Ownership
The assurance that data subjects own their personal data and have the right to choose how their data is used.
Explanation
Data processors ensure that data subjects own their personal data, can choose what data is shared, with whom, and for what reason, and retain the right to remove data or change the parameters.
Best Practice
- Access to see what a company is storing; ability to review shared data at any point to see who it is being shared with and the purposes for storing and sharing it
- Provide a self-service tool for data subjects to check who stores their data and what is stored; at the very least, offer this by email
- Control and oversight over stored data
- Ability to erase data upon request
- Single point of truth (one location for storing all data if possible)
- Obtaining consent from the data subject before sharing any data (partnerships)
- Ability to manage data within data processors and their partners
- Ability to withdraw consent at any time (if applicable)
- Clarity about managing data with data processors or partners
- Verification that partners' policies, procedures and processes align with the data processor's standard
How We Measure
- Data processors must have proper policies, procedures and processes for data storage and data access for data subjects, and for relationships with partners, covering:
  - Obtaining and storing consent, including before sharing data with third parties
  - Clear RACI for data
  - If the data processor collects MIs, have a regular audit
  - A clear purpose for storing data
  - Data sharing rules
  - Rules for communicating with the data subject
  - Data security and process for deletion of data