Authority Document - Unified Compliance

Back

North America > Minnesota State Legislature

Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act

AD ID

0003951

AD STATUS

Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act

ORIGINATOR

Minnesota State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

Free

SYNONYMS

Minnesota Consumer Data Privacy Act

Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-08-09T00:00:00-0700.

URL

Click here

AD ID

0003951

AD STATUS

Free

ORIGINATOR

Minnesota State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

SYNONYMS

Minnesota Consumer Data Privacy Act

Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-08-09T00:00:00-0700.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 143 Mandated Controls - bold
87 Implied Controls - italic 1264 Implementation

Number of Controls

1494 Total

Acquisition or sale of facilities, technology, and services

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Acquisition or sale of facilities, technology, and services CC ID 01123	IT Impact Zone	IT Impact Zone
Plan for selling facilities, technology, or services. CC ID 06893	Acquisition/Sale of Assets or Services	Preventive
Refrain from providing products and services, as necessary. CC ID 15580 [{not require} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: require a controller to provide a good or service that requires the consumer's personal data that the controller does not collect or maintain; or Section 8 Subdivision 3(b) (1)]	Acquisition/Sale of Assets or Services	Preventive

Audits and risk management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a Statement of Compliance. CC ID 12499	Establish/Maintain Documentation	Preventive
Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: Section 10(a) (2)]	Establish/Maintain Documentation	Preventive
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818	Actionable Reports or Measurements	Preventive
Include the outcomes of privacy rights violation complaints received in the Statement of Compliance. CC ID 12534	Establish/Maintain Documentation	Preventive
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175	Establish/Maintain Documentation	Preventive
Include dispute resolution quality measures in the Statement of Compliance. CC ID 12533	Establish/Maintain Documentation	Preventive
Include the type of privacy rights violation complaints received in the Statement of Compliance. CC ID 12532	Establish/Maintain Documentation	Preventive
Include the number of privacy rights violation complaints received in the Statement of Compliance. CC ID 12530	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a risk management program. CC ID 12051	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of sensitive data; Section 10(b) (3) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: any processing activities involving personal data that present a heightened risk of harm to consumers; and Section 10(b) (4) {data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c) {data protection assessment} A data privacy and protection assessment must include the description of policies and procedures required by paragraph (a). Section 10(e) {be similar} A single data protection assessment may address multiple sets of comparable processing operations that include similar activities. Section 10(h) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: Section 10(b) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of targeted advertising; Section 10(b) (1) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the sale of personal data; Section 10(b) (2)]	Process or Activity	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Establish/Maintain Documentation	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Establish/Maintain Documentation	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Establish/Maintain Documentation	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Establish/Maintain Documentation	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c) {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} {data protection assessment} As part of a civil investigative demand, the attorney general may request, in writing, that a controller disclose any data privacy and protection assessment that is relevant to an investigation conducted by the attorney general. The controller must make a data privacy and protection assessment available to the attorney general upon a request made under this paragraph. The attorney general may evaluate the data privacy and protection assessments for compliance with this chapter. Data privacy and protection assessments are classified as nonpublic data, as defined by section 13.02, subdivision 9. The disclosure of a data privacy and protection assessment pursuant to a request from the attorney general under this paragraph does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment. Section 10(f)]	Communicate	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Establish/Maintain Documentation	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Establish/Maintain Documentation	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c) {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Establish/Maintain Documentation	Preventive

Human Resources management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Human Resources management CC ID 00763	IT Impact Zone	IT Impact Zone
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources Management	Preventive
Identify and define all critical roles. CC ID 00777	Establish Roles	Preventive
Define and assign the data processor's roles and responsibilities. CC ID 12607 [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a) {technical measures} taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 325O.05; and Section 5(b) (1) {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]	Human Resources Management	Preventive
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]	Human Resources Management	Preventive
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Communicate	Preventive
Define and assign the data controller's roles and responsibilities. CC ID 00471 [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a) {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]	Establish Roles	Preventive
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources Management	Preventive
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources Management	Preventive
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources Management	Preventive
Assign the role of data controller to applicable controls. CC ID 00354	Establish Roles	Preventive
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources Management	Preventive
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Establish Roles	Preventive
Establish, implement, and maintain a legal support program. CC ID 13710 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: investigate, establish, exercise, prepare for, or defend legal claims; Section 11(a) (4) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Establish/Maintain Documentation	Preventive
Provide security inspectors access to personnel files during site reviews. CC ID 12300	Audits and Risk Management	Detective
Establish, implement, and maintain an ethics program. CC ID 11496 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Human Resources Management	Preventive
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858	Communicate	Preventive
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908	Behavior	Preventive
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900	Investigate	Preventive
Establish, implement, and maintain an ethical culture. CC ID 12781	Behavior	Preventive
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873	Monitor and Evaluate Occurrences	Preventive
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872	Monitor and Evaluate Occurrences	Preventive
Refrain from practicing false advertising. CC ID 14253	Business Processes	Preventive
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806	Business Processes	Preventive
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859	Communicate	Preventive
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835	Establish/Maintain Documentation	Preventive
Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608	Behavior	Preventive
Refrain from discriminating against employees who are whistleblowers. CC ID 13609	Behavior	Preventive
Respond to ethics complaints of ethics violations. CC ID 11497	Business Processes	Corrective
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607	Behavior	Preventive
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Human Resources Management	Preventive
Include prohibiting counterfeiting in the ethics program. CC ID 11517	Human Resources Management	Preventive
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055	Human Resources Management	Preventive
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061	Establish Roles	Preventive
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060	Behavior	Preventive
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059	Behavior	Preventive
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052	Behavior	Preventive

Leadership and high level objectives

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	IT Impact Zone	IT Impact Zone
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Establish/Maintain Documentation	Preventive
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: the name and contact information for the controller's chief privacy individual with primary responsibility for directing the policies and procedures implemented to comply with the provisions of this chapter; and Section 10(a) (1)]	Establish/Maintain Documentation	Preventive
Include the effective date on all organizational policies. CC ID 06820 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the date the privacy notice was last updated. Section 8 Subdivision 1(a) (8)]	Establish/Maintain Documentation	Preventive
Establish and maintain an Authority Document list. CC ID 07113	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: Section 10(a)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Communicate	Preventive
Approve all compliance documents. CC ID 06286	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]	Establish/Maintain Documentation	Preventive
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Establish/Maintain Documentation	Preventive
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Establish/Maintain Documentation	Detective
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in paragraph (f). Section 11(g)]	Establish/Maintain Documentation	Preventive
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Business Processes	Preventive
Include when exemptions expire in the compliance exception standard. CC ID 14330	Establish/Maintain Documentation	Preventive
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Establish Roles	Preventive
Include management of the exemption register in the compliance exception standard. CC ID 14328	Establish/Maintain Documentation	Preventive
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945	Communicate	Preventive

Monitoring and measurement

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitoring and measurement CC ID 00636	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Log Management	Detective
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitor and Evaluate Occurrences	Preventive
Monitor systems for inappropriate usage and other security violations. CC ID 00585	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Audits and Risk Management	Preventive
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983	Acquisition/Sale of Assets or Services	Preventive
Establish, implement, and maintain a risk monitoring program. CC ID 00658	Establish/Maintain Documentation	Preventive
Implement a fraud detection system. CC ID 13081 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Business Processes	Preventive
Update or adjust fraud detection systems, as necessary. CC ID 13684	Process or Activity	Corrective
Establish, implement, and maintain a system security plan. CC ID 01922 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Testing	Preventive
Include a system description in the system security plan. CC ID 16467	Establish/Maintain Documentation	Preventive
Include a description of the operational context in the system security plan. CC ID 14301	Establish/Maintain Documentation	Preventive
Include the results of the security categorization in the system security plan. CC ID 14281	Establish/Maintain Documentation	Preventive
Include the information types in the system security plan. CC ID 14696	Establish/Maintain Documentation	Preventive
Include the security requirements in the system security plan. CC ID 14274	Establish/Maintain Documentation	Preventive
Include cryptographic key management procedures in the system security plan. CC ID 17029	Establish/Maintain Documentation	Preventive
Include threats in the system security plan. CC ID 14693	Establish/Maintain Documentation	Preventive
Include network diagrams in the system security plan. CC ID 14273	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the system security plan. CC ID 14682	Establish/Maintain Documentation	Preventive
Include backup and recovery procedures in the system security plan. CC ID 17043	Establish/Maintain Documentation	Preventive
Include the results of the privacy risk assessment in the system security plan. CC ID 14676	Establish/Maintain Documentation	Preventive
Include remote access methods in the system security plan. CC ID 16441	Establish/Maintain Documentation	Preventive
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275	Communicate	Preventive
Include a description of the operational environment in the system security plan. CC ID 14272	Establish/Maintain Documentation	Preventive
Include the security categorizations and rationale in the system security plan. CC ID 14270	Establish/Maintain Documentation	Preventive
Include the authorization boundary in the system security plan. CC ID 14257	Establish/Maintain Documentation	Preventive
Align the enterprise architecture with the system security plan. CC ID 14255	Process or Activity	Preventive
Include security controls in the system security plan. CC ID 14239	Establish/Maintain Documentation	Preventive
Create specific test plans to test each system component. CC ID 00661	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities in the test plan. CC ID 14299	Establish/Maintain Documentation	Preventive
Include the assessment team in the test plan. CC ID 14297	Establish/Maintain Documentation	Preventive
Include the scope in the test plans. CC ID 14293	Establish/Maintain Documentation	Preventive
Include the assessment environment in the test plan. CC ID 14271	Establish/Maintain Documentation	Preventive
Approve the system security plan. CC ID 14241	Business Processes	Preventive
Adhere to the system security plan. CC ID 11640	Testing	Detective
Review the test plans for each system component. CC ID 00662	Establish/Maintain Documentation	Preventive
Validate all testing assumptions in the test plans. CC ID 00663	Testing	Detective
Document validated testing processes in the testing procedures. CC ID 06200	Establish/Maintain Documentation	Preventive
Require testing procedures to be complete. CC ID 00664	Testing	Detective
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827	Establish/Maintain Documentation	Preventive
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665	Testing	Preventive
Implement automated audit tools. CC ID 04882	Acquisition/Sale of Assets or Services	Preventive
Assign senior management to approve test plans. CC ID 13071	Human Resources Management	Preventive
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Establish/Maintain Documentation	Preventive
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]	Monitor and Evaluate Occurrences	Detective
Identify and document instances of non-compliance with the compliance framework. CC ID 06499	Establish/Maintain Documentation	Preventive
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063	Business Processes	Detective
Determine the causes of compliance violations. CC ID 12401	Investigate	Corrective
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935	Establish/Maintain Documentation	Preventive
Determine if multiple compliance violations of the same type could occur. CC ID 12402	Investigate	Detective
Correct compliance violations. CC ID 13515 [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]	Process or Activity	Corrective
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403	Investigate	Detective
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675	Behavior	Corrective
Align disciplinary actions with the level of compliance violation. CC ID 12404	Human Resources Management	Preventive
Establish, implement, and maintain disciplinary action notices. CC ID 16577	Establish/Maintain Documentation	Preventive
Include a copy of the order in the disciplinary action notice. CC ID 16606	Establish/Maintain Documentation	Preventive
Include the sanctions imposed in the disciplinary action notice. CC ID 16599	Establish/Maintain Documentation	Preventive
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589	Establish/Maintain Documentation	Preventive
Include the requirements that were violated in the disciplinary action notice. CC ID 16588	Establish/Maintain Documentation	Preventive
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587	Establish/Maintain Documentation	Preventive
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586	Establish/Maintain Documentation	Preventive
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585	Communicate	Preventive
Include required information in the disciplinary action notice. CC ID 16584	Establish/Maintain Documentation	Preventive
Include a justification for actions taken in the disciplinary action notice. CC ID 16583	Establish/Maintain Documentation	Preventive
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582	Establish/Maintain Documentation	Preventive
Include the investigation results in the disciplinary action notice. CC ID 16581	Establish/Maintain Documentation	Preventive
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580	Establish/Maintain Documentation	Preventive
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579	Establish/Maintain Documentation	Preventive
Include contact information in the disciplinary action notice. CC ID 16578	Establish/Maintain Documentation	Preventive

