Business Procedures Manual

Fiscal Affairs Division

Current Date: Nov 13, 2024

« Return to Normal View  |  Print This Page


Section 12.0: Data Governance and Management

Section 12 Introduction

Last modified: June 18, 2021

In March 2019, the content on Data Governance and Management has been moved from the 中出少妇视频 Information Technology Handbook to the Business Procedures Manual. Compliance with this entire section is required for all 中出少妇视频 organizations by December 31, 2023.

Due to the criticality of some sections and dependencies between them, compliance deadlines for the sections have been tiered. 中出少妇视频 System Office (USO) staff will be working with the appointed campus representative to track implementation.

Phase I - Initial Publication

Tier 1: Due by December 31, 2020, except General Data Protection Regulation, which is now part of Phase II, Tier 2.

  • Section 12.3.1 Data System Documentation,
  • Section 12.4 Cybersecurity (including Safeguards, Classification, Access Procedures and Segregation and Separation of Duties)
  • Section 12.5.1 Regulatory Compliance.

Tier 2: Due by December 31, 2020

  • Section 12.2 Governance Structure
  • Section 12.3.4 Data Availability
  • Section 12.5.2 Training

Tier 3: Due by June 30, 2021, except adherence to the 中出少妇视频 document retention schedule, which should already be in place

  • Section 12.3.2 Data Elements and Data Definition Documentation
  • Section 12.3.3 Data Quality Control
  • Section 12.3.5 Data Life Cycle
  • Section 12.5.4 Monitor
  • Section 12.5.4 Audit

Phase II - Addition of Section 12.6 Data Privacy

Tier 1: Due by December 31, 2022

  • Section 12.6.4 Disassociation and De-identification
  • Section 12.6.5 Data Processing Awareness
  • Section 12.6.6 Communication

Tier 2: Due by December 31, 2023

  • Section 12.6.1 Data Inventory
  • Section 12.6.2 Data Risk Management
  • Section 12.6.3 Data Processing Documentation

Information is a strategic asset of all 中出少妇视频 System of Georgia (中出少妇视频) organizations and is critical to administration, planning and decision-making. Effective and responsible use of information requires that data is secure, well documented and accessible for use by authorized, trained personnel. To that end, this section of the Business Procedures Manual provides the data governance infrastructure and management practices that 中出少妇视频 organizations must have in place. Please note that these different components have interdependencies and should be considered as a whole.

Data Governance and Management Framework image Governance, Management, Cybersecurity, Compliance

The goal of this section is to provide guidance to 中出少妇视频 organizations in meeting the fundamental requirements for data governance and management to ensure data security, data privacy, effective use and compliance with relevant laws and policies. Technical requirements can be found in the 中出少妇视频 IT Handbook. 中出少妇视频 organizations may include additional roles, responsibilities, policies, and protocols as needed to fit local context or promote best practices. These provisions apply to information systems, products, and services maintained by, or on behalf of, 中出少妇视频 organizations.

12.1 Definitions

Last modified: August 26, 2021

This section provides definitions needed to interpret the remainder of Section 12 content.

Attribute Reference is a statement asserting a property of an individual without necessarily containing identity information. For example, the attribute 中出少妇视频渂irthday,中出少妇视频 a reference could be 中出少妇视频渙lder than 18中出少妇视频 or 中出少妇视频渂orn in December.中出少妇视频

Attribute Value is a statement asserting a property of an individual. For Example, the attribute 中出少妇视频渂irthday,中出少妇视频 a value could be 中出少妇视频12/01/1980中出少妇视频 or 中出少妇视频淒ecember 1, 1980.中出少妇视频

Incident is a violation or imminent threat of violation of computer security or data privacy policies, acceptable use policies, or standard computer or privacy security practices.

Data Actions are system, product, or service data life cycle operations, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal.

Data Domains are high-level categories of Institutional Data for the purpose of assigning accountability and responsibility for the data.

Data Processing (“Processing”) refers to the collective set of data actions.

Data Processing Ecosystem is the relationship and dependency shared between groups of people involved in creating or deploying systems, products or services or any components that process data.

