, or malicious acts such as deliberate theft, disclosure or loss). | 4
LOG | Logging of access | Access or access attempts to personal data by staff and third parties are logged and investigated to detect and prevent (attempts to) breach the security of personal data. | 1

Lifecycle Phase: Monitoring and Enforcement

Tag | Topic | Control Objective | # Controls
REV | Review of data protection compliance | Adequate oversight of the internal organisation and third parties ensures compliance with applicable data protection laws and regulatory requirements and decreases the risk of data breaches or loss of personal data. | 1
MON | Periodic monitoring on data protection controls | Systematic and periodical assessments of data protection processes and controls assure that they operate as designed, resulting in ongoing compliance with applicable laws and regulatory requirements. | 3


3 Management

3.1 Privacy Policy

Control objective
The entity establishes and communicates a policy that states its objectives and responsibilities regarding
data protection and is in line with accepted data protection principles and applicable laws and regulations.

Information lifecycle phase: Management

Controls (applicable role)                                                    Evidence/Testing

PPO01 (Controller/Processor) A documented privacy policy, which has been communicated to internal
employees and external stakeholders, has been established and is reviewed and approved annually by
management.

PPO02 (Controller/Processor) Management expresses its commitment to, and responsibility for, lawful
data protection principles.

PPO03 (Controller/Processor) The privacy policy states the objectives of the entity regarding data
protection.

PPO04
a. (Controller) For every instance of processing personal data, the entity establishes alignment with
legal data protection principles, and documents the way in which adherence to these principles is
achieved.
b. (Processor) For every instance of processing personal data, the entity makes sure that documented
instructions are in place for each processing activity from contractual partners (controllers or (other)
processors).

PPO05 (Controller/Processor) The entity has established and documented the criteria that demonstrate
lawful processing for each instance of personal data processing.

Related GDPR key elements:

• Data protection principles
• Lawfulness of processing
• Records of processing activities


3.2 Definition of Roles and Responsibilities
Control objective
The entity establishes and implements clear roles and responsibilities regarding the safeguarding of
personal data and the achievement of data protection objectives.

Information lifecycle phase: Management

Controls (applicable role)                                                    Evidence/Testing

RRE01 (Controller/Processor) For every data processing operation, the entity establishes and documents
whether it operates as controller or processor.

RRE02
a. (Controller) Where the entity operates as a controller, it establishes agreements with processors
that govern the data protection responsibilities of the processor. If the entity operates as a joint
controller, an arrangement with the other controller is in place.
b. (Processor) Where the entity operates as a processor, agreements with the controller(s) are in place
that govern the data protection responsibilities of the processor. If processing is subcontracted to
another processor, agreements are in place that govern the data protection responsibilities of the
sub-processor.

RRE03 (Controller/Processor) The entity assigns coordination, oversight and monitoring of data
protection to a designated person, such as a Data Protection Officer (DPO). The responsibility,
authority, and accountability of the designated person are clearly documented and regularly reviewed.

RRE05 (Controller/Processor) The roles and responsibilities of individual staff in safeguarding personal
data and compliance with data protection principles are established and communicated.

Related GDPR key elements:

• Data protection principles
• Responsibilities of controller and processor
• Records of processing activities
• Data Protection Officer
• Transfers of personal data to third countries or international organisations


3.3 Personal Data Identification and Classification
Control objective
The entity understands and documents which personal data is stored and processed and identifies and
treats personal data appropriately.

Measures to safeguard personal data take into account the differences in sensitivity in personal data,
leading to identification of risks and compliance with laws and regulations.

Information lifecycle phase: Management

Controls (applicable role)                                                    Evidence/Testing

PDI01 (Controller/Processor) The entity deploys a documented process to identify and document
processing of personal data and to classify that data as such. This includes processes, systems and
third parties that handle personal data.

PDI02 (Controller/Processor) The entity clearly distinguishes and documents processing of
(a) personal data and
(b) special categories of personal data.

PDI03 (Processor) The entity deploys a procedure to assess whether existing or planned processing of
personal data involves special categories of personal data. If so, it explicitly assesses and documents
the lawfulness of (planned) processing and takes mitigating measures to ensure secure and compliant
processing.

PDI04
a. (Controller) The entity maintains and manages a systematic record of data processing activities
including the characteristics of these activities (legitimate basis, purpose, categories of data and
data subjects, recipients, security measures).
b. (Processor) The entity maintains and manages a systematic record of data processing activities
performed on behalf of each controller, including the characteristics of these activities (contact
details of the controller, transfers, security measures).

Related GDPR key elements:

• Records of processing activities
• Data protection principles
• Security of processing


3.4 Risk Management
Control objective
The entity systematically and periodically identifies, assesses, and mitigates factors that endanger the
achievement of data protection objectives.

Information lifecycle phase: Management

Controls (applicable role)                                                    Evidence/Testing

RMA01 (Controller/Processor) A process is in place to periodically:
a. identify the events and factors endangering data protection objectives;
b. assess the impact and probability of these events, and subsequently formulate adequate risk
responses and control measures.

RMA02 (Controller/Processor) When new or changed data protection risks are identified, the data
protection risk assessment and the risk response strategies are reviewed and updated where needed.

RMA03 (Controller/Processor) Data protection risk acceptance criteria are established, approved,
documented, and applied.

RMA04 (Controller/Processor) The entity plans and implements the controls that are necessary to
mitigate data protection risk. Progress of implementation is monitored and measured.

Related GDPR key elements:

• Data Protection Impact Assessment
• Data Protection by Design / by Default


3.5 Data Protection Impact Assessments
Control objective
The data protection-related impact of new products and services and their use within the entity is
systematically identified, assessed and addressed.

Information lifecycle phase: Management

Controls (applicable role)                                                    Evidence/Testing

PIA01 (Controller) The entity deploys a documented process to carry out an assessment of the impact on
data protection regarding new or significantly changed processes, products and services (DPIA).

PIA02 (Controller) The DPIA takes into account:
a. the envisioned processing operations;
b. their purpose, necessity, and proportionality;
c. the risks they present to the data protection of data subjects;
d. the measures to mitigate these risks.

PIA03 (Controller) All relevant stakeholders are involved in the DPIA, and specific guidelines of the
supervisory authority regarding assessment criteria are adhered to.

PIA04 (Controller) The entity documents all systems and software that process personal data and a
history of changes applied to them.

PIA05 (Controller) A change management process is established to implement approved data protection
measures from the DPIA before the change is executed.

Related GDPR key elements:

• Data Protection Impact Assessment


3.6 Data Protection Incident and Breach Management
Control objective
The entity adequately detects and handles data protection-related incidents; data protection-related
incidents are responded to appropriately as to limit the consequences and to take measures to prevent
future breaches.

Information lifecycle phase: Management

Controls Evidence/Testing

A formal, comprehensive data protection incident and breach


management process has been implemented, which specifies the
following:

a. The responsibilities of staff members to inform the responsible


data protection officer or DPO in case of a data protection
incident or possible data breach;
b. The DPO (or, if applicable, security officer) assesses whether
the incident is data protection related. In case of a personal
data breach, the data protection officer documents the nature
PIB01 of the breach, the consequences, and the approximate number Controller/Processor
of data records and data subjects affected.
c. The DPO initiates and coordinates required actions, and
determines the required involvement of individuals and
stakeholders to be informed (such as the controller in case the
entity is a processor or the supervisory authority if the entity is
the controller).
d. The DPO monitors the progress of remediating actions and
reports to management (and, if applicable, informs the
controller and the supervisory authorities).

The process includes a clear escalation path, based on the type or


severity (or both) of the incident, up to legal counsel and executive
PIB02 Controller/Processor
management. The process addresses the criteria for contacting law
enforcement, regulatory, or other authorities.

a. The entity has a data protection breach notification policy that


ensures that the supervisory authority is timely notified of
Controller
the data breach if the breach is likely to result in a risk to the
rights and freedoms of natural persons.
PIB03
b. The entity has a data protection breach notification policy that
ensures that the respective controller of the processing Processor
activity involved is timely notified of a possible data breach.

Version 1 18 © Edevolution Solution


a. In case of a data breach all required information regarding the
breach is collected and provided to the supervisory authority, Controller
including cause and mitigating measures.
PIB05 b. In case of a (possible) data breach all required information
regarding the breach is collected and provided to the controller
of the processing activity involved, including cause and Processor
mitigating measures.
The DPO has been assigned the overall responsibility for the
PIB06 breach notification process. The data protection officer documents Controller/Processor
all considerations made when determining the obligation to notify.

The breach management process outlines that the evaluation of


PIB07 incidents or breaches leads to remediations and improvements, Controller/Processor
and serve as input for staff data protection awareness programs.

PIB08 (Controller/Processor)
The data protection incident and breach management process outlines the following:
a. after any major data protection incident or data breach, a formal incident evaluation is conducted, where necessary involving external expertise;
b. a periodic review of actual incidents is conducted and required improvements are identified based on the following:
   o incident root cause;
   o incident patterns;
   o changes in the internal control environment and legislation;
c. results of the periodic review and progress of improvements are reported to and reviewed by management.

PIB09 (Controller/Processor)
The breach management process is reviewed at least every year and shortly after the implementation of significant system or procedural changes.

Related GDPR key elements:

• Personal data breach
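Worked example (added here; it is not part of the framework or of Edevolution Solution's material): a small breach register in Python that applies PIB03 and PIB05/PIB06 by deciding whom to notify, tracking the deadline and recording the considerations behind the decision, and that groups incidents by root cause as input for the PIB08 periodic review. The 72-hour window is assumed from GDPR Art. 33(1) rather than taken from this document; the incidents, references and root causes are constructed.

```python
"""Breach notification register (added example, not the framework's own code).
Decides whether the supervisory authority (controller) or the controller
(processor) must be notified, computes the deadline and keeps the written
considerations that PIB06 requires."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: GDPR Art. 33(1), "where feasible, not later than 72 hours".
NOTIFY_WINDOW = timedelta(hours=72)


@dataclass
class Breach:
    ref: str
    role: str                  # "controller" or "processor" (the entity's role)
    detected_at: datetime
    risk_to_individuals: bool  # outcome of the risk assessment
    root_cause: str
    considerations: list = field(default_factory=list)
    decision: dict = field(default_factory=dict)


def decide_notification(b: Breach) -> dict:
    """Record the notification decision, its deadline and the reasoning."""
    b.considerations.append(
        f"role={b.role}, risk_to_individuals={b.risk_to_individuals}")
    if b.role == "processor":
        # PIB03b: a processor informs the controller of any possible breach;
        # the controller performs the risk assessment.
        target = "controller"
        reason = "processor must inform the controller of a possible breach"
    elif b.risk_to_individuals:
        # PIB03a: likely risk to rights and freedoms -> supervisory authority.
        target = "supervisory_authority"
        reason = "breach likely to result in a risk to rights and freedoms"
    else:
        target = None
        reason = "no likely risk to rights and freedoms; documented, not notified"
    b.considerations.append(reason)
    b.decision = {
        "notify": target,
        "deadline": b.detected_at + NOTIFY_WINDOW if target else None,
        "sent": False,
    }
    return b.decision


def overdue(b: Breach, now: datetime) -> bool:
    """True when a required notification has not been sent by its deadline."""
    deadline = b.decision.get("deadline")
    return deadline is not None and not b.decision.get("sent") and now > deadline


def periodic_review(breaches) -> dict:
    """Count incidents per root cause (PIB08b: improvements by root cause)."""
    return dict(Counter(b.root_cause for b in breaches))


def run_example() -> dict:
    """Constructed sample incidents (not real ones) run through the register."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    breaches = [
        Breach("B-001", "controller", t0, True, "misdirected email"),
        Breach("B-002", "controller", t0, False, "misdirected email"),
        Breach("B-003", "processor", t0, True, "lost laptop"),
    ]
    for b in breaches:
        decide_notification(b)
    now = t0 + timedelta(hours=80)  # 8 hours past the window, nothing sent
    return {
        "decisions": {b.ref: b.decision["notify"] for b in breaches},
        "overdue": [b.ref for b in breaches if overdue(b, now)],
        "review": periodic_review(breaches),
        "considerations": {b.ref: b.considerations for b in breaches},
    }


if __name__ == "__main__":
    print(run_example())
```

The register never discards a decision not to notify: the "documented, not notified" path is exactly the consideration a supervisory authority will ask for later, which is why PIB06 requires it to be written down.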

3.7 Staff Competences
Control objective
Staff in positions with access to or control over personal data and personal data processes have the
necessary data protection competences to adequately perform their duties.

Information lifecycle phase: Management

Controls Evidence/Testing

SCO01 (Controller/Processor)
The entity documents the required data protection competences for staff involved in handling personal data. It also establishes how these competences can be achieved (e.g., training programs).

SCO02 (Controller/Processor)
The entity documents the extent to which individual staff members possess these competences. A process is in place to bridge competence gaps.

SCO03 (Controller/Processor)
The entity addresses data protection competences in its hiring and onboarding process for staff to be involved in safeguarding personal data and compliance with data protection principles, and addresses data protection performance in individual appraisals.

SCO04 (Controller/Processor)
Management annually reviews the allocation of staff, budgets, and other resources to its data protection program.

Related GDPR key elements:


• Security of processing
• Data protection principles
• Data Protection Officer

3.8 Staff Awareness and Training
Control objective
Staff is sufficiently aware of data protection laws, regulations and organisational data protection
policies and guidelines, and their individual responsibilities with regard to data protection, and the
entity engages in programs to establish and maintain awareness.

Information lifecycle phase: Management

Controls Evidence/Testing

SAT01 (Controller/Processor)
A data protection and security awareness course is organised at least annually for all employees. New employees, contractors, and others are required to complete a comparable training within the first month following employment in order to understand the data protection policy of the entity and its implications.

SAT02 (Controller/Processor)
In-depth (internal or external) data protection training is provided based on the necessary data protection competences of staff (see SCO). Training covers data protection and relevant security policies and procedures, legal and regulatory considerations, incident response, and related topics. Such training is:
a. required annually for all employees who have access to personal data or are responsible for protection of personal data;
b. tailored to the employee’s job responsibilities and required competences.

SAT03 (Controller/Processor)
Training and awareness courses are reviewed and updated to reflect current legislative, regulatory, industry, and entity policy and procedure requirements.

Related GDPR key elements:


• Security of processing

• Data protection principles

3.9 Legal Review of Changes in Regulatory and/or Business Requirements
Control objective
Data protection risks associated with changes to the entity (structure and strategy) and to regulatory
requirements are adequately considered.

Information lifecycle phase: Management

Controls Evidence/Testing

LRC01 (Controller/Processor)
The entity establishes a process to monitor, assess, and address the impact on data protection requirements from changes in:
a. legal and regulatory requirements;
b. industry requirements, best practices and guidelines;
c. contracts, including service-level agreements with third parties (changes to the data protection and security related clauses in contracts are adequately reviewed and approved before they are executed);
d. business operations and processes;
e. people assigned responsibility for data protection and security matters;
f. technology (prior to implementation).

Related GDPR key elements:


• Data Protection Impact Assessment

• Lawfulness of processing

4 Notice

4.1 Privacy Statement


Control objective
The entity transparently informs data subjects of the entity’s policy, requirements, and practices
regarding the collection, use, retention, disclosure and disposal of personal data.

Information lifecycle phase: Notice

Controls Evidence/Testing

PST01 (Controller)
The entity’s data protection statement:
a. describes the personal data obtained, the sources of such information, the purposes for which it is collected and the applicable lawfulness criteria;
b. describes the consequences, if any, of the data subject not providing the requested information;
c. describes (if applicable) further processing;
d. provides information on data subject rights and the procedure to exercise these rights (see also URE, DAR, DCR, DDR, DPR).

PST02 (Controller)
The data protection statement is:
a. easily accessible and (made) available for data subjects when personal data is first collected from the data subject;
b. provided in a timely manner (that is, at or before the time personal data is collected, or as soon as practical thereafter) to enable individuals to decide whether or not to submit personal data to the entity;
c. clearly dated, to allow data subjects to determine whether the notice has changed since the last time they read it or since the last time they submitted personal data to the entity;
d. easily understood and readable.

Related GDPR key elements:


• Rights of the data subject
• Responsibilities of the controller/processor

• Data protection principles

5 Choice and Consent

5.1 Consent Framework


Control objective
The entity obtains data subject’s consent for processing personal data where required or necessary.

Information lifecycle phase: Choice and consent

Controls Evidence/Testing

CFR01 (Controller)
The entity’s data protection statement describes, in a clear and concise manner, the following:
a. the choices available to the data subject regarding the collection, use, and disclosure of personal data;
b. the process a data subject should follow to exercise these choices (for example, checking an opt-out box to decline receiving marketing materials);
c. the ability of, and process for, an individual to change contact preferences;
d. the consequences of failing to provide personal data required for a transaction or service;
e. the consequences of refusing to provide personal data (for example, transactions may not be processed);
f. the consequences of denying or withdrawing consent (for example, opting out of receiving information about products and services may result in not being made aware of sales promotions).

CFR02 (Controller)
If processing is based on the data subject’s consent, the entity:
a. obtains and documents a data subject’s consent in a timely manner (that is, at or before the time personal data is collected or soon after);
b. confirms an individual’s preferences (in writing or electronically);
c. documents and manages changes to an individual’s preferences;
d. ensures that an individual’s preferences are implemented in a timely fashion;
e. retains information to be able to demonstrate given consent.

CFR03 (Controller)
The entity does not collect or process special categories of personal data unless it has a lawful basis to do so.
If explicit consent of the data subject is the lawful basis for processing special categories of personal data, the data subject has affirmatively agreed, through some action, to the use or disclosure of the special categories of personal data. The entity obtains explicit consent directly from the data subject and documents/retains evidence of the data subject’s consent, for example, by requiring the individual to check a box or sign a form.

CFR04 (Controller)
In case of processing of personal data on the basis of the data subject’s consent, the entity will facilitate the data subject in exercising its right to withdraw consent at any time.

Related GDPR key elements:


• Lawfulness of processing
• Conditions for consent

• Rights of the data subject
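Worked example (added here; not part of the framework or of Edevolution Solution's material): an append-only consent ledger in Python that implements CFR02 (record consent and changes, retain evidence), CFR03 (only an affirmative, explicit record counts for special categories) and CFR04 (withdrawal takes effect from the moment it is recorded). The subject ids, purposes, timestamps and capture methods are constructed.

```python
"""Consent ledger (added example, not the framework's own code).
Every grant and withdrawal is appended, never overwritten, so the history
itself is the evidence that CFR02e asks the entity to retain."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    action: str            # "given" or "withdrawn"
    at: datetime
    evidence: str          # how it was captured, e.g. "signup form checkbox v3"
    explicit: bool = False  # affirmative action recorded (needed for CFR03)


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.action not in ("given", "withdrawn"):
            raise ValueError("action must be 'given' or 'withdrawn'")
        self._events.append(event)  # append only: history is the evidence

    def status(self, subject_id: str, purpose: str,
               at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """Latest event for this subject and purpose as of time `at` (default: now)."""
        latest = None
        for e in self._events:
            if e.subject_id != subject_id or e.purpose != purpose:
                continue
            if at is not None and e.at > at:
                continue
            if latest is None or e.at >= latest.at:
                latest = e
        return latest

    def may_process(self, subject_id: str, purpose: str,
                    special_category: bool = False,
                    at: Optional[datetime] = None) -> bool:
        """Consent currently in force? For special categories it must be explicit."""
        e = self.status(subject_id, purpose, at)
        if e is None or e.action != "given":
            return False  # never given, or withdrawn (CFR04)
        return e.explicit or not special_category

    def evidence_of_consent(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full history: what an auditor or supervisory authority would ask for."""
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]


def run_example() -> dict:
    """Constructed events for one subject (not real data)."""
    led = ConsentLedger()

    def t(hour: int) -> datetime:
        return datetime(2024, 5, 1, hour, 0, tzinfo=timezone.utc)

    led.record(ConsentEvent("S-1", "marketing", "given", t(9), "signup form checkbox"))
    # A pre-ticked box is not an affirmative action, so explicit stays False.
    led.record(ConsentEvent("S-1", "health-study", "given", t(9), "pre-ticked box"))
    led.record(ConsentEvent("S-1", "marketing", "withdrawn", t(12), "unsubscribe link"))
    led.record(ConsentEvent("S-1", "health-study", "given", t(13), "signed form", explicit=True))
    return {
        "marketing_at_10": led.may_process("S-1", "marketing", at=t(10)),
        "marketing_now": led.may_process("S-1", "marketing"),
        "health_at_10": led.may_process("S-1", "health-study", special_category=True, at=t(10)),
        "health_now": led.may_process("S-1", "health-study", special_category=True),
        "marketing_history": len(led.evidence_of_consent("S-1", "marketing")),
    }


if __name__ == "__main__":
    print(run_example())
```

The point-in-time `at` parameter is what lets the entity answer "was consent in force when this message was sent?", which is the question a complaint about marketing usually turns on.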

Version 1 25 © Edevolution Solution


6 Collect

6.1 Data Minimisation


Control objective
Personal data is adequate, relevant, and limited to what is necessary in relation to the legitimate purposes
for which it is processed.

Information lifecycle phase: Collect

Controls Evidence/Testing

DMI01 (Controller)
The entity establishes a process and procedures to:
a. identify the extent to which personal data is essential for the purposes of the entity’s processing, and to differentiate it from optional personal data;
b. limit processing of personal data to the minimum extent required by the processing purposes;
c. periodically review the continuing necessity of personal data in the entity’s products and/or services.

DMI02 (Controller)
The data protection policy states data minimisation as a data protection principle for the entity (see PPO).

Related GDPR key elements:


• Data protection principles

• Data protection by design and default

7 Use, Store and Dispose

7.1 Purpose Limitation


Control objective
Personal data is not disclosed, made available or otherwise used for other purposes than those
specified in the entity’s data protection statement except:

a. with the consent of the data subject; or

b. by the authority of law.

Information lifecycle phase: Use, store and dispose

Controls Evidence/Testing

ULI01 (Controller)
The entity establishes a process and procedures to:
a. limit disclosure and use of personal data to the legitimate purposes as documented in the entity’s data protection policy and data protection statement;
b. continuously assure that disclosure and use of personal data are in agreement with the data subject’s consent and applicable laws and regulations.

ULI02 (Controller)
The data protection policy states purpose limitation as a data protection principle for the entity (see PPO).

Related GDPR key elements:


• Data protection principles

• Data protection by design and default

7.2 Data Protection Architecture (Data Protection by Design and Default)
Control objective
The entity takes into account solid data protection policies, principles, and/or applicable laws and
regulations when designing or changing products, services, business systems or processes.

Information lifecycle phase: Use, store and dispose

Controls Evidence/Testing

PBD01 (Controller)
When developing, designing, selecting and using applications, services and products that process personal data, the entity takes into account the data protection principles and risks as early as possible in the design phase. The risk of conflicts between the data protection design and the rights and freedoms of data subjects (and the entity’s data protection policy) is identified and addressed.
If the entity procures services of third parties in these activities, it will require these third parties to deploy the same data protection risk management activities.

PBD02 (Controller)
Assessment of data protection risks is an inherent and documented element of the entity’s project methodology and/or design and development process.

PBD03 (Controller)
Where the systems, services and products that process personal data offer data protection related choices and options, the default setting for these choices and options will be as restrictive as possible in terms of data protection.

Related GDPR key elements:


• Data protection by design and default

• Data protection principles

7.3 Data Retention
Control objective
Personal data is retained no longer than the minimum time needed, as required by applicable laws and
regulations, or for the purposes for which it was collected.

Information lifecycle phase: Use, store and dispose

Controls Evidence/Testing

DRE01 (Controller)
The entity:
a. documents its retention policies and disposal procedures for personal data;
b. ensures personal data is not kept beyond the established retention time unless a justified business or legal reason for doing so exists;
c. for each instance of personal data processing, documents applicable retention times;
d. discloses retention time policies to data subjects in its data protection statement;
e. retains, stores, and disposes of archived and backup copies of records in accordance with its retention policies;
f. instructs processor(s) regarding data retention (periods).

DRE02 (Controller)
Legal and contractual retention requirements are considered when establishing retention practices when they may be exceptions to normal policies.

Related GDPR key elements:


• Data protection principles

• Responsibilities of the controller/processor

7.4 Disposal, Destruction and Anonymisation
Control objective:
Personal data is anonymised and/or disposed of within the entity where required. Identities should not be
identifiable and personal data should not be available once it is past its retention date.

Information lifecycle phase: Use, store and dispose

Controls Evidence/Testing

DDA01 (Controller)
The entity has a documented process in place that ensures:
a. erasure or destruction of personal data records in accordance with the retention policies, regardless of the nature of storage media (for example, electronic, optical media, or paper based);
b. disposal of original, archived, backup and ad hoc or personal copies of records in accordance with its destruction policies;
c. adequate documentation of the disposal of personal data.
The entity further:
a. within the limits of technology, locates and removes or reduces specified personal data about an individual as required;
b. regularly and systematically destroys, erases, or anonymises personal data that is no longer required to fulfill the identified purposes or as required by laws and regulations.

DDA02 (Controller)
Contractual requirements are considered when establishing disposal, destruction, and reduction practices if they may result in an exception to the entity’s normal policies.

Related GDPR key elements:


• Data protection principles
• Responsibilities of the controller/processor
• Security of processing
• Data protection by design and default
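Worked example (added here; not part of the framework or of Edevolution Solution's material) covering the retention controls of 7.3 and the disposal controls of 7.4 together: a Python job that holds a documented retention time per processing activity (DRE01c), applies it to primary and backup copies alike (DRE01e, DDA01b), honours a legal hold as the documented exception (DRE02), anonymises or erases expired records (DDA01) and writes a disposal log entry for each action (DDA01c). The activities, retention periods, record ids and dates are constructed.

```python
"""Retention schedule enforcement (added example, not the framework's own code)."""
from datetime import date

# Documented retention time per processing activity (DRE01c). Assumed values.
RETENTION_DAYS = {
    "newsletter": 365,
    "recruitment": 180,
}
# DRE02: records under a legal hold are a documented exception. Constructed.
LEGAL_HOLD = {"recruitment": {"R-7"}}


def anonymise(record: dict) -> dict:
    """Strip the identifying field; keep what statistics still need (DDA01 'reduces')."""
    return {"id": record["id"], "activity": record["activity"],
            "created": record["created"], "subject": None}


def enforce_retention(records: list, backups: list, today: date, log: list) -> list:
    """Apply the schedule to both stores in place, append disposal evidence to `log`
    and return (store, id) pairs that were anonymised or erased."""
    disposed = []
    for store_name, store in (("primary", records), ("backup", backups)):
        for rec in list(store):  # iterate over a copy: we mutate `store`
            if rec["subject"] is None:
                continue  # already anonymised on an earlier run
            expired = (today - rec["created"]).days > RETENTION_DAYS[rec["activity"]]
            if not expired:
                continue
            if rec["id"] in LEGAL_HOLD.get(rec["activity"], set()):
                log.append({"id": rec["id"], "store": store_name,
                            "action": "retained", "reason": "legal hold", "date": today})
                continue
            if rec["activity"] == "newsletter":
                store[store.index(rec)] = anonymise(rec)  # keep aggregate, drop identity
                action = "anonymised"
            else:
                store.remove(rec)
                action = "erased"
            log.append({"id": rec["id"], "store": store_name, "action": action, "date": today})
            disposed.append((store_name, rec["id"]))
    return disposed


def run_example() -> dict:
    """Constructed records (not real data) as of an assumed run date."""
    today = date(2024, 6, 30)
    records = [
        {"id": "R-1", "activity": "newsletter", "subject": "alice", "created": date(2023, 1, 10)},
        {"id": "R-2", "activity": "newsletter", "subject": "bob", "created": date(2024, 5, 1)},
        {"id": "R-7", "activity": "recruitment", "subject": "carol", "created": date(2023, 9, 1)},
        {"id": "R-8", "activity": "recruitment", "subject": "dave", "created": date(2023, 10, 1)},
    ]
    # Backup copies fall under the same schedule (DRE01e, DDA01b).
    backups = [dict(r) for r in records]
    log = []
    disposed = enforce_retention(records, backups, today, log)
    return {"disposed": disposed, "records": records, "backups": backups, "log": log}


if __name__ == "__main__":
    for entry in run_example()["log"]:
        print(entry)
```

R-1 is past the newsletter period and is anonymised, R-8 is past the recruitment period and erased, R-7 is also past its period but the legal hold is logged as the reason for keeping it, and R-2 is untouched; the same four decisions are repeated for the backup store, which is what an auditor checking DDA01b expects to find in the disposal log.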

7.5 Use and Restriction
Control objective
Personal data is not used in case of the restriction of the data subject or in case of specific legal
restrictions by local government. Objections to processing by data subject will be handled adequately.

Information lifecycle phase: Use, store and dispose

Controls Evidence/Testing

URE01 (Controller)
The entity has a process in place to adequately respond to data subjects exercising their rights to restriction of processing or to object to processing.

URE02 (Controller)
The entity has established whether local member state law imposes any restrictions on data processing (e.g., to safeguard national or public security) and is demonstrably compliant with these restrictions.

Related GDPR key elements:


• Data protection principles
• Lawfulness of processing
• Rights of the data subject

• Transfers of personal data to third countries or international organisations

8 Data Access and Data Quality

8.1 Data Access Requests


Control objective
Data subject access requests are responded to adequately, and data subjects are able to determine
which personal data relating to her/him is processed and in what way.

Information lifecycle phase: Data access and data quality

Controls Evidence/Testing

DAR01 (Controller)
Procedures are in place to adequately respond to data subject access requests. In case the data subject exercises his/her right, the entity will inform the data subject of the nature of the personal data it processes and the characteristics of the processing (e.g., purpose, recipients, retention times, the existence of automated decision making).

DAR02 (Controller)
The entity has a process in place to timely provide to the data subject, in a commonly used electronic form, a copy of the personal data undergoing processing.

DAR03 (Controller)
The entity verifies the identity of the requesting data subject before responding.

Related GDPR key elements:


• Security of processing
• Data protection by design and default

• Rights of the data subject

8.2 Data Correction Requests
Control objective
Data subject correction requests are responded to adequately, and data subjects are able to determine
whether their personal data is correct/up-to-date and are able to correct their personal data.

Information lifecycle phase: Data access and data quality

Controls Evidence/Testing

DCR01 (Controller)
Procedures are in place to adequately respond to data subject correction requests. In case the data subject exercises this right, the entity will rectify the personal data of the data subject without undue delay.

DCR02 (Controller)
The entity verifies the identity of the requesting data subject before acting on the request.

DCR03 (Controller)
The entity notifies third parties, to whom personal data has been disclosed, of necessary corrections in personal data.

Related GDPR key elements:


• Rights of the data subject

8.3 Data Deletion Requests
Control objective
Data deletion requests are responded to adequately and data subjects are able to have their personal data
deleted if applicable criteria are met.

Information lifecycle phase: Data access and data quality

Controls Evidence/Testing

DDR01 (Controller)
Procedures are in place to adequately respond to data subject deletion requests (‘right to be forgotten’). In case the data subject exercises his/her right, the entity will validate the grounds of the request against applicable criteria (e.g., processing is consent-based, unlawful processing, purpose no longer valid, legal requirements for retention). Where a valid ground exists, the entity will erase the personal data without undue delay.

DDR02 (Controller)
If applicable, the entity notifies other controllers, to whom the personal data has been passed on, of the data subject’s request to have personal data deleted. If the personal data are processed by a processor, the entity instructs the processor to delete the data.

DDR04 (Controller)
The entity verifies the identity of the requesting data subject before acting on the request.

Related GDPR key elements:

• Rights of the data subject

8.4 Data Portability Requests
Control objective
Data portability requests are responded to adequately and data subjects are able to have their personal
data transferred to another entity if applicable criteria are met.

Information lifecycle phase: Data access and data quality

Controls Evidence/Testing

DPR01 (Controller)
Procedures are in place to adequately respond to data subject portability requests. In case the data subject exercises his/her right, the entity will validate the grounds of the request against applicable criteria (e.g., processing is consent-based, processing is carried out by automated means). Where a valid ground exists, the entity will transfer the personal data without undue delay.

DPR02 (Controller)
If technically feasible, the entity will transfer the personal data directly to another (controlling) entity as instructed by the data subject.

DPR04 (Controller)
The entity verifies the identity of the requesting data subject before acting on the request.

Related GDPR key elements:


• Rights of the data subject
• Right to data portability

8.5 Accuracy and Completeness of Data
Control objective
Documented procedures for validation, editing and update of personal data ensure accurate and complete
personal data processing.

Information lifecycle phase: Data Access and data quality

Controls Evidence/Testing

ACD01 (Controller)
The entity has procedures in place to:
a. edit and validate personal data as it is collected, created, maintained, and updated;
b. record the date when the personal data is obtained or updated;
c. specify when the personal data is no longer valid;
d. specify when and how the personal data is to be updated and the source for the update (for example, annual reconfirmation of information held and methods for individuals to proactively update personal data);
e. indicate how to verify the accuracy and completeness of personal data obtained directly from an individual, received from a third party, or disclosed to a third party;
f. ensure personal data processed is sufficiently accurate and complete to make decisions.

ACD02 (Controller)
The entity undertakes periodic assessments to check the accuracy of personal data records and to correct them, as necessary, to fulfill the stated purpose.

Related GDPR key elements:


• Security of processing

9 Disclose

9.1 Third Party Disclosure and Registration


Control objective
Personal data is not disclosed to third parties without a lawful basis or for other purposes than the data
subject was informed about.

Information lifecycle phase: Disclose

Controls Evidence/Testing

TPD01 (Controller)
The entity has procedures in place to:
a. prevent the disclosure of personal data to third parties if there is no lawful basis to do so and/or the data subject has not been informed;
b. document the nature and extent of personal data disclosed to third parties;
c. monitor whether disclosure to third parties is in continuous compliance with the entity’s data protection policies and procedures, or is specifically allowed or required by law or regulation;
d. document any third-party disclosures for legal reasons;
e. notify data subjects and obtain their consent prior to disclosing personal data to a third party for purposes not identified in the data protection notice;
f. monitor that personal data is only provided to third parties for purposes specified in the data protection notice.

Related GDPR key elements:


• Security of processing

• Lawfulness of processing

9.2 Third Party Agreements
Control objective
Data protection considerations and requirements are adequately covered when procuring (personal data
related) solutions or services from third parties resulting in appropriate handling or protection of
personal data.

Information lifecycle phase: Disclose

Controls Evidence/Testing
TPA01
a. If the entity procures solutions from third parties/suppliers or outsources processes to service providers, and processing of personal data is (partially) contracted, the entity enters into formal agreements that require from the third party due care and a level of protection of personal data equivalent to that of the entity. In doing so, the entity limits the third party’s use of personal data to purposes established by the entity. (Controller)
b. The entity ensures that subcontracting the processing of personal data to another processor is only done after prior authorisation of the controller. If the controller approves, the entity enters into formal agreements that require from the third party due care and a level of protection of personal data equivalent to that of the entity. (Processor)

TPA02 (Controller/Processor)
The entity ensures that the agreements will also address the following obligations of the third party:
a. confidentiality and non-disclosure;
b. security requirements;
c. cooperation in responding to data subject requests and data subject rights execution;
d. information provision (e.g., in case of planned subcontracting);
e. information provision and cooperation in case of data breaches;
f. retention periods and data deletion;
g. no further subcontracting without permission of the entity;
h. liabilities and indemnifications.

TPA03 (Controller/Processor)
The entity evaluates the performance and compliance of third parties using one or more of the following approaches (in ascending order of assurance and depending on the risk profile of the third party):
a. the third party responds to a questionnaire about its practices;
b. the third party self-certifies that its practices meet the entity’s requirements based on internal audit reports or other procedures;
c. the entity performs a periodic on-site evaluation of the third party;
d. the entity engages in an audit or assurance assessment provided by an independent auditor.

Related GDPR key elements:


• Responsibilities of controller / processor

• Security of processing

9.3 Data Transfers
Control objective:
Personal data is not transferred (i.e., movement, viewing, or printing of data in another location)
internationally to countries that have an inadequate legal data protection regime.

Information lifecycle phase: Disclose

Controls Evidence/Testing

DTR01 (Controller/Processor)
The entity has established any instances where personal data under its responsibility is being transferred to and processed in third countries that possibly insufficiently guarantee the data protection rights of data subjects.

DTR02 (Controller/Processor)
The entity only transfers personal data to third countries for which:
a. an Adequacy Decision from the European Commission has been issued, or
b. a set of appropriate safeguards (e.g., binding corporate rules or adopted standard data protection clauses) has been implemented.

Related GDPR key elements:


• Transfers of personal data to third countries or international organisations

10 Data Security

10.1 Information Security Program


Control objective
Personal data is adequately secured from accidental errors or loss, or from malicious acts such as hacking
or deliberate theft, disclosure or loss.

Information Lifecycle phase: Data security

Controls Evidence/Testing

ISP01 (Controller/Processor)
The entity has taken appropriate technical and organisational measures to ensure security of personal data. Security comprises confidentiality, integrity, and availability of personal data. Also refer to IAM, STR, ENC, LOG.

ISP02 (Controller/Processor)
Security of personal data is explicitly addressed in the entity’s information security policies and the information security management system.

ISP03 (Controller/Processor)
The appropriateness of security measures regarding personal data is established in periodic risk assessments in which all relevant stakeholders take part and in which actual and planned personal data processing is assessed.

ISP04 (Controller/Processor)
The entity has a documented policy on encryption and pseudonymisation of personal data and systematically verifies adherence to the policy (also refer to ENC).

ISP05 (Controller/Processor)
The entity regularly tests, assesses and evaluates the effectiveness of technical and organisational security measures to ensure an adequate level of personal data security and to identify and initiate improvements.

ISP06 (Controller/Processor)
The entity has an active stance towards deploying a code of conduct (from associations or industry bodies) and/or certifications to demonstrate an appropriate level of personal data security.

ISP07 (Controller/Processor)
The entity’s security program prevents access to personal data in computers, media, and paper-based information that are no longer in active use by the organisation (for example, computers, media, and paper-based information in storage, sold, or otherwise disposed of).

Related GDPR key elements:

• Security of processing

10.2 Identity and Access Management
Control objective
Access rights are appropriately assigned, changed and withdrawn, thus decreasing the likelihood of
unauthorised access to, or inappropriate handling of personal data, or data breaches by internal
employees, third parties or hackers.

Information lifecycle phase: Data security

Controls Evidence/Testing

IAM01 (Controller/Processor)
Systems and procedures are in place to:
a. establish the level and nature of access that will be provided to users, based on the sensitivity of the personal data and the user’s legitimate business needs to access the personal data;
b. identify and authenticate users, for example, by user name and password, certificate, external token, or biometrics before access is granted to systems handling personal data;
c. require enhanced security measures for remote access, such as additional or dynamic passwords, callback procedures, digital certificates, secure ID cards, virtual private network (VPN), or properly configured firewalls;
d. implement intrusion detection and monitoring systems.

Related GDPR key elements:

• Security of processing

10.3 Secure Transmission
Control objective
Restricted access to personal data during transmission adequately prevents unauthorised disclosure,
breach, altering or destruction of personal data.

Information lifecycle phase: Data security

Controls Evidence/Testing

STR01 (Controller/Processor)
Systems and procedures are in place to:
a. define minimum levels of security for transmission of personal data;
b. employ industry standard encryption technology for transfer and receipt of personal data;
c. assess and approve external network connections;
d. protect personal data in both hardcopy and electronic forms sent by mail, courier, or other physical means;
e. encrypt personal data collected and transmitted wirelessly;
f. protect wireless networks from unauthorized access.

Related GDPR key elements:


• Security of processing
• Personal data breach
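Worked example (added here; not part of the framework or of Edevolution Solution's material) for STR01a/b: the "minimum level of security for transmission" written down as a check in Python's standard ssl module, with a hardened TLS client context beside the kind of weakened context that turns up in legacy integration code, and an audit function that reports which of the documented minimums the weak one misses. The baseline itself (TLS 1.2 or later, certificate and hostname verification on) is an assumed entity policy, not one stated in this document.

```python
"""TLS client baseline check (added example, not the framework's own code)."""
import ssl

# Assumed entity minimum for transmission of personal data (STR01a).
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Context that meets the baseline: verification on, old protocols off."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking
    ctx.minimum_version = MIN_VERSION
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The settings a reviewer finds in legacy code: verification disabled and
    whatever protocol version the library still supports allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return one finding per documented minimum the context fails to meet."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the server certificate")
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum TLS version {ctx.minimum_version.name} is below {MIN_VERSION.name}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:", audit_context(weak_client_context()))
```

Running the audit over every SSLContext an application builds (for example from a test fixture) turns STR01b from a policy sentence into something that fails a build when someone disables verification to get past a certificate error.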

10.4 Encryption and End-Point Security
Control objective
Encryption assures the prevention of a breach of personal data (accidental loss of personal data, or
malicious acts such as deliberate theft, disclosure or loss).

Information lifecycle phase: Data security

Controls Evidence/Testing

ENC01 (Controller/Processor)
Policies and procedures prohibit the storage of personal data on portable media or devices unless a business need exists and such storage is approved by management.

ENC02 (Controller/Processor)
Policies, systems, and procedures are in place to protect personal data accessed or stored on devices such as:
a. laptop computers, PDAs, smartphones and similar devices;
b. computers and other devices used by employees while, for example, traveling and working at home;
c. USB drives, CDs and DVDs, magnetic tape, or other portable media.
Such information is encrypted, password protected, physically protected, and subject to the entity’s access, retention and destruction policies.

ENC03 (Controller/Processor)
Procedures and systems exist for creation, transfer, storage, and disposal of media containing personal data used for backup and recovery.

ENC04 (Controller/Processor)
Procedures exist to report loss or potential misuse of media containing personal data (also refer to DPIA). Upon termination of employee or third-party contracts, procedures provide for the return or destruction of portable media and devices used to access and store personal data, and of printed and other copies of such information.

Related GDPR key elements:


• Security of processing

• Personal Data Breach

10.5 Logging of Access
Control objective
Access or access attempts to personal data by staff and third parties are logged and investigated to
detect and prevent (attempts) to breach security of personal data.

Information lifecycle phase: Data security

Controls Evidence/Testing

LOG01 (Controller/Processor)
Systems and procedures are in place to:
a. manage logical and physical access to personal data, including hard copy, archive and backup copies;
b. log and monitor access (attempts) to systems with personal data in a logfile with a level of detail and retention time sufficient for the purposes of analysis and investigation;
c. prevent the unauthorised or accidental destruction or loss of personal data;
d. investigate breaches and attempts to gain unauthorized access.

Related GDPR key elements:


• Security of processing
• Personal Data Breach
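LOG01 item b calls for access logs with enough detail to support analysis, and item d for attempts to gain unauthorized access to be investigated. The following Python script is an added illustration of what "sufficient detail" and "monitoring" can look like in practice; it is not part of the framework and not the entity's own tooling. It checks constructed sample records (the JSON field names, system names, user names and IP addresses are assumptions) for the minimum fields an investigation needs, and flags any actor with repeated denied attempts against a personal-data system inside a short window. The threshold of three denials in ten minutes is likewise an assumed starting point, to be tuned to the entity's own risk assessment.

```python
"""Minimum-detail check and repeated-denial review for access logs (illustration of LOG01)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per line. Systems, users, addresses
# and identifiers are hypothetical. The "bob" record deliberately lacks "src"
# to show a record that would not support an investigation.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:01:12Z", "actor": "alice", "system": "hr-db", "action": "read", "record_id": "emp-1042", "outcome": "allow", "src": "10.0.5.21"}
{"ts": "2024-03-04T08:03:40Z", "actor": "contractor7", "system": "hr-db", "action": "read", "record_id": "emp-2001", "outcome": "deny", "src": "10.0.9.77"}
{"ts": "2024-03-04T08:04:02Z", "actor": "contractor7", "system": "hr-db", "action": "read", "record_id": "emp-2002", "outcome": "deny", "src": "10.0.9.77"}
{"ts": "2024-03-04T08:04:30Z", "actor": "contractor7", "system": "hr-db", "action": "read", "record_id": "emp-2003", "outcome": "deny", "src": "10.0.9.77"}
{"ts": "2024-03-04T08:15:00Z", "actor": "bob", "system": "crm", "action": "export", "outcome": "allow"}
{"ts": "2024-03-04T13:20:11Z", "actor": "alice", "system": "hr-db", "action": "read", "record_id": "emp-1043", "outcome": "deny", "src": "10.0.5.21"}
"""

# Fields every record must carry so that who/what/when/where/outcome can be
# reconstructed later (assumed minimum; extend to the entity's own needs).
REQUIRED_FIELDS = ("ts", "actor", "system", "action", "outcome", "src")

# Systems known to hold personal data (assumed inventory).
PERSONAL_DATA_SYSTEMS = {"hr-db", "crm"}


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def missing_detail(records):
    """Return (record index, missing field names) for records that lack required detail."""
    problems = []
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            problems.append((i, missing))
    return problems


def repeated_denials(records, threshold=3, window=timedelta(minutes=10)):
    """Flag (actor, system) pairs with >= threshold denied attempts on a
    personal-data system within `window`. Returns a list of findings."""
    denials = defaultdict(list)
    for rec in records:
        if (rec.get("outcome") == "deny"
                and rec.get("system") in PERSONAL_DATA_SYSTEMS
                and "ts" in rec and "actor" in rec):
            denials[(rec["actor"], rec["system"])].append(parse_ts(rec["ts"]))

    findings = []
    for (actor, system), times in denials.items():
        times.sort()
        # Sliding window: for each start index, count denials within `window`.
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                findings.append({
                    "actor": actor,
                    "system": system,
                    "count": j - i,
                    "first": times[i].isoformat(),
                    "last": times[j - 1].isoformat(),
                })
                break  # one finding per actor/system is enough to open a case
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for idx, fields in missing_detail(recs):
        print(f"record {idx} lacks required fields: {fields}")
    for f in repeated_denials(recs):
        print(f"investigate: {f['actor']} denied {f['count']}x on {f['system']} "
              f"between {f['first']} and {f['last']}")
```

The two checks map to the two halves of the control: `missing_detail` is the evidence that the logfile has the detail the control asks for, and `repeated_denials` is one monitoring rule that turns raw access attempts into a case for investigation. A single denial (alice at 13:20) is not flagged, which keeps the output focused on patterns rather than every mistyped query.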



11 Monitoring and Enforcement

11.1 Review of Data Protection Compliance

Control objective
Adequate oversight of the internal organisation and third parties ensures compliance with applicable data protection laws and regulatory requirements and decreases the risk of data breaches or loss of personal data.

Information lifecycle phase: Monitoring and enforcement

Controls (with Evidence/Testing)

REV01 (Evidence/Testing: Controller/Processor)
Systems and procedures are in place to:
a. annually review compliance with data protection policies and procedures, commitments and applicable laws, regulations, service level agreements, standards adopted by the entity, and other contracts;
b. document periodic reviews, for example, internal audit plans, audit reports, compliance checklists, and management sign-offs;
c. report the results of the compliance review and recommendations for improvement to management, and implement a remediation plan;
d. monitor the resolution of issues and vulnerabilities noted in the compliance review to ensure that appropriate corrective action is taken on a timely basis (including revision of data protection policies and procedures, where necessary).

Related GDPR key elements:
• Lawfulness of processing



11.2 Periodic Monitoring of Data Protection Controls

Control objective
Systematic and periodic assessments of data protection processes and controls assure that they operate as designed, resulting in ongoing compliance with applicable laws and regulatory requirements.

Information lifecycle phase: Monitoring and enforcement

Controls (with Evidence/Testing)

MON01 (Evidence/Testing: Controller/Processor)
Management of the entity reviews the following to ensure operational effectiveness of data protection controls:
a. control outputs, control reports and deviations;
b. trend analysis;
c. training attendance and evaluations;
d. complaints and their resolutions;
e. internal reviews;
f. internal and external audit reports;
g. independent audit/assurance reports covering data protection controls at organisations;
h. other evidence of control effectiveness.

MON02 (Evidence/Testing: Controller/Processor)
The selection of controls to be monitored, reviewed and/or audited, and the frequency and extent with which this is performed, are based on the sensitivity of the personal data involved and the risks of possible exposure or loss.

MON03 (Evidence/Testing: Controller/Processor)
The entity deploys a process that ensures that monitoring leads to remediation of shortcomings and continuous improvement.

Related GDPR key elements:
• Lawfulness of processing