Operational management

181

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Establish/Maintain Documentation	Preventive
Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Establish/Maintain Documentation	Preventive
Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Establish/Maintain Documentation	Preventive
Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Establish/Maintain Documentation	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Business Processes	Preventive
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Asset Management program. CC ID 06630	Business Processes	Preventive
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902	Establish/Maintain Documentation	Preventive
Apply security controls to each level of the information classification standard. CC ID 01903	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Business Processes	Preventive
Establish, implement, and maintain an incident management policy. CC ID 16414	Establish/Maintain Documentation	Preventive
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885	Communicate	Preventive
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055	Human Resources Management	Preventive
Define the uses and capabilities of the Incident Management program. CC ID 00854	Establish/Maintain Documentation	Preventive
Include incident escalation procedures in the Incident Management program. CC ID 00856	Establish/Maintain Documentation	Preventive
Define the characteristics of the Incident Management program. CC ID 00855	Establish/Maintain Documentation	Preventive
Include the criteria for a data loss event in the Incident Management program. CC ID 12179	Establish/Maintain Documentation	Preventive
Include the criteria for an incident in the Incident Management program. CC ID 12173	Establish/Maintain Documentation	Preventive
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an anti-money laundering program. CC ID 13675	Business Processes	Detective
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Establish/Maintain Documentation	Preventive
Categorize the incident following an incident response. CC ID 13208	Technical Security	Preventive
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033	Establish/Maintain Documentation	Preventive
Determine the incident severity level when assessing the security incidents. CC ID 01650	Monitor and Evaluate Occurrences	Corrective
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453	Monitor and Evaluate Occurrences	Detective
Require personnel to monitor for and report suspicious account activity. CC ID 16462	Monitor and Evaluate Occurrences	Detective
Identify root causes of incidents that force system changes. CC ID 13482	Investigate	Detective
Respond to and triage when an incident is detected. CC ID 06942	Monitor and Evaluate Occurrences	Detective
Document the incident and any relevant evidence in the incident report. CC ID 08659	Establish/Maintain Documentation	Detective
Escalate incidents, as necessary. CC ID 14861	Monitor and Evaluate Occurrences	Corrective
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Process or Activity	Corrective
Respond to all alerts from security systems in a timely manner. CC ID 06434	Behavior	Corrective
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Process or Activity	Corrective
Contain the incident to prevent further loss. CC ID 01751	Process or Activity	Corrective
Wipe data and memory after an incident has been detected. CC ID 16850	Technical Security	Corrective
Refrain from accessing compromised systems. CC ID 01752	Technical Security	Corrective
Isolate compromised systems from the network. CC ID 01753	Technical Security	Corrective
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754	Log Management	Corrective
Change authenticators after a security incident has been detected. CC ID 06789	Technical Security	Corrective
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677	Investigate	Detective
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095	Establish/Maintain Documentation	Preventive
Include the investigation methodology in the forensic investigation report. CC ID 17071	Establish/Maintain Documentation	Preventive
Include corrective actions in the forensic investigation report. CC ID 17070	Establish/Maintain Documentation	Preventive
Include the investigation results in the forensic investigation report. CC ID 17069	Establish/Maintain Documentation	Preventive
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674	Establish/Maintain Documentation	Detective
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678	Establish/Maintain Documentation	Detective
Assess all incidents to determine what information was accessed. CC ID 01226	Testing	Corrective
Check the precursors and indicators when assessing the security incidents. CC ID 01761	Monitor and Evaluate Occurrences	Corrective
Analyze the incident response process following an incident response. CC ID 13179	Investigate	Detective
Share incident information with interested personnel and affected parties. CC ID 01212	Data and Information Management	Corrective
Share data loss event information with the media. CC ID 01759	Behavior	Corrective
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Data and Information Management	Preventive
Share data loss event information with interconnected system owners. CC ID 01209	Establish/Maintain Documentation	Corrective
Redact restricted data before sharing incident information. CC ID 16994	Data and Information Management	Preventive
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Communicate	Preventive
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Communicate	Preventive
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Establish/Maintain Documentation	Preventive
Report data loss event information to breach notification organizations. CC ID 01210	Data and Information Management	Corrective
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Log Management	Detective
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Communicate	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Communicate	Preventive
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Behavior	Corrective
Remediate security violations according to organizational standards. CC ID 12338	Business Processes	Preventive
Include data loss event notifications in the Incident Response program. CC ID 00364	Establish/Maintain Documentation	Preventive
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954	Establish/Maintain Documentation	Preventive
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365	Behavior	Corrective
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801	Behavior	Detective
Delay sending incident response notifications under predetermined conditions. CC ID 00804	Behavior	Corrective
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Establish/Maintain Documentation	Preventive
Submit written requests to delay the notification of affected parties. CC ID 16783	Communicate	Preventive
Revoke the written request to delay the notification. CC ID 16843	Process or Activity	Preventive
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985	Establish/Maintain Documentation	Preventive
Avoid false positive incident response notifications. CC ID 04732	Behavior	Detective
Establish, implement, and maintain incident response notifications. CC ID 12975	Establish/Maintain Documentation	Corrective
Refrain from charging for providing incident response notifications. CC ID 13876	Business Processes	Preventive
Include information required by law in incident response notifications. CC ID 00802	Establish/Maintain Documentation	Detective
Title breach notifications "Notice of Data Breach". CC ID 12977	Establish/Maintain Documentation	Preventive
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Establish/Maintain Documentation	Preventive
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Establish/Maintain Documentation	Preventive
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Establish/Maintain Documentation	Preventive
Use plain language to write incident response notifications. CC ID 12976	Establish/Maintain Documentation	Preventive
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Establish/Maintain Documentation	Preventive
Refrain from including restricted information in the incident response notification. CC ID 16806	Actionable Reports or Measurements	Preventive
Include the affected parties rights in the incident response notification. CC ID 16811	Establish/Maintain Documentation	Preventive
Include details of the investigation in incident response notifications. CC ID 12296	Establish/Maintain Documentation	Preventive
Include the issuer's name in incident response notifications. CC ID 12062	Establish/Maintain Documentation	Preventive
Include a "What Happened" heading in breach notifications. CC ID 12978	Establish/Maintain Documentation	Preventive
Include a general description of the data loss event in incident response notifications. CC ID 04734	Establish/Maintain Documentation	Preventive
Include time information in incident response notifications. CC ID 04745	Establish/Maintain Documentation	Preventive
Include the identification of the data source in incident response notifications. CC ID 12305	Establish/Maintain Documentation	Preventive
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Establish/Maintain Documentation	Preventive
Include the type of information that was lost in incident response notifications. CC ID 04735	Establish/Maintain Documentation	Preventive
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Establish/Maintain Documentation	Preventive
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Establish/Maintain Documentation	Preventive
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Establish/Maintain Documentation	Preventive
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Establish/Maintain Documentation	Preventive
Include a "For More Information" heading in breach notifications. CC ID 12981	Establish/Maintain Documentation	Preventive
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Establish/Maintain Documentation	Preventive
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Establish/Maintain Documentation	Preventive
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Establish/Maintain Documentation	Preventive
Include any consequences in the incident response notifications. CC ID 12604	Establish/Maintain Documentation	Preventive
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Establish/Maintain Documentation	Preventive
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Establish/Maintain Documentation	Preventive
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Establish/Maintain Documentation	Detective
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Communicate	Corrective
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Business Processes	Corrective
Include contact information in incident response notifications. CC ID 04739	Establish/Maintain Documentation	Preventive
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085	Communicate	Preventive
Send paper incident response notifications to affected parties, as necessary. CC ID 00366	Behavior	Corrective
Post the incident response notification on the organization's website. CC ID 16809	Process or Activity	Preventive
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803	Behavior	Corrective
Document the determination for providing a substitute incident response notification. CC ID 16841	Process or Activity	Preventive
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368	Behavior	Corrective
Telephone incident response notifications to affected parties, as necessary. CC ID 04650	Behavior	Corrective
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747	Behavior	Preventive
Include contact information in the substitute incident response notification. CC ID 16776	Establish/Maintain Documentation	Preventive
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748	Establish/Maintain Documentation	Preventive
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750	Behavior	Preventive
Publish the incident response notification in a general circulation periodical. CC ID 04651	Behavior	Corrective
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769	Behavior	Preventive
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367	Behavior	Corrective
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347	Communicate	Corrective
Establish, implement, and maintain a containment strategy. CC ID 13480	Establish/Maintain Documentation	Preventive
Include the containment approach in the containment strategy. CC ID 13486	Establish/Maintain Documentation	Preventive
Include response times in the containment strategy. CC ID 13485	Establish/Maintain Documentation	Preventive
Include incident recovery procedures in the Incident Management program. CC ID 01758	Establish/Maintain Documentation	Corrective
Change wireless access variables after a data loss event has been detected. CC ID 01756	Technical Security	Corrective
Eradicate the cause of the incident after the incident has been contained. CC ID 01757	Business Processes	Corrective
Establish, implement, and maintain a restoration log. CC ID 12745	Establish/Maintain Documentation	Preventive
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463	Data and Information Management	Preventive
Include a description of the restored data in the restoration log. CC ID 15462	Data and Information Management	Preventive
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611	Human Resources Management	Corrective
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592	Establish/Maintain Documentation	Preventive
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265	Monitor and Evaluate Occurrences	Detective
Re-image compromised systems with secure builds. CC ID 12086	Technical Security	Corrective
Analyze security violations in Suspicious Activity Reports. CC ID 00591	Establish/Maintain Documentation	Preventive
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234	Monitor and Evaluate Occurrences	Preventive
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298	Investigate	Preventive
Update the incident response procedures using the lessons learned. CC ID 01233	Establish/Maintain Documentation	Preventive
Test incident monitoring procedures. CC ID 13194	Testing	Detective
Include incident response procedures in the Incident Management program. CC ID 01218	Establish/Maintain Documentation	Preventive
Integrate configuration management procedures into the incident management program. CC ID 13647	Technical Security	Preventive
Include incident management procedures in the Incident Management program. CC ID 12689	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858	Establish/Maintain Documentation	Corrective
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334	Establish/Maintain Documentation	Preventive
Include after-action analysis procedures in the Incident Management program. CC ID 01219	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844	Establish/Maintain Documentation	Preventive
Conduct incident investigations, as necessary. CC ID 13826	Process or Activity	Detective
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042	Investigate	Detective
Identify the affected parties during incident investigations. CC ID 16781	Investigate	Detective
Interview suspects during incident investigations, as necessary. CC ID 14041	Investigate	Detective
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038	Investigate	Detective
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830	Establish/Maintain Documentation	Preventive
Destroy investigative materials, as necessary. CC ID 17082	Data and Information Management	Preventive
Establish, implement, and maintain incident management audit logs. CC ID 13514	Records Management	Preventive
Log incidents in the Incident Management audit log. CC ID 00857	Establish/Maintain Documentation	Preventive
Include who the incident was reported to in the incident management audit log. CC ID 16487	Log Management	Preventive
Include the information that was exchanged in the incident management audit log. CC ID 16995	Log Management	Preventive
Include corrective actions in the incident management audit log. CC ID 16466	Establish/Maintain Documentation	Preventive
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238	Log Management	Corrective
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234	Log Management	Preventive
Include emergency processing priorities in the Incident Management program. CC ID 00859	Establish/Maintain Documentation	Preventive
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387	Establish/Maintain Documentation	Preventive
Include incident record closure procedures in the Incident Management program. CC ID 01620	Establish/Maintain Documentation	Preventive
Include incident reporting procedures in the Incident Management program. CC ID 11772 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142	Communicate	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Establish/Maintain Documentation	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Establish/Maintain Documentation	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652	Establish Roles	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Establish Roles	Preventive
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]	Communicate	Corrective
Establish, implement, and maintain incident response procedures. CC ID 01206 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Establish/Maintain Documentation	Detective
Include references to industry best practices in the incident response procedures. CC ID 11956	Establish/Maintain Documentation	Preventive
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Establish/Maintain Documentation	Preventive
Respond when an integrity violation is detected, as necessary. CC ID 10678	Technical Security	Corrective
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Technical Security	Corrective
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Technical Security	Corrective