Data Subject is any person whose personal data is being collected, processed, or stored.

De-identification is the process used to prevent an individual中出少妇视频檚 (Data Subject) personal identity from being revealed. For example, data produced during human subject research might be de-identified to preserve privacy for research participants.

Disassociability is enabling the processing of data or events without association to individuals or devices beyond the operational requirements of the system.

Events, within the context of cybersecurity and data privacy, are questionable or suspicious activities that could threaten the security objectives concerning protected systems or data.

Information Systems (“Systems”) are the technology structure and software that carry out data processing.

Linkability is a possibility of logical association with other information about the individual.

Mission-Critical Systems are systems whose failure or malfunction will result in not achieving organizational goals and objectives. Criteria are a) contains confidential or sensitive data (i.e., personally identifiable information (PII) and other regulated information), or b) serves a critical and necessary function for daily operations, or c) a combination of both protected data and critical function.

Organizations are all 中出少妇视频 institutions and the 中出少妇视频 System Office (USO), which includes the Shared Services Center (SSC), the Georgia Public Library Service (GPLS), the Georgia Archives and the Georgia Film Academy.

Organizational Data (“Data”) are data by, or on behalf of, a 中出少妇视频 organization. Organizational Data are information that record facts, statistics or information, which is processed by offices of the organization. Data may be stored electronically or physically. Organizational data may reside in an organizational information system or a third-party system.

Principle of Least Privilege describes privileges to information resources permitting access to only what is necessary for the users to successfully perform their job requirements and assigned tasks.

12.2 Governance Structure

Last modified: August 26, 2021

This section describes the roles and responsibilities that 中出少妇视频 organizations must designate and document within their data governance structure.

A data governance structure is required at each 中出少妇视频 organization. The data governance structure will demonstrate accountabilities for the data assets of the organization to ensure proper processing.

The data governance structure documentation should identify the offices/positions (including incumbent) responsible for fulfilling the roles defined herein.

12.2.1 Governance and Organizational Structure

Last modified: August 26, 2021

Data Governance Committee

The Data Governance Committee is responsible for defining, implementing, and managing policies and procedures for data governance and data management functions. Specific responsibilities include, but are not necessarily limited to the following:

  • Defining data management roles and responsibilities contained in this section and other policy and procedure documentation;
  • Maintaining documentation pertaining to data governance and management policy and procedure in a centralized and accessible location for the participant organization’s staff;
  • Identifying the Data Governance and Management Committee structure and membership;
  • Ensuring that cybersecurity and data privacy control processes detailed in the Cybersecurity section are developed and operational;
  • Defining communications to instill data privacy values (set forth in section 12.6) within system, product or service development and operations (i.e., privacy by design); and,
  • Assisting the chairs of the functional and technical committees to ensure effectiveness.

Functional Data Governance Committees

Functional Data Governance Committees are responsible for collective decision making around substantive changes to organization data collection, maintenance, access, and use within their functional area. It is the role of the Functional Data Governance Committee to identify what the threshold is for decisions to require Committee consideration. At some organizations, e.g., smaller institutions, the global Data Governance Committee may also fulfill the roles of the Functional Data Governance Committee.

Technical Data Governance Committees

Technical Data Governance Committees are responsible for technical guidance to support the work of the other Data Governance Committees and for decision making about the feasibility of and methods for carrying out decisions of the Functional Data Governance Committees. At some organizations, e.g., smaller institutions, the technical data governance roles must still be fulfilled but organizationally may be embedded in other Data Governance Committees.

Data Owner

Each 中出少妇视频 organization is responsible for all data processed by offices of the organization. As the chief executive officer, the president of the 中出少妇视频 institution, the Chancellor of the 中出少妇视频, or the head of other 中出少妇视频 organizations is identified as the data owner. The 中出少妇视频 organization data owner has ultimate responsibility for submission of organizational data to the USO.

Data owners have the responsibility for the identification, appointment and accountability of data trustees. Data owners will inform the 中出少妇视频 organization中出少妇视频檚 Data Governance Committee of their data trustee appointments including office, name and contact information of the incumbent.

