PT-3(1)—Data Tagging
>Control Description
Attach data tags containing the following purposes to ⚙organization-defined elements of personally identifiable information: ⚙organization-defined processing purposes.
>Cross-Framework Mappings
>Supplemental Guidance
Data tags support the tracking of processing purposes by conveying the purposes along with the relevant elements of personally identifiable information throughout the system. By conveying the processing purposes in a data tag along with the personally identifiable information as the information transits a system, a system owner or operator can identify whether a change in processing would be compatible with the identified and documented purposes. Data tags may also support the use of automated tools.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern data tagging in organizational systems?
- •Who is responsible for implementing and overseeing data tagging controls?
- •How does the organization ensure data tagging complies with privacy laws and regulations?
- •What process exists for documenting and maintaining data tagging?
- •What governance exists for monitoring and enforcing data tagging requirements?
Technical Implementation:
- •What systems or tools technically implement data tagging?
- •How are data tagging requirements enforced in PII processing systems?
- •What privacy-enhancing technologies support data tagging?
- •How is data tagging integrated with data governance and privacy tools?
- •What technical controls prevent violations of data tagging requirements?
Evidence & Documentation:
- •Provide documented policies and procedures for data tagging.
- •Provide evidence of data tagging implementation in PII systems.
- •Provide documentation demonstrating compliance with data tagging requirements.
- •Provide records of data tagging reviews and updates.
- •Provide privacy impact assessments or other documentation addressing data tagging.
Ask AI
Configure your API key to use AI features.