Privacy protection for information and data

1041

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Privacy protection for information and data CC ID 00008	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Data and Information Management	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Establish/Maintain Documentation	Preventive
Include the purpose of the privacy notice in the privacy notice. CC ID 13526	Establish/Maintain Documentation	Preventive
Include the processing purpose in the privacy notice. CC ID 16543 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the purposes for which the categories of personal data are processed; Section 8 Subdivision 1(a) (2) If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b)]	Establish/Maintain Documentation	Preventive
Include contact information in the privacy notice. CC ID 14432 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller; Section 8 Subdivision 1(a) (6)]	Establish/Maintain Documentation	Preventive
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]	Establish/Maintain Documentation	Preventive
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Establish/Maintain Documentation	Preventive
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461	Establish/Maintain Documentation	Preventive
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of third parties, if any, with whom the controller sells or shares personal data; Section 8 Subdivision 1(a) (5)]	Establish/Maintain Documentation	Preventive
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: a description of the controller's retention policies for personal data; and Section 8 Subdivision 1(a) (7)]	Establish/Maintain Documentation	Preventive
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456	Establish/Maintain Documentation	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data processed by the controller; Section 8 Subdivision 1(a) (1)]	Establish/Maintain Documentation	Preventive
Include disclosure exceptions in the privacy notice. CC ID 13447	Establish/Maintain Documentation	Preventive
Include the types of personal data disclosed in the privacy notice. CC ID 13446 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data that the controller sells to or shares with third parties, if any; Section 8 Subdivision 1(a) (4)]	Establish/Maintain Documentation	Preventive
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Establish/Maintain Documentation	Preventive
Specify the time frame that notice will be given. CC ID 00385	Establish/Maintain Documentation	Preventive
Include the information about the appeal process in the privacy notice. CC ID 15312 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]	Establish/Maintain Documentation	Preventive
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468	Establish/Maintain Documentation	Preventive
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 [{be specific} {state} A controller is not required to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all the information required by this section. Section 8 Subdivision 1(f)]	Communicate	Preventive
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: Section 8 Subdivision 1(a) {be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g) The controller must provide the privacy notice in a manner that is reasonably accessible to and usable by individuals with disabilities. Section 8 Subdivision 1(d)]	Communicate	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Establish/Maintain Documentation	Preventive
Update privacy notices, as necessary. CC ID 13474	Communicate	Preventive
Redeliver privacy notices, as necessary. CC ID 14850	Communicate	Preventive
Deliver privacy notices to third parties, as necessary. CC ID 13473	Communicate	Preventive
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435	Communicate	Preventive
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434	Establish/Maintain Documentation	Corrective
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466	Establish/Maintain Documentation	Preventive
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472	Establish/Maintain Documentation	Preventive
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471	Establish/Maintain Documentation	Preventive
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448	Establish/Maintain Documentation	Preventive
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Establish/Maintain Documentation	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Establish/Maintain Documentation	Preventive
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463	Establish/Maintain Documentation	Preventive
Explain the right to opt out in the opt-out notice. CC ID 13462	Establish/Maintain Documentation	Preventive
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Establish/Maintain Documentation	Preventive
Deliver opt-out notices, as necessary. CC ID 13449	Communicate	Preventive
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453	Communicate	Preventive
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376	Communicate	Preventive
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372	Communicate	Preventive
Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391	Communicate	Preventive
Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819	Data and Information Management	Preventive
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393	Communicate	Preventive
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Communicate	Preventive
Provide the data subject with a notice of participation procedures. CC ID 06241	Establish/Maintain Documentation	Preventive
Deliver notices to the intended parties. CC ID 06240	Data and Information Management	Preventive
Notify data subjects about their privacy rights. CC ID 12989	Communicate	Preventive
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352	Communicate	Preventive
Require a data protection impact assessment when profiling the data subject. CC ID 12680 [{data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or disparate impact on, consumers; Section 10(b) (5)(i) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: financial, physical, or reputational injury to consumers; Section 10(b) (5)(ii) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or Section 10(b) (5)(iii) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: other substantial injury to consumers. Section 10(b) (5)(iv)]	Process or Activity	Detective
Establish, implement, and maintain adequate openness procedures. CC ID 00377 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: reflect the requirements of this chapter in the design of the controller's systems; Section 10(a) (2)(i)]	Data and Information Management	Preventive
Provide public proof the organization participates in a privacy program. CC ID 12349	Communicate	Preventive
Publish a description of processing activities in an official register. CC ID 00379	Establish/Maintain Documentation	Preventive
Establish and maintain a records request manual. CC ID 00381	Establish/Maintain Documentation	Preventive
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Establish/Maintain Documentation	Preventive
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Behavior	Preventive
Define what is included in registration notices. CC ID 00386	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the registration notice. CC ID 16803	Establish Roles	Preventive
Include the verification method in the registration notice. CC ID 16798	Establish/Maintain Documentation	Preventive
Include the statutory authority in the registration notice. CC ID 16799	Establish/Maintain Documentation	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Establish/Maintain Documentation	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Establish/Maintain Documentation	Preventive
Include information about the dispute resolution body in the registration notice. CC ID 16800	Establish/Maintain Documentation	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Establish/Maintain Documentation	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Establish/Maintain Documentation	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Establish/Maintain Documentation	Preventive
Provide legal authorities access to personal data, upon request. CC ID 06818	Data and Information Management	Preventive
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]	Process or Activity	Preventive
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g) {be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]	Establish/Maintain Documentation	Preventive
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394	Establish/Maintain Documentation	Preventive
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398	Establish/Maintain Documentation	Preventive
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588	Process or Activity	Preventive
Document the countries where restricted data may be stored. CC ID 12750	Data and Information Management	Preventive
Protect the rights of students and their parents or legal representatives. CC ID 00222	Data and Information Management	Preventive
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Technical Security	Preventive
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Records Management	Preventive
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Records Management	Preventive
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Records Management	Corrective
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Records Management	Corrective
Define the criteria for waivers of data subjects' rights. CC ID 16858	Behavior	Preventive
Revoke waivers of data subject's rights, as necessary. CC ID 16859	Behavior	Preventive
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Establish/Maintain Documentation	Preventive
Disclose educational data, as necessary. CC ID 00223	Data and Information Management	Preventive
Grant access to education records in support of educational program audits. CC ID 13032	Records Management	Preventive
Grant access to education records in support of external requirements. CC ID 13033	Records Management	Preventive
Disclose statements added to education records, as necessary. CC ID 12990	Communicate	Preventive
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Data and Information Management	Preventive
Disclose education records when written consent is received. CC ID 00224	Data and Information Management	Preventive
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Establish/Maintain Documentation	Preventive
Specify the purpose of the disclosure in the written consent. CC ID 13001	Establish/Maintain Documentation	Preventive
Specify which education records may be disclosed in the written consent. CC ID 13000	Establish/Maintain Documentation	Preventive
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Establish/Maintain Documentation	Preventive
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Communicate	Preventive
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Communicate	Preventive
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Communicate	Preventive
Disclose educational data absent consent to other school officials. CC ID 00226	Data and Information Management	Preventive
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Data and Information Management	Preventive
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Communicate	Preventive
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Data and Information Management	Preventive
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Data and Information Management	Preventive
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Data and Information Management	Preventive
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Data and Information Management	Preventive
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Data and Information Management	Preventive
Disclose educational data absent consent to a crime victim. CC ID 00236	Data and Information Management	Preventive
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Establish/Maintain Documentation	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625	Communicate	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Communicate	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Communicate	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]	Communicate	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Communicate	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g) A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]	Establish/Maintain Documentation	Preventive
Provide the data subject with the data retention period for personal data. CC ID 12587	Process or Activity	Preventive
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589	Process or Activity	Preventive
Provide the data subject with the adequacy decision. CC ID 12586	Process or Activity	Preventive
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585	Process or Activity	Preventive
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608	Process or Activity	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]	Data and Information Management	Preventive
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [A controller may not require a consumer to create a new account in order to exercise a right, but a controller may require a consumer to use an existing account to exercise the consumer's rights under this section. Section 6 Subdivision 4(c)]	Business Processes	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Business Processes	Preventive
Notify the data subject of the right to data portability. CC ID 12603	Process or Activity	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Process or Activity	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]	Establish/Maintain Documentation	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Data and Information Management	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Establish/Maintain Documentation	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Establish/Maintain Documentation	Preventive
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Establish/Maintain Documentation	Preventive
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Establish/Maintain Documentation	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Establish/Maintain Documentation	Preventive
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Establish/Maintain Documentation	Preventive
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Establish/Maintain Documentation	Preventive
Include the disclosure date in the disclosure accounting record. CC ID 07133	Establish/Maintain Documentation	Preventive
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Establish/Maintain Documentation	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Establish/Maintain Documentation	Preventive
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Establish/Maintain Documentation	Preventive
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Establish/Maintain Documentation	Preventive
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Establish/Maintain Documentation	Preventive
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Establish/Maintain Documentation	Preventive
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Establish/Maintain Documentation	Preventive
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Establish/Maintain Documentation	Preventive
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 [A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead. Section 6 Subdivision 1(h)]	Data and Information Management	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Communicate	Preventive
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586	Establish/Maintain Documentation	Preventive
Provide shareholders access to electronic messages via electronic means. CC ID 11855	Process or Activity	Preventive
Make telephone directory information available to the public. CC ID 08698	Establish/Maintain Documentation	Preventive
Display warning screens and confirmation screens for all payment transactions. CC ID 06409	Technical Security	Preventive
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400	Establish/Maintain Documentation	Preventive
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614	Process or Activity	Preventive