Data Trustees

Data trustees, designated by the data owner, are executives of the 中出少妇视频 organizations who have overall responsibility for the data processed in their data area(s). 中出少妇视频 organization data trustees have overall responsibility for accuracy and timeliness of submission of data to the USO. These positions/offices would normally be cabinet-level positions reporting directly to the entity data owner.

Responsibilities of the data trustees include, but are not necessarily limited to:

  • Ensuring that data accessed and used by units reporting to them is done so in ways consistent with the mission of the office and 中出少妇视频 organization;
  • Appointing data stewards within each functional area for which they are responsible. The data trustees will inform the 中出少妇视频 organization中出少妇视频檚 Data Governance Committee of their data stewards中出少妇视频 appointments, including office, name and contact information of the incumbent;
  • Participating as a member of the Data Governance Committee; and,
  • Communicating unresolved concerns about data (such as data quality, cybersecurity, data privacy, access, etc.) to the data owner.

Data Stewards

Data stewards, designated by the data trustees, are personnel responsible for the data processed, and the technology used to do so if applicable, in their data area(s). Data stewards recommend policies to the data trustees and establish procedures and guidelines concerning the access to, completeness, accuracy, privacy, and integrity of the data for which they are responsible. Individually, data stewards act as advisors to the data trustees and have management responsibilities for data administration issues in their functional areas. Data stewards have responsibility for accuracy and timeliness of submission of data to the 中出少妇视频 system office in their area. Depending on the size and complexity of a functional department/division, it may be necessary, and beneficial, for a designated data steward to identify associate data stewards to manage and implement the stewardship process.

Responsibilities of the data stewards include, but are not necessarily limited to:

  • Developing standard definitions for data elements created and/or used within the functional unit. The data definition will extend to include metadata definitions as well as the root data element definition;
  • Ensuring data quality standards are in place and met;
  • Inventorying and identifying the data as unrestricted, sensitive or confidential, for functional data within their area(s) of supervision/direction and communicate it to those responsible for ensuring data is handled according to its appropriate classification; (See 12.4.2 Classification)
  • Establishing authorization procedures with the 中出少妇视频 organization中出少妇视频檚 Data Governance Committee and/or chief information officer (CIO) to facilitate appropriate data access as defined by institutional/office data policy and ensuring security for that data. Authorization documentation must be maintained;
  • Working with the 中出少妇视频 organization中出少妇视频檚 Data Governance Committee, identifying and resolving issues related to stewardship of data elements, when used individually or collectively, that cross multiple units or divisions. For example, the individual data element 中出少妇视频淪ocial Security Number中出少妇视频 may have more than one data steward since it is collected or used in multiple systems.
  • Participating as a member of the Functional Data Governance Committee(s) as appointed by the data trustee.
  • Communicating concerns about data (such as data quality, security, access, etc.) to the data trustees.

Chief Information Officer (CIO)/Chief Information Security Officer (CISO)

Responsibilities of the CIO and CISO are to ensure that technical infrastructure is in place to support the data needs and assets, including availability, delivery, access, and security across their operational scope.


12.3 Data Management

Last modified: March 21, 2019

This section contains data management requirements for data system documentation, data elements and data definition documentation, data quality and data availability.

12.3.1 Data System Documentation

Last modified: June 9, 2021

This subsection defines documentation about 中出少妇视频 organization data systems. Documentation is required to ensure proper accounting of the organization中出少妇视频檚 data systems, the relationships among them, the architecture of the individual systems, and the data within them. This documentation also fosters proper use.

中出少妇视频 organizations must maintain a listing of mission-critical data systems along with information essential to the effective loading, maintenance, use of, as well as reporting from those systems. This should include at a minimum:

  • Function and purpose of the system;
  • Who the data trustee and steward responsible for the system are;
  • Who administers the system from a technical perspective;
  • Any methods being applied to sustain data quality;
  • Any important relationships and/or dependencies in business practice and reporting between systems;
  • Any special life cycle requirements;
  • User and technical guidelines for proper use and reporting;
  • Process flow diagram(s); and,
  • Contingency documentation.

