Governance and accountability
1. Data Control Compliance must be monitored for all data assets containing sensitive data through metrics and automated notifications.
2. The Ownership field in a data catalog must be populated for all sensitive data or otherwise reported to a defined workflow.
3. A register of Authoritative Data Sources and Provisioning Points must be populated for all data assets containing sensitive data.
4. The Data Sovereignty and Cross-Border Movement of sensitive data must be recorded, auditable, and controlled according to defined policy.
Cataloging and classification
5. Cataloging must be automated for all data at the point of creation or ingestion, with consistency across all environments.
6. Classification must be automated for all data at the point of creation or ingestion and must always be on.
Accessibility and usage
7. Entitlements and Access for Sensitive Data must default to the creator and owner and access must be tracked for all sensitive data.
8. Data Consumption Purpose must be provided for all Data Sharing Agreements involving sensitive data.
Protection and privacy
9. Appropriate Security Controls must be enabled for sensitive data and evidence must be recorded.
10. Data Privacy Impact Assessments must be automatically triggered for all personal data according to its jurisdiction.
Data lifecycle
11. Data Quality Measurement must be enabled for sensitive data with metrics distributed when available.
12. Data Retention, Archiving, and Purging must be managed according to a defined retention schedule.
Data and technical architecture
13. Data Lineage information must be available for all sensitive data.
14. Cost Metrics directly associated with data use, storage, and movement must be available in the catalog.