Establish, implement, and maintain a privacy policy. CC ID 06281	Establish/Maintain Documentation	Preventive
Include the data subject's rights in the privacy policy. CC ID 16355	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a privacy policy model document. CC ID 14720	Establish/Maintain Documentation	Preventive
Document privacy policies in clearly written and easily understood language. CC ID 00376	Establish/Maintain Documentation	Detective
Write privacy notices in the official languages required by law. CC ID 16529 [The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service. Section 8 Subdivision 1(c)]	Establish/Maintain Documentation	Preventive
Define what is included in the privacy policy. CC ID 00404	Establish/Maintain Documentation	Preventive
Define the information being collected in the privacy policy. CC ID 13115	Establish/Maintain Documentation	Preventive
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110	Establish/Maintain Documentation	Preventive
Include the means by which information is collected in the privacy policy. CC ID 13114	Establish/Maintain Documentation	Preventive
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368	Establish/Maintain Documentation	Corrective
Include roles and responsibilities in the privacy policy. CC ID 14669	Establish/Maintain Documentation	Preventive
Include management commitment in the privacy policy. CC ID 14668	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the privacy policy. CC ID 14667	Establish/Maintain Documentation	Preventive
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854	Establish/Maintain Documentation	Preventive
Include compliance requirements in the privacy policy. CC ID 14666	Establish/Maintain Documentation	Preventive
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111	Establish/Maintain Documentation	Preventive
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367	Establish/Maintain Documentation	Corrective
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366	Establish/Maintain Documentation	Preventive
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365	Establish/Maintain Documentation	Preventive
Include a complaint form in the privacy policy. CC ID 12364	Establish/Maintain Documentation	Preventive
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405	Establish/Maintain Documentation	Preventive
Include the processing purpose in the privacy policy. CC ID 00406	Establish/Maintain Documentation	Preventive
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117	Establish/Maintain Documentation	Preventive
Include the data subject categories being processed in the privacy policy. CC ID 00407	Establish/Maintain Documentation	Preventive
Define the retention period for collected information in the privacy policy. CC ID 13116	Establish/Maintain Documentation	Preventive
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408	Establish/Maintain Documentation	Preventive
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409	Establish/Maintain Documentation	Preventive
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410	Establish/Maintain Documentation	Preventive
Include instructions on how to opt-out in the privacy policy. CC ID 00411	Establish/Maintain Documentation	Preventive
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]	Establish/Maintain Documentation	Preventive
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454	Establish/Maintain Documentation	Preventive
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452	Establish/Maintain Documentation	Preventive
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390	Establish/Maintain Documentation	Preventive
Post the privacy policy in an easily seen location. CC ID 00401 [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]	Establish/Maintain Documentation	Preventive
Define who will receive the privacy policy. CC ID 00402	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346	Communicate	Preventive
Establish, implement, and maintain privacy procedures. CC ID 14665	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664	Communicate	Preventive
Establish, implement, and maintain a privacy plan. CC ID 14672	Establish/Maintain Documentation	Preventive
Align the enterprise architecture with the privacy plan. CC ID 14705	Process or Activity	Preventive
Approve the privacy plan. CC ID 14700	Business Processes	Preventive
Include privacy requirements in the privacy plan. CC ID 14699	Establish/Maintain Documentation	Preventive
Include the information types in the privacy plan. CC ID 14695	Establish/Maintain Documentation	Preventive
Include threats in the privacy plan. CC ID 14694	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the privacy plan. CC ID 14702	Establish/Maintain Documentation	Preventive
Include a description of the operational context in the privacy plan. CC ID 14692	Establish/Maintain Documentation	Preventive
Include risk assessment results in the privacy plan. CC ID 14701	Establish/Maintain Documentation	Preventive
Include the security categorizations and rationale in the privacy plan. CC ID 14690	Establish/Maintain Documentation	Preventive
Include security controls in the privacy plan. CC ID 14681	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680	Communicate	Preventive
Include a description of the operational environment in the privacy plan. CC ID 14679	Establish/Maintain Documentation	Preventive
Include network diagrams in the privacy plan. CC ID 14678	Establish/Maintain Documentation	Preventive
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677	Establish/Maintain Documentation	Preventive
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 [Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e) Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]	Behavior	Preventive
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a privacy report. CC ID 14754	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761	Communicate	Preventive
Protect private communications in keeping with compliance requirements. CC ID 14334 [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]	Business Processes	Preventive
Disseminate private communications when required by law. CC ID 14335	Communicate	Corrective
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data request procedures. CC ID 16546 [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b) A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]	Establish/Maintain Documentation	Preventive
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: Section 8 Subdivision 3(b)]	Human Resources Management	Preventive
Refrain from charging a fee to implement an opt-out request. CC ID 13877	Business Processes	Preventive
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433	Establish/Maintain Documentation	Preventive
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438	Establish/Maintain Documentation	Preventive
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999	Establish/Maintain Documentation	Preventive
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440	Establish/Maintain Documentation	Preventive
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439	Establish/Maintain Documentation	Preventive
Include the identity of the data subject in the disclosure authorization form. CC ID 13436	Establish/Maintain Documentation	Preventive
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442	Establish/Maintain Documentation	Preventive
Include how personal data will be used in the disclosure authorization form. CC ID 13441	Establish/Maintain Documentation	Preventive
Include agreement termination information in the disclosure authorization form. CC ID 13437	Establish/Maintain Documentation	Preventive
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{not prohibit} {be different} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. Section 8 Subdivision 3(b) (2)]	Business Processes	Preventive
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Business Processes	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. Section 6 Subdivision 1(f) A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: Section 6 Subdivision 3(a) If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b) {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]	Data and Information Management	Preventive
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Business Processes	Preventive
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Business Processes	Preventive
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [{refrain from disadvantaging} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not unfairly disadvantage another controller; Section 6 Subdivision 3(a) (1) {refrain from using} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data; Section 6 Subdivision 3(a) (2) {be easy to use} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be consumer-friendly and easy to use by the average consumer; Section 6 Subdivision 3(a) (3) {be consistent} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and Section 6 Subdivision 3(a) (4) A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising. For purposes of this paragraph, the use of an Internet protocol address to estimate the consumer's location is sufficient to determine the consumer's residence. Section 6 Subdivision 3(a) (5) {opt-out mechanism} The platform, technology, or mechanism required under paragraph (a) is subject to the requirements of subdivision 4. Section 6 Subdivision 3(c) Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]	Data and Information Management	Preventive
Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880	Technical Security	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d) {loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b) {opt out} A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: opting the consumer out of the processing of personal data for any purpose except for the purposes exempted pursuant to the provisions of this chapter. Section 6 Subdivision 4(k) (2) {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]	Business Processes	Preventive
Confirm the individual's identity before granting an opt-out request. CC ID 16813	Process or Activity	Preventive
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988	Establish/Maintain Documentation	Preventive
Allow consent requests to be provided in any official languages. CC ID 16530	Business Processes	Preventive
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Communicate	Preventive
Collect and retain disclosure authorizations for each data subject. CC ID 13434	Records Management	Preventive
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605	Data and Information Management	Preventive
Refrain from obtaining consent through deception. CC ID 13556	Data and Information Management	Preventive
Give individuals the ability to change the uses of their personal data. CC ID 00469 [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]	Data and Information Management	Preventive
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]	Data and Information Management	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Establish/Maintain Documentation	Preventive
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848	Human Resources Management	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Establish Roles	Preventive
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610	Human Resources Management	Preventive
Notify the supervisory authority. CC ID 00472	Behavior	Preventive
Establish, implement, and maintain approval applications. CC ID 16778	Establish/Maintain Documentation	Preventive
Define the requirements for approving or denying approval applications. CC ID 16780	Business Processes	Preventive
Submit approval applications to the supervisory authority. CC ID 16627	Communicate	Preventive
Include required information in the approval application. CC ID 16628	Establish/Maintain Documentation	Preventive
Extend the time limit for approving or denying approval applications. CC ID 16779	Business Processes	Preventive
Approve the approval application unless applicant has been convicted. CC ID 16603	Process or Activity	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]	Process or Activity	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Communicate	Preventive
Respond to questions about submissions in a timely manner. CC ID 16930	Communicate	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Communicate	Corrective
Cooperate with Data Protection Authorities. CC ID 06870 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]	Data and Information Management	Preventive
Submit a safe harbor self-certification letter. CC ID 06871	Establish/Maintain Documentation	Preventive
Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647	Human Resources Management	Preventive
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584	Establish/Maintain Documentation	Preventive
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682	Establish/Maintain Documentation	Preventive
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612	Establish/Maintain Documentation	Preventive
Include data subject's rights in the Binding Corporate Rules. CC ID 12596	Establish/Maintain Documentation	Preventive
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597	Establish/Maintain Documentation	Preventive
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595	Establish/Maintain Documentation	Preventive
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594	Establish/Maintain Documentation	Preventive
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620	Establish/Maintain Documentation	Preventive
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593	Establish/Maintain Documentation	Preventive
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591	Establish/Maintain Documentation	Preventive
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592	Establish/Maintain Documentation	Preventive
Include complaint procedures in the Binding Corporate Rules. CC ID 12613	Establish/Maintain Documentation	Preventive
Include the data transfers in the Binding Corporate Rules. CC ID 12590	Establish/Maintain Documentation	Preventive
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662	Establish/Maintain Documentation	Preventive
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601	Establish/Maintain Documentation	Preventive
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600	Establish/Maintain Documentation	Preventive
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599	Establish/Maintain Documentation	Preventive
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598	Establish/Maintain Documentation	Preventive
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627	Establish/Maintain Documentation	Preventive
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626	Establish/Maintain Documentation	Preventive
Notify the data controller of any changes in data processors. CC ID 12648	Communicate	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Establish/Maintain Documentation	Preventive
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812	Establish/Maintain Documentation	Preventive
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and Section 5(c) (1)]	Establish/Maintain Documentation	Preventive
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Establish/Maintain Documentation	Preventive
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Establish/Maintain Documentation	Preventive
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Establish/Maintain Documentation	Preventive
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Establish/Maintain Documentation	Preventive
Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Establish/Maintain Documentation	Preventive
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Establish/Maintain Documentation	Preventive
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]	Establish/Maintain Documentation	Preventive
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this chapter; and Section 5(e) (2) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]	Establish/Maintain Documentation	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e) Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this chapter is contrary to public policy and is void and unenforceable. Section 8 Subdivision 4 ¶ 1 The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: assist another controller, processor, or third party with any of the obligations under this paragraph; Section 11(a) (8)]	Establish/Maintain Documentation	Preventive