12.3.2 Data Elements and Data Definition Documentation

Last modified: August 26, 2021

For all data systems, there must be a mechanism to access documentation of the system中出少妇视频檚 table structure and data elements. In addition, for systems that are part of routine data collection and reporting, data element dictionaries should be maintained that include:

  • Data definitions;
  • Metadata including data sources and cybersecurity classifications;
  • Business practices where applicable;
  • Any validations or quality checks applied against the elements;
  • Change history; and,
  • Valid values.

12.3.3 Data Quality Control

Last modified: March 21, 2019

中出少妇视频 organizations must ensure that information is of the highest possible quality to facilitate effective decision-making. Data quality refers to the accuracy, timeliness, comparability, usability, completeness and relevance of data. Data quality requires 中出少妇视频 organizations to appropriately collect, store, process and manage data, whether electronic or physical. As part of data governance, 中出少妇视频 organizations must communicate, prioritize and practice data quality. Just as institutions maximize their financial resources and facility assets, 中出少妇视频 organizations should invest in the quality of their data holdings.

For all data essential to operation and reporting, each 中出少妇视频 organization should:

  • Document and promulgate data standards and definitions to ensure accurate data entry or data creation;
  • Assess collected data to ensure accuracy, completeness, and adherence to standards at a minimum on an annual basis; and,
  • Regularly consult data users or stakeholders to ensure data usability and relevance.

12.3.4 Data Availability

Last modified: June 9, 2021

This subsection details minimum requirements for 中出少妇视频 organizations concerning the availability of data resources. Assets of the 中出少妇视频 should be available commensurate with their operational importance. For all data domains and their respective data systems, the organization should document and socialize to data users the expectations and processes around the availability of each data resource including, but not limited to:

  • The periods of time data is available;
  • Expectations for 中出少妇视频渦ptime中出少妇视频 (percent of time data is available) if appropriate;
  • Modes of access (types of devices, etc.) that are provided for;
  • Communications plan, including planned and unplanned system downtime; and,
  • Method for users to report an unexpected lack of availability of data or data systems.

12.3.5 Data Lifecycle

Last modified: June 9, 2021

Organizations should ensure their data retention and destruction efforts comply with the 中出少妇视频 Records Retention Schedules referenced at .

Where organizations decide to maintain data longer than indicated in the 中出少妇视频 Records Retention Schedules, documented considerations must include justification for maintaining the data longer than required, compliance with other policies and regulations, and associated risks and costs.


12.4 Cybersecurity

Last modified: June 9, 2021

Cybersecurity refers to preventative methods used to protect information and information systems, products and services from unauthorized access, compromise or attack. Cybersecurity requires an understanding of potential threats and utilizes strategies that include, for example, identity management, risk management and incident management.

12.4.1 Safeguards

Last modified: June 9, 2021

Shared information is a powerful tool and loss or misuse can be costly, if not illegal. The purpose of this section is to ensure that cybersecurity safeguards are established, in place, effective and adhered to in order to reduce risk. This applies to all users of 中出少妇视频 information resources.

Safeguards include the policies, procedures, requirements, and practices that are necessary for maintaining a secure environment for the storage and dissemination of information. The objective of 中出少妇视频 organizations is to protect information from inadvertent or intentional damage as well as unauthorized disclosures or use. The benefits of safeguards include identification of fraud, security vulnerabilities, unforeseen threats and minimization of potential impacts. Other benefits include audit compliance, service level monitoring, performance measuring, limiting liability and capacity planning. The 中出少妇视频 recognizes that cybersecurity:

  • Is everyone中出少妇视频檚 responsibility;
  • Is a cornerstone of maintaining public trust;
  • Should be risk-based and cost-efficient;
  • Should align with 中出少妇视频 priorities, industry best practices and government requirements; and,
  • Should be applied holistically, regardless of medium.

中出少妇视频 organizations must designate trained cybersecurity representatives whose role includes:

  • Communicating cybersecurity policies to all employees and contractors; and,
  • Reporting deviations from policies and procedures.