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: engage a subcontractor only (i) after providing the controller with an opportunity to object, and (ii) pursuant to a written contract in accordance with paragraph (e) that requires the subcontractor to meet the obligations of the processor with respect to the personal data. Section 5(c) (2)]	Human Resources Management	Preventive
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; Section 5(e) (1) {no longer necessary} A controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09. Section 8 Subdivision 2(g)]	Establish/Maintain Documentation	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Establish/Maintain Documentation	Preventive
Display or print the least amount of personal data necessary. CC ID 04643	Data and Information Management	Preventive
Redact confidential information from public information, as necessary. CC ID 06872	Data and Information Management	Preventive
Notify the data subject of the collection purpose. CC ID 00095	Behavior	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Data and Information Management	Preventive
Document the law that requires restricted data to be collected. CC ID 00103	Establish/Maintain Documentation	Preventive
Notify the data subject of the consequences for not providing personal data. CC ID 00104	Behavior	Preventive
Notify the data subject of changes to personal data use. CC ID 00105	Behavior	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Establish/Maintain Documentation	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Establish/Maintain Documentation	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not be necessary} Except as provided in this chapter, a controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which the personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent. Section 8 Subdivision 2(b)]	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; Section 11(a) (6)]	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Establish/Maintain Documentation	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Establish/Maintain Documentation	Preventive
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Behavior	Preventive
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Establish/Maintain Documentation	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125	Data and Information Management	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Records Management	Preventive
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Communicate	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]	Establish/Maintain Documentation	Preventive
Allow data subjects to submit data requests. CC ID 16545 [A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise. Section 6 Subdivision 2(a)]	Process or Activity	Preventive
Provide individuals with information about where their personal data was processed. CC ID 00415	Data and Information Management	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]	Data and Information Management	Preventive
Provide individuals with information about disclosure of their personal data. CC ID 00417	Data and Information Management	Preventive
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Data and Information Management	Preventive
Provide assistance to requesters in preparing data access requests. CC ID 13588	Data and Information Management	Preventive
Require data access requests to be in writing, unless the requester is unable. CC ID 00420	Establish/Maintain Documentation	Preventive
Define what is to be included in a data access request. CC ID 08699	Establish/Maintain Documentation	Preventive
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394	Business Processes	Preventive
Respond to data access requests in a timely manner. CC ID 00421 [Except as provided in this chapter, a controller must comply with a request to exercise the consumer rights provided in this subdivision. Section 6 Subdivision 1(a) Except as provided in this chapter, a controller must comply with a request to exercise the rights pursuant to subdivision 1. Section 6 Subdivision 4(a) A controller must comply with a request to exercise the right in subdivision 1, paragraph (f), as soon as feasibly possible, but no later than 45 days of receipt of the request. Section 6 Subdivision 4(d) A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)]	Behavior	Preventive
Respond to data access requests in an official language. CC ID 17176	Communicate	Preventive
Delay responding to data access requests, as necessary. CC ID 15504 [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Data and Information Management	Preventive
Expedite the processing of data access requests, as necessary. CC ID 15496	Data and Information Management	Preventive
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Behavior	Detective
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423	Behavior	Detective
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502	Business Processes	Preventive
Define what is included in a request for a waiver or reduction of fees. CC ID 15522	Process or Activity	Preventive
Deliver the records described in the personal data access request, as necessary. CC ID 08701	Establish/Maintain Documentation	Preventive
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503	Data and Information Management	Preventive
Document the outcome of the personal data access request review procedure. CC ID 00455	Data and Information Management	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811	Establish/Maintain Documentation	Preventive
Submit personal data removal requests in writing. CC ID 11973	Records Management	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Establish/Maintain Documentation	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Records Management	Corrective
Notify third parties of data access requests that relates to the third party. CC ID 08703	Establish/Maintain Documentation	Preventive
Allow affected third parties to consent or object to a data access request. CC ID 08704	Process or Activity	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Establish/Maintain Documentation	Preventive
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299	Data and Information Management	Preventive
Disclose de-identified data, as necessary. CC ID 13034	Communicate	Preventive
Notify the data subject after personal data is used or disclosed. CC ID 06247 [Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Behavior	Preventive
Refrain from processing restricted data, as necessary. CC ID 12551	Records Management	Preventive
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668	Process or Activity	Preventive
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]	Process or Activity	Preventive
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326	Business Processes	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778	Process or Activity	Detective
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644	Process or Activity	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [A controller shall not process personal data on the basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Section 8 Subdivision 3(a)]	Data and Information Management	Preventive
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528	Data and Information Management	Preventive
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Business Processes	Preventive
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Business Processes	Preventive
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Business Processes	Preventive
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Business Processes	Preventive
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Business Processes	Preventive
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Business Processes	Preventive
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Business Processes	Preventive
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Business Processes	Preventive
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Process or Activity	Preventive
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375	Establish/Maintain Documentation	Preventive
Include the data protection officer's contact information in the record of processing activities. CC ID 12640	Records Management	Preventive
Include the data processor's contact information in the record of processing activities. CC ID 12657	Records Management	Preventive
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658	Records Management	Preventive
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641	Records Management	Preventive
Include a description of the data subject categories in the record of processing activities. CC ID 12659	Records Management	Preventive
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663	Records Management	Preventive
Include the personal data processing categories in the record of processing activities. CC ID 12661	Records Management	Preventive
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690	Records Management	Preventive
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664	Records Management	Preventive
Include a description of the personal data categories in the record of processing activities. CC ID 12660	Records Management	Preventive
Include the joint data controller's contact information in the record of processing activities. CC ID 12639	Records Management	Preventive
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638	Records Management	Preventive
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643	Records Management	Preventive
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642	Records Management	Preventive
Include the data controller's contact information in the record of processing activities. CC ID 12637	Records Management	Preventive
Process restricted data lawfully and carefully. CC ID 00086 [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]	Establish Roles	Preventive
Analyze requirements for processing personal data in contracts. CC ID 12550 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Investigate	Detective
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Technical Security	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Data and Information Management	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Communicate	Corrective
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Records Management	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Data and Information Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Records Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Process or Activity	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Records Management	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Data and Information Management	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Establish/Maintain Documentation	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Data and Information Management	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Establish/Maintain Documentation	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Establish/Maintain Documentation	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Data and Information Management	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Data and Information Management	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Data and Information Management	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180	Data and Information Management	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Data and Information Management	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Data and Information Management	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Data and Information Management	Preventive
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and Section 11(a) (10)(i) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: under the responsibility of a professional individual who is subject to confidentiality obligations under federal, state, or local law. Section 11(a) (10)(ii) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1) {not adversely affect} Obligations imposed on controllers and processors under this chapter shall not: adversely affect the rights or freedoms of any persons, including exercising the right of free speech pursuant to the First Amendment of the United States Constitution; or Section 11(e) (1)]	Data and Information Management	Preventive
Process traffic data in a controlled manner. CC ID 00130	Data and Information Management	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Data and Information Management	Preventive
Process personal data when it is publicly accessible. CC ID 00187	Data and Information Management	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Data and Information Management	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [{refrain from selling} {absent consent} {minor} A controller may not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16. Section 8 Subdivision 2(f)]	Business Processes	Preventive
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Communicate	Corrective
Process personal data for the purposes of employment. CC ID 16527	Data and Information Management	Preventive
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189	Data and Information Management	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190	Data and Information Management	Preventive
Process personal data in order to advance the public interest. CC ID 00191	Data and Information Management	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]	Data and Information Management	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Data and Information Management	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Data and Information Management	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Data and Information Management	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Data and Information Management	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Data and Information Management	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Data and Information Management	Preventive
Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537	Data and Information Management	Preventive
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012	Process or Activity	Preventive
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Data and Information Management	Preventive
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615	Data and Information Management	Preventive
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Data and Information Management	Preventive
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611	Data and Information Management	Preventive
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580	Data and Information Management	Preventive
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282	Data and Information Management	Preventive
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587	Data and Information Management	Preventive
Process personal data absent consent in order to perform a contract. CC ID 13586	Data and Information Management	Preventive
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Data and Information Management	Preventive
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814	Data and Information Management	Preventive
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294	Data and Information Management	Preventive
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Data and Information Management	Preventive
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578	Data and Information Management	Preventive
Process personal data absent consent when it is needed by law. CC ID 13577	Data and Information Management	Preventive
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296	Data and Information Management	Preventive
Process personal data absent consent when it is from publicly available information. CC ID 13576	Data and Information Management	Preventive