中出少妇视频 organizations must:

  • Develop procedures and processes that support compliance with Board of Regents (BOR) and 中出少妇视频 policies and procedures. Organizational procedures and processes may be more specific than BOR and 中出少妇视频 policies and procedures but shall in no case be less than the minimum requirements; and,
  • Develop strategic and operational control guidance of hardware, software and telecommunications facilities; and,
  • Re-evaluate cybersecurity and data privacy risk on an ongoing basis and as key factors, including the organization中出少妇视频檚 business environment, governance, data processing and systems/products/services change.

中出少妇视频 organizations must develop reporting processes to support investigation of and response to suspicious activities and follow 中出少妇视频 guidelines for reporting or investigating acts of suspected malfeasance that involve organizational data as noted in the BOR 中出少妇视频 System of Georgia Ethics Policy.


12.4.2 Classification

Last modified: August 26, 2021

Because 中出少妇视频 data must be given appropriate protection from unauthorized use, access, disclosure, modification, loss or deletion, each 中出少妇视频 organization must classify each record. When classifying a collection of data, the most restrictive classification of any of the individual elements should be used based on the following classification structure or similar schema required by regulations governing specific data domains:

  • Unrestricted/Public Information is information maintained by a 中出少妇视频 organization that is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws. Some level of control is required to prevent unauthorized modification or destruction of public information.
  • Sensitive Information is information maintained by a 中出少妇视频 organization that requires special precautions to protect from unauthorized use, access and disclosure guarding against improper information modification, loss or destruction. Sensitive information is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws but is not necessarily intended for public consumption.
  • Confidential Information is information maintained by a 中出少妇视频 organization that is subject to authorized restrictions on information access and disclosure, including, without limitation, the protection of personal privacy and proprietary information. (44 USC Sec 3542) Confidential classified documents are exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws.

Note: The Open Records Act is located at .

In addition, Personal Information may occur in unrestricted/public, sensitive, and/or confidential information. It is information that identifies or describes an individual and must be considered in the classification structure. Please refer to the IT Handbook for further information and guidance. Information classification must be part of the information technology risk management program, as detailed in the IT Handbook.


12.4.3 Access Procedures

Last modified: August 26, 2021

This section promotes secure and appropriate access to 中出少妇视频 information systems, and to the data used, processed, stored, maintained and/or transmitted in and through those systems. It is essential that access to and use of the 中出少妇视频中出少妇视频檚 information systems and data are properly secured and protected against cybersecurity and data privacy threats and dangers.

All users are required to adhere to the following rules in order to process data acquired from 中出少妇视频 information systems. These rules also apply to any contractors or non-中出少妇视频 persons who acquire access to 中出少妇视频 systems in any format, and on any device.

Procedures:

  • 中出少妇视频 organizations shall identify and categorize information systems that process or store confidential or sensitive information, or are critical systems. The suggested responsible party is the data trustee or designee.

  • 中出少妇视频 organizations will identify the data trustee and data steward for each critical system or systems containing confidential or sensitive information. A list of these systems and the associated trustee and steward shall be made available upon request.

  • 中出少妇视频 organizations will maintain a current list of users granted access to information systems. Only authorized users should be allowed physical, electronic or other access to information systems.

  • 中出少妇视频 organizations will define both administrative and technical access controls. The suggested responsible parties are Human Resources (HR), the data trustee and data steward.

  • Access controls must include, but are not limited to:

    • Documented procedures to grant, review, deactivate, update or terminate account access;
    • Ensure appropriate resources are available and maintained to adequately authenticate and verify authorized access; and,
    • Ensure appropriate resources are available and maintained to prevent and detect unauthorized use.
  • Data trustees, data stewards and users share the responsibility of preventing unauthorized access to 中出少妇视频 organizations中出少妇视频 information systems.

  • Data stewards will analyze user roles and determine the level of access required to perform a job function. The level of authorized access must be based on Principle of Least Privilege.

  • HR and/or the supervisor will notify the data steward of personnel status changes in job function, status, transfers, referral privileges or affiliation.