Process personal data absent consent to create a credit report. CC ID 15288	Data and Information Management	Preventive
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575	Data and Information Management	Preventive
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291	Data and Information Management	Preventive
Process personal data absent consent when produced for business purposes. CC ID 13563	Data and Information Management	Preventive
Process personal data absent consent for handling insurance claims. CC ID 13561	Data and Information Management	Preventive
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533	Data and Information Management	Preventive
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Data and Information Management	Preventive
Process personal data absent consent for life-threatening emergencies. CC ID 13558	Data and Information Management	Preventive
Process personal data absent consent for reasonable investigative purposes. CC ID 13557	Data and Information Management	Preventive
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]	Behavior	Preventive
Define security breach notification requirement exceptions. CC ID 04797	Establish/Maintain Documentation	Preventive
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086	Communicate	Corrective
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]	Records Management	Preventive
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989	Communicate	Corrective
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157	Data and Information Management	Preventive
Define what restricted data is not required to be disclosed absent consent. CC ID 00134	Establish/Maintain Documentation	Preventive
Define the exceptions to disclosure absent consent. CC ID 00135	Establish/Maintain Documentation	Preventive
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158	Data and Information Management	Detective
Define opt-out exceptions for disclosing restricted data. CC ID 00159 [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Establish/Maintain Documentation	Preventive
Define how a data subject may give consent. CC ID 00160	Establish/Maintain Documentation	Preventive
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793	Data and Information Management	Preventive
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267	Communicate	Preventive
Disclose restricted data absent consent when the law does not require consent. CC ID 00136	Data and Information Management	Preventive
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270	Data and Information Management	Preventive
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137	Data and Information Management	Preventive
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594	Data and Information Management	Preventive
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284	Data and Information Management	Preventive
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603	Data and Information Management	Preventive
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598	Data and Information Management	Preventive
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597	Data and Information Management	Preventive
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596	Data and Information Management	Preventive
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592	Data and Information Management	Preventive
Disclose personal data absent consent to create a credit report. CC ID 15297	Data and Information Management	Preventive
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595	Data and Information Management	Preventive
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583	Data and Information Management	Preventive
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593	Data and Information Management	Preventive
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285	Data and Information Management	Preventive
Disclose personal data absent consent for handling insurance claims. CC ID 13585	Data and Information Management	Preventive
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584	Data and Information Management	Preventive
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555	Data and Information Management	Preventive
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853	Data and Information Management	Preventive
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582	Data and Information Management	Preventive
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554	Data and Information Management	Preventive
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138	Data and Information Management	Preventive
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553	Data and Information Management	Preventive
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552	Data and Information Management	Preventive
Disclose restricted data absent consent in order to perform a contract. CC ID 00139	Data and Information Management	Preventive
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140	Data and Information Management	Preventive
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290	Data and Information Management	Preventive
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286	Data and Information Management	Preventive
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141	Data and Information Management	Preventive
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142	Data and Information Management	Preventive
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143	Data and Information Management	Preventive
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147	Data and Information Management	Preventive
Disclose restricted data absent consent for public economic interests. CC ID 00148	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149	Data and Information Management	Preventive
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150	Data and Information Management	Preventive
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151	Data and Information Management	Preventive
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152	Data and Information Management	Preventive
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153	Data and Information Management	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154	Data and Information Management	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155	Data and Information Management	Preventive
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161	Data and Information Management	Preventive
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162	Establish/Maintain Documentation	Detective
Disclose restricted data absent consent when it is needed by law. CC ID 00163	Data and Information Management	Preventive
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796	Data and Information Management	Preventive
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164	Data and Information Management	Preventive
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855	Data and Information Management	Preventive
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166	Data and Information Management	Preventive
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469	Communicate	Preventive
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2) {no longer necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09; and Section 10(a) (2)(v) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Establish/Maintain Documentation	Preventive
Capture personal data removal requests. CC ID 13507 [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)]	Communicate	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A consumer has the right to delete personal data concerning the consumer. Section 6 Subdivision 1(d)]	Records Management	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Process or Activity	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Process or Activity	Preventive
Dispose of personal data removal requests, as necessary. CC ID 13512	Business Processes	Preventive
Refrain from selling restricted data, as necessary. CC ID 17165 [{absent consent} A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent. Section 9(a)]	Data and Information Management	Preventive
Limit the redisclosure and reuse of restricted data. CC ID 00168	Data and Information Management	Preventive
Refrain from redisclosing or reusing restricted data. CC ID 00169	Data and Information Management	Preventive
Document the redisclosing restricted data exceptions. CC ID 00170	Establish/Maintain Documentation	Preventive
Redisclose restricted data when the data subject consents. CC ID 00171	Data and Information Management	Preventive
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172	Data and Information Management	Preventive
Redisclose restricted data in order to protect public revenue. CC ID 00173	Data and Information Management	Preventive
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174	Data and Information Management	Preventive
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175	Data and Information Management	Preventive
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176	Data and Information Management	Preventive
Redisclose restricted data in order to preserve human life at sea. CC ID 00177	Data and Information Management	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]	Data and Information Management	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Data and Information Management	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Data and Information Management	Preventive
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Data and Information Management	Preventive
Process Personal Identification Numbers with consent. CC ID 00239	Data and Information Management	Preventive
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Behavior	Preventive
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Data and Information Management	Preventive
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Data and Information Management	Preventive
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Establish/Maintain Documentation	Preventive
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Data and Information Management	Preventive
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Data and Information Management	Preventive
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821	Data and Information Management	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Establish/Maintain Documentation	Preventive
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901	Communicate	Preventive
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298	Data and Information Management	Preventive
Review personal data disclosure requests. CC ID 07129	Data and Information Management	Preventive
Notify the data subject of the disclosure purpose. CC ID 15268	Communicate	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and Section 7(a) (3)(ii) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. Section 7(a) (3)(iii) If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f) A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Establish/Maintain Documentation	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]	Data and Information Management	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Data and Information Management	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Data and Information Management	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Data and Information Management	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Data and Information Management	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Data and Information Management	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [In response to a consumer request under subdivision 1, a controller is not required to reveal any trade secret. Section 6 Subdivision 4(j)]	Data and Information Management	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Data and Information Management	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Data and Information Management	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Process or Activity	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Data and Information Management	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Data and Information Management	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Data and Information Management	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Data and Information Management	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Data and Information Management	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Data and Information Management	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Data and Information Management	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Data and Information Management	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Data and Information Management	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Data and Information Management	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Data and Information Management	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Data and Information Management	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g) If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]	Data and Information Management	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Communicate	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Data and Information Management	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Process or Activity	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]	Data and Information Management	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Data and Information Management	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Communicate	Preventive
Provide data or records in a reasonable time frame. CC ID 00429	Data and Information Management	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Communicate	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Data and Information Management	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Data and Information Management	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Data and Information Management	Preventive
Provide data at a cost that is not excessive. CC ID 00430 [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g) {be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]	Data and Information Management	Preventive
Provide records or data in a reasonable manner. CC ID 00431 [A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Section 6 Subdivision 1(e)]	Data and Information Management	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Data and Information Management	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Data and Information Management	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Data and Information Management	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Data and Information Management	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Establish/Maintain Documentation	Preventive
Include cookie management in the privacy framework. CC ID 13809	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain cookie management procedures. CC ID 13810	Establish/Maintain Documentation	Preventive
Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953	Data and Information Management	Preventive
Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Establish/Maintain Documentation	Preventive
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279	Data and Information Management	Preventive
Refrain from collecting personal data, as necessary. CC ID 15269 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]	Data and Information Management	Preventive
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488	Business Processes	Detective
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [{be relevant} {be necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed; Section 10(a) (2)(iv)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Establish/Maintain Documentation	Preventive
Use personal data for specified purposes. CC ID 11831 [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1) {be necessary} {be reasonable} {be proportionate} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: necessary, reasonable, and proportionate to the purposes listed in this section; Section 11(f) (1) {be adequate} {be relevant} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in this section; and Section 11(f) (2) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Data and Information Management	Preventive
Post the collection purpose. CC ID 00101	Establish/Maintain Documentation	Preventive
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012	Data and Information Management	Preventive
Document each individual's personal data collection consent preferences. CC ID 06945	Establish/Maintain Documentation	Preventive
Provide explicit consent that is clear and unambiguous. CC ID 00181	Data and Information Management	Preventive
Allow individuals to change their personal data collection consent preferences. CC ID 06946	Data and Information Management	Preventive
Adhere to each individual's personal data collection consent preferences. CC ID 06947	Data and Information Management	Preventive
Notify the data subject of the source of collected personal data. CC ID 00083	Behavior	Preventive
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717	Data and Information Management	Preventive
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718	Data and Information Management	Preventive
Establish and maintain a personal data definition. CC ID 00028	Establish/Maintain Documentation	Preventive
Include an individual's name in the personal data definition. CC ID 04710	Data and Information Management	Preventive
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709	Data and Information Management	Preventive
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686	Data and Information Management	Preventive
Include an individual's signature in the personal data definition. CC ID 04711	Data and Information Management	Preventive
Include an individual's date of birth in the personal data definition. CC ID 04770	Data and Information Management	Preventive
Include the number of children in the personal data definition. CC ID 13759	Establish/Maintain Documentation	Preventive
Include the individual's religion in the personal data definition. CC ID 13765	Establish/Maintain Documentation	Preventive
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712	Data and Information Management	Preventive
Include an individual's biometric data in the personal data definition. CC ID 04698	Data and Information Management	Preventive
Include an individual's photographic image in the personal data definition. CC ID 04779	Data and Information Management	Preventive
Include an individual's fingerprints in the personal data definition. CC ID 04689	Data and Information Management	Preventive
Include an individual's address in the personal data definition. CC ID 04687	Data and Information Management	Preventive
Include an individual's telephone number in the personal data definition. CC ID 04688	Data and Information Management	Preventive
Include an individual's fax number in the personal data definition. CC ID 07120	Data and Information Management	Preventive
Include an individual's political party affiliation in the personal data definition. CC ID 13764	Establish/Maintain Documentation	Preventive
Include an individual's license plate number in the personal data definition. CC ID 13763	Establish/Maintain Documentation	Preventive
Include an individual's financial account number in the personal data definition. CC ID 04692	Data and Information Management	Preventive
Include an individual's account balances in the personal data definition. CC ID 13770	Establish/Maintain Documentation	Preventive
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768	Data and Information Management	Preventive
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694	Data and Information Management	Preventive
Include an individual's logon credentials in the personal data definition. CC ID 13771	Establish/Maintain Documentation	Preventive
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743	Data and Information Management	Preventive
Include an individual's passport number in the personal data definition. CC ID 04713	Data and Information Management	Preventive
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691	Data and Information Management	Preventive
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690	Data and Information Management	Preventive
Include an individual's military identification number in the personal data definition. CC ID 13083	Establish/Maintain Documentation	Preventive
Include an individual's e-mail address in the personal data definition. CC ID 04696	Data and Information Management	Preventive
Include electronic signatures in the personal data definition. CC ID 04697	Data and Information Management	Preventive
Include an individual's payment card information in the personal data definition. CC ID 04751	Data and Information Management	Preventive
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693	Data and Information Management	Preventive
Include an individual's payment card service code in the personal data definition. CC ID 04753	Data and Information Management	Preventive
Include an individual's payment card expiration date in the personal data definition. CC ID 04755	Data and Information Management	Preventive
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825	Data and Information Management	Preventive
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700	Data and Information Management	Preventive
Include an individual's medical history in the personal data definition. CC ID 04701	Data and Information Management	Preventive
Include an individual's medical treatment in the personal data definition. CC ID 04702	Data and Information Management	Preventive
Include an individual's medical diagnosis in the personal data definition. CC ID 04703	Data and Information Management	Preventive
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704	Data and Information Management	Preventive
Include an individual's medical record numbers in the personal data definition. CC ID 07121	Data and Information Management	Preventive
Include an individual's health insurance information in the personal data definition. CC ID 04705	Data and Information Management	Preventive
Include an individual's health insurance policy number in the personal data definition. CC ID 04706	Data and Information Management	Preventive
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707	Data and Information Management	Preventive
Include an individual's education information in the personal data definition. CC ID 04714	Data and Information Management	Preventive
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122	Data and Information Management	Preventive
Include an individual's employment information in the personal data definition. CC ID 04715	Data and Information Management	Preventive
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767	Data and Information Management	Preventive
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763	Data and Information Management	Preventive
Include an individual's employment history in the personal data definition. CC ID 04716	Data and Information Management	Preventive
Include an individual's place of employment in the personal data definition. CC ID 04765	Data and Information Management	Preventive
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766	Data and Information Management	Preventive
Include an individual's property information in the personal data definition. CC ID 04780	Data and Information Management	Preventive
Include an individual's property title in the personal data definition. CC ID 04781	Data and Information Management	Preventive
Include an individual's vehicle registration in the personal data definition. CC ID 04782	Data and Information Management	Preventive
Include hardware asset identification information in the personal data definition. CC ID 07123	Data and Information Management	Preventive
Include MAC addresses in the personal data definition. CC ID 04778	Data and Information Management	Preventive
Include Internet Protocol addresses in the personal data definition. CC ID 04777	Data and Information Management	Preventive
Include asset serial numbers in the personal data definition. CC ID 07124	Data and Information Management	Preventive
Include Uniform Resource Locators in the personal data definition. CC ID 07125	Data and Information Management	Preventive
Refrain from including publicly available information in the personal data definition. CC ID 13084	Establish/Maintain Documentation	Preventive
Define specially restricted data. CC ID 00037	Data and Information Management	Preventive
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079	Data and Information Management	Preventive
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075	Data and Information Management	Preventive
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080	Data and Information Management	Preventive
Implement a nondiscrimination principle. CC ID 00081	Data and Information Management	Preventive
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799	Data and Information Management	Preventive
Preserve each individual's right to human dignity. CC ID 00082	Data and Information Management	Preventive
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058	Data and Information Management	Preventive
Employ a random number generator to create authenticators. CC ID 13782	Technical Security	Preventive
Collect Personal Identification Numbers with the individual's consent. CC ID 00059	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792	Data and Information Management	Preventive
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069	Behavior	Preventive
Manage health data collection. CC ID 00050	Data and Information Management	Preventive
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052	Data and Information Management	Preventive
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053	Data and Information Management	Preventive
Collect Individually Identifiable Health Information for research. CC ID 00054	Data and Information Management	Preventive
Remove personal data before disclosing health data. CC ID 00055	Data and Information Management	Preventive
Give special attention to collecting children's data. CC ID 00038	Data and Information Management	Preventive
Use simple understandable language to collect information from children. CC ID 00039	Behavior	Preventive
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Establish/Maintain Documentation	Preventive
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Data and Information Management	Preventive
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Establish/Maintain Documentation	Preventive
Collect personal data directly from the data subject. CC ID 00011	Data and Information Management	Preventive
Create and manage user account aliases to maintain pseudonymity. CC ID 04549	Data and Information Management	Preventive
Provide unlinkability for users and resources. CC ID 04550	Data and Information Management	Preventive
Provide unobservability of users and resources. CC ID 04551	Technical Security	Preventive
Confirm the data quality of personal data collected from third parties. CC ID 13510	Investigate	Detective
Collect restricted data in a fair and lawful manner. CC ID 00010	Data and Information Management	Preventive
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013	Data and Information Management	Preventive
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014	Data and Information Management	Preventive
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015	Data and Information Management	Preventive
Collect personal data absent consent in order to make a disclosure. CC ID 13550	Data and Information Management	Preventive
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801	Data and Information Management	Preventive
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548	Data and Information Management	Preventive
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544	Data and Information Management	Preventive
Collect personal data absent consent for handling insurance claims. CC ID 13543	Data and Information Management	Preventive
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016	Data and Information Management	Preventive
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295	Data and Information Management	Preventive
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614	Data and Information Management	Preventive
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277	Data and Information Management	Preventive
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289	Data and Information Management	Preventive
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292	Data and Information Management	Preventive
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017	Data and Information Management	Preventive
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293	Data and Information Management	Preventive
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018	Data and Information Management	Preventive
Collect restricted data absent consent from publicly available information. CC ID 00019	Data and Information Management	Preventive
Collect restricted data absent consent when needed by law. CC ID 00020	Data and Information Management	Preventive
Collect personal data absent consent to create a credit report. CC ID 15287	Data and Information Management	Preventive
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021	Data and Information Management	Preventive
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022	Data and Information Management	Preventive
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]	Data and Information Management	Preventive
Collect restricted data in a proper information framework. CC ID 00009	Data and Information Management	Preventive
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]	Data and Information Management	Preventive
Collect restricted data when required by law. CC ID 00031	Data and Information Management	Preventive
Collect restricted data to prevent life-threatening emergencies. CC ID 00032	Data and Information Management	Preventive
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034	Data and Information Management	Preventive
Collect restricted data for legal purposes. CC ID 00036	Data and Information Management	Preventive
Validate the business need for maintaining collected restricted data. CC ID 17090	Data and Information Management	Preventive
Review the methods for collecting personal data, as necessary. CC ID 13511	Investigate	Detective
Provide the data subject with information about the data controller during the collection process. CC ID 00023	Establish/Maintain Documentation	Preventive
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760	Communicate	Preventive
Provide the data subject with the data collector's name and contact information. CC ID 00024	Establish/Maintain Documentation	Preventive
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025	Establish/Maintain Documentation	Preventive
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Establish/Maintain Documentation	Preventive
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Data and Information Management	Preventive
Protect electronic messaging information. CC ID 12022	Technical Security	Preventive
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Data and Information Management	Preventive
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Configuration	Preventive
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Testing	Detective
Store payment card data in secure chips, if possible. CC ID 13065	Configuration	Preventive
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Configuration	Preventive
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Technical Security	Preventive
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Data and Information Management	Preventive
Log the disclosure of personal data. CC ID 06628	Log Management	Preventive
Log the modification of personal data. CC ID 11844	Log Management	Preventive
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Technical Security	Preventive
Implement security measures to protect personal data. CC ID 13606 [{technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]	Technical Security	Preventive