  • Access to an information system must be reviewed regularly. Data stewards must review user access to the information system every six months and document findings.

Data trustee or designee will ensure that a business process exists to update information system access no more than five business days after terminations and no more than 30 days after other personnel status changes.


12.4.4 Segregation and Separation of Duties

Last modified: March 22, 2019

In addition to having a well-organized and defined data governance structure, 中出少妇视频 organizations must ensure that its organizational structure, job duties, and business processes include an adequate system of separation of duties (SOD) taking into account a cost-benefit and risk analysis. SOD is fundamental to reducing the risk of loss of confidentiality, integrity and availability of information. To accomplish SOD, duties are divided among different individuals to reduce the risk of error or inappropriate action. For example, the employee or office responsible for safeguarding an asset should be someone other than the employee or office that maintains accounting records for that asset. In general, responsibility for related transactions should be divided among employees so that one employee中出少妇视频檚 work serves as a check on the work of other employees. When duties are separated, there must be collusion between employees for assets/data to be used inappropriately without detection.

While electronic processes enhance accuracy and efficiency, they also can blur SOD. 中出少妇视频 organizations must evaluate and establish well-documented controls to deter an individual or an office from having the authority (or the ability) to perform conflicting functions both outside and within technology information systems.


12.5 Compliance

Last modified: June 4, 2021

Meeting the provisions of Section 12 on Data Governance and Management requires active measures by 中出少妇视频 organizations to ensure ongoing compliance. These include ensuring compliance with external regulations in addition to the provisions in this section through regular training, monitoring and auditing.

12.5.1 Regulatory Compliance

Last modified: September 23, 2021

Closely managing data content is necessary to ensure compliance with federal, state and local regulations as well as grants and contract specifications. Each 中出少妇视频 organization is responsible for clearly understanding and managing data and data privacy to ensure sensitive and confidential data is appropriately classified and safeguarded. Each 中出少妇视频 organization must have policies and procedures to ensure that appropriate organizational personnel has a working knowledge of:

  • Georgia中出少妇视频檚 Open Records Act OCGA 搂 50-18-70
  • Family Education Rights and Privacy Act (FERPA)
  • U.S. Department of Health and Human Services Health Information Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • General Data Protection Regulation (GDPR)
  • Specific research data requirements
  • Other applicable regulations

12.5.2 Training

Last modified: June 9, 2021

The purpose of this section is to ensure that appropriate individuals at each 中出少妇视频 organization receive training on the data governance policies, procedures, and roles developed in compliance with preceding requirements in this Data Governance and Management section.

Organizations must:

  • Provide role specific training to all individuals within the data governance structure, including data users and all those subject to data governance policies;
  • Ensure individuals understand their roles and the larger governance structure, responsibilities, and applicable policies and procedures;
  • Provide training to individuals as they enter these roles, when there are substantive changes to training and at regular intervals over time to ensure up-to-date understanding;
  • Update training materials as changes to policy and procedure require;
  • Document participation in training and audit training participation at regular intervals;
  • Provide training materials in a permanent form (such as on a website) for individuals to reference as needed;
  • Specifically address in training materials for all individuals how data classified as public or protected is managed throughout its lifecycle; and,
  • Provide clear information about how an individual should proceed if he or she believes data policies or standards (including those regarding data management, cybersecurity and privacy) are not followed, or there has been a breach of data security.

12.5.3 Monitor

Last modified: June 9, 2021

Each 中出少妇视频 organization中出少妇视频檚 Data Governance Committee is responsible for assigning roles and responsibilities for data governance and management per Section 12.2.1. In addition to ensuring cybersecurity and data privacy compliance, organizations must assign roles and responsibilities for active monitoring and communicating the results of these efforts.


12.5.4 Audit

Last modified: March 22, 2019

Compliance with this Data Governance and Management section of the BPM can be a subject of institution, system or state audit. Institutions must maintain records not only of documentation explicitly referenced in this section but also general evidence that the organization is in compliance with its data governance and management policies and procedures.


12.6 Data Privacy

Last modified: June 4, 2021

The 中出少妇视频 is committed to protecting privacy. Personal information will only be disclosed to third parties when allowed by law or with the consent of the data subject.

中出少妇视频 provides additional data privacy compliance guidance at /policies/dataprivacy.

12.6.1 Data Inventory

Last modified: August 26, 2021

Compliance due by December 31, 2023
See supporting RoPA Process Guide at /policies/dataprivacy.

Processing of organizational data by systems, products or services must be understood and used to inform management of privacy risk. Inventorying data is a foundational step in identifying the assets that are to be protected. Organizations must:

  • Inventory systems, products or services managing individuals’ (data subjects) data;
  • Inventory the data actions of the systems, products or services managing data; and,
  • Inventory the purposes for the data actions managing data.

12.6.2 Data Risk Management

Last modified: August 26, 2021

Compliance due by December 31, 2023
See supporting RoPA Process Guide at /policies/dataprivacy.

Establishing priorities, constraints, risk tolerance, and assumptions are the next steps to support risk decisions associated with managing privacy risk and third parties. Organizations shall confirm:

  • All parties in the data processing ecosystem are identified, assessed and prioritized to support operational risk decisions; and,
  • Contracts or multi-party approaches are used to achieve data privacy objectives and manage data privacy risks.

12.6.3 Data Processing Documentation

Last modified: August 26, 2021

Compliance due by December 31, 2023
See supporting RoPA Process Guide at /policies/dataprivacy.

For data systems determined in the inventory to contain personal information (Section 12.6.1), it is essential that written documentation is used to manage data processing to protect individuals (data subjects) and reduce organizational risk. Organizations must document both their policies, processes and procedures regarding, and execution of:

  • Authorizing data processing, revoking authorizations and maintaining authorizations; and,
  • Enabling individuals中出少妇视频 data processing preferences and requests that are required by law/policy.

12.6.4 Disassociation and De-identification

Last modified: June 4, 2021

Compliance due by December 31, 2022
See supporting DSR Process Guide at /policies/dataprivacy.

As an objective of data privacy, data processing solutions shall increase disassociability to protect individuals中出少妇视频 (data subject中出少妇视频檚) privacy and enable implementation of privacy principles (e.g., data minimization). Organizations must process privacy protected data to limit to the extent possible:

  • Observability and linkability (e.g., encryption);
  • Identification of individuals;
  • Formulation of inferences about individuals中出少妇视频 behavior or activities;
  • Collection or disclosure of data elements; and,
  • Attribute values, substitute with attribute references.

12.6.5 Data Processing Awareness

Last modified: August 26, 2021

Compliance due by December 31, 2022
See supporting DSR Process Guide at /policies/dataprivacy.

Awareness of data processing practices and associated privacy risks must be shared with individual (data subject) and organizational stakeholders. To support awareness, organizations must:

  • Implement mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks and options for enabling individual中出少妇视频檚 (data subject中出少妇视频檚) preferences and requests where allowable by law;
  • Maintain records of unintended data disclosures to be accessed for investigative review;
  • Develop and implement policies and processes for receiving, tracking and responding to complaints, concerns and questions from individuals about organizational privacy practices;
  • Communicate requested data corrections or deletions to individuals (data subjects) or organizations making such requests;
  • Notify impacted individuals (data subjects) and/or organizations as required by law concerning a privacy breach or event; and,
  • Provide individuals (data subjects) with mitigation mechanisms as required by law to address impacts of a privacy breach or event.

12.6.6 Communication

Last modified: June 4, 2021

Compliance due by December 31, 2022
See supporting DSR Process Guide at /policies/dataprivacy.

Beyond awareness, communication must be employed to increase transparency of the organization中出少妇视频檚 data processing practices and associated privacy risks. Organizations shall promote communications through written policies, processes and procedures that include:

  • Establishing roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices and associated privacy risks to external stakeholders; and,
  • Communicating data processing purposes, practices and associated privacy values, policies and risks.

© 2024 Board of Regents of the 中出少妇视频 System of Georgia
270 Washington Street, S.W.,
Atlanta, Georgia  30334
U.S.A.

↑ Top