Implement physical controls to protect personal data. CC ID 00355	Testing	Preventive
Limit data leakage. CC ID 00356	Data and Information Management	Preventive
Conduct personal data risk assessments. CC ID 00357	Testing	Detective
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Business Processes	Preventive
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Establish/Maintain Documentation	Detective
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Data and Information Management	Detective
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Data and Information Management	Detective
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Monitor and Evaluate Occurrences	Detective
Perform an identity check prior to approving an account change request. CC ID 13670	Investigate	Detective
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Behavior	Detective
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Data and Information Management	Detective
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Log Management	Detective
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Monitor and Evaluate Occurrences	Corrective
Log dates for account name changes or address changes. CC ID 04876	Log Management	Detective
Review accounts that are changed for additional user requests. CC ID 11846	Monitor and Evaluate Occurrences	Detective
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Data and Information Management	Detective
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Acquisition/Sale of Assets or Services	Preventive
Search the Internet for evidence of data leakage. CC ID 10419	Process or Activity	Detective
Alert appropriate personnel when data leakage is detected. CC ID 14715	Process or Activity	Preventive
Review monitored websites for data leakage. CC ID 10593	Monitor and Evaluate Occurrences	Detective
Take appropriate action when a data leakage is discovered. CC ID 14716	Process or Activity	Corrective
Include text about data ownership in the data handling policy. CC ID 15720	Data and Information Management	Preventive
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain call metadata controls. CC ID 04790	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: reidentify deidentified data; Section 7(a) (1) A processor or third party must not attempt to identify the subjects of deidentified or pseudonymous data without the express authority of the controller that caused the data to be deidentified or pseudonymized. Section 7(d) A controller, processor, or third party must not attempt to identify the subjects of data that has been collected with only pseudonymous identifiers. Section 7(e) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]	Data and Information Management	Preventive
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127	Data and Information Management	Preventive
Store de-identifying code and re-identifying code separately. CC ID 16535 [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]	Data and Information Management	Preventive
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128	Data and Information Management	Preventive
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465	Communicate	Preventive
Establish, implement, and maintain data handling procedures. CC ID 11756	Establish/Maintain Documentation	Preventive
Define personal data that falls under breach notification rules. CC ID 00800	Establish/Maintain Documentation	Preventive
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662	Data and Information Management	Preventive
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669	Data and Information Management	Preventive
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771	Data and Information Management	Preventive
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671	Data and Information Management	Preventive
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672	Data and Information Management	Preventive
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670	Data and Information Management	Preventive
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656	Data and Information Management	Preventive
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657	Data and Information Management	Preventive
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774	Data and Information Management	Preventive
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775	Data and Information Management	Preventive
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764	Data and Information Management	Preventive
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658	Data and Information Management	Preventive
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660	Data and Information Management	Preventive
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663	Data and Information Management	Preventive
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666	Data and Information Management	Preventive
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667	Data and Information Management	Preventive
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668	Data and Information Management	Preventive
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752	Data and Information Management	Preventive
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659	Data and Information Management	Preventive
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754	Data and Information Management	Preventive
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756	Data and Information Management	Preventive
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759	Data and Information Management	Preventive
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760	Data and Information Management	Preventive
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661	Data and Information Management	Preventive
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673	Data and Information Management	Preventive
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674	Data and Information Management	Preventive
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675	Data and Information Management	Preventive
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676	Data and Information Management	Preventive
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682	Data and Information Management	Preventive
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681	Data and Information Management	Preventive
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683	Data and Information Management	Preventive
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684	Data and Information Management	Preventive
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772	Data and Information Management	Preventive
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773	Data and Information Management	Preventive
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788	Data and Information Management	Preventive
Define an out of scope privacy breach. CC ID 04677	Establish/Maintain Documentation	Preventive
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678	Business Processes	Preventive
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679	Monitor and Evaluate Occurrences	Preventive
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761	Monitor and Evaluate Occurrences	Preventive
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762	Monitor and Evaluate Occurrences	Preventive
Conduct internal data processing audits. CC ID 00374	Testing	Detective
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466	Communicate	Preventive
Establish, implement, and maintain a personal data transfer program. CC ID 00307	Establish/Maintain Documentation	Preventive
Obtain consent from an individual prior to transferring personal data. CC ID 06948	Data and Information Management	Preventive
Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351	Establish/Maintain Documentation	Preventive
Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528	Business Processes	Preventive
Notify data subjects when their personal data is transferred. CC ID 00352	Behavior	Preventive
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333	Establish/Maintain Documentation	Preventive
Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414	Communicate	Preventive
Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314	Data and Information Management	Preventive
Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312	Data and Information Management	Preventive
Prohibit the transfer of personal data when security is inadequate. CC ID 00345	Data and Information Management	Preventive
Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346	Data and Information Management	Preventive
Refrain from transferring past the first transfer. CC ID 00347	Data and Information Management	Preventive
Document transfer disagreements by the data subject in writing. CC ID 00348	Establish/Maintain Documentation	Preventive
Allow the data subject the right to object to the personal data transfer. CC ID 00349	Data and Information Management	Preventive
Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428	Records Management	Preventive
Follow the instructions of the data transferrer. CC ID 00334	Behavior	Preventive
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315	Establish/Maintain Documentation	Preventive
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316	Data and Information Management	Preventive
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317	Data and Information Management	Preventive
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318	Data and Information Management	Preventive
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319	Data and Information Management	Preventive
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320	Data and Information Management	Preventive
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321	Data and Information Management	Preventive
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322	Data and Information Management	Preventive
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323	Data and Information Management	Preventive
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324	Data and Information Management	Preventive
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325	Data and Information Management	Preventive
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326	Data and Information Management	Preventive
Require transferees to implement adequate data protection levels for the personal data. CC ID 00335	Data and Information Management	Preventive
Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527	Business Processes	Preventive
Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336	Establish/Maintain Documentation	Preventive
Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337	Data and Information Management	Preventive
Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338	Data and Information Management	Preventive
Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339	Data and Information Management	Preventive
Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340	Data and Information Management	Preventive
Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341	Data and Information Management	Preventive
Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342	Data and Information Management	Preventive
Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343	Data and Information Management	Preventive
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344	Data and Information Management	Preventive
Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353	Communicate	Preventive
Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350	Behavior	Preventive
Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949	Establish/Maintain Documentation	Preventive
Obtain consent prior to storing cookies on an individual's browser. CC ID 06950	Data and Information Management	Preventive
Obtain consent prior to downloading software to an individual's computer. CC ID 06951	Data and Information Management	Preventive
Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000	Process or Activity	Preventive
Remove or uninstall software from an individual's computer, as necessary. CC ID 13998	Process or Activity	Preventive
Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997	Process or Activity	Preventive
Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961	Data and Information Management	Preventive
Establish, implement, and maintain a privacy impact assessment. CC ID 13712	Establish/Maintain Documentation	Preventive
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520	Establish/Maintain Documentation	Preventive
Include how to grant consent in the privacy impact assessment. CC ID 15519	Establish/Maintain Documentation	Preventive
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518	Establish/Maintain Documentation	Preventive
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517	Establish/Maintain Documentation	Preventive
Include data handling procedures in the privacy impact assessment. CC ID 15516	Establish/Maintain Documentation	Preventive
Include the intended use of information in the privacy impact assessment. CC ID 15515	Establish/Maintain Documentation	Preventive
Include the reason information is being collected in the privacy impact assessment. CC ID 15514	Establish/Maintain Documentation	Preventive
Include the type of information to be collected in the privacy impact assessment. CC ID 15513	Business Processes	Preventive
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458	Communicate	Preventive
Review compliance with the organization's privacy objectives. CC ID 13490 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)]	Human Resources Management	Detective
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and remediate violations of this chapter. Section 10(a) (2)(vi)]	Data and Information Management	Preventive
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852	Behavior	Preventive
Implement procedures to file privacy rights violation complaints. CC ID 00476	Data and Information Management	Corrective
File privacy rights violation complaints in writing. CC ID 00477	Establish/Maintain Documentation	Corrective
Include supporting documentation in the privacy rights violation complaint. CC ID 16997	Establish/Maintain Documentation	Preventive
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360	Establish/Maintain Documentation	Corrective
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359	Establish/Maintain Documentation	Preventive
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478	Behavior	Corrective
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807	Business Processes	Preventive
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479	Behavior	Corrective
Change or destroy any personal data that is incorrect. CC ID 00462 [{be inaccurate} A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data. Section 6 Subdivision 1(c)]	Data and Information Management	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Behavior	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Data and Information Management	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Data and Information Management	Corrective
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526	Establish/Maintain Documentation	Preventive
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Establish/Maintain Documentation	Preventive
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Establish/Maintain Documentation	Preventive
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529	Establish/Maintain Documentation	Preventive
Document unresolved challenges. CC ID 13568	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Establish/Maintain Documentation	Preventive
Notify individuals of their right to challenge personal data. CC ID 00457 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]	Data and Information Management	Preventive
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Data and Information Management	Preventive
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Configuration	Preventive
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Human Resources Management	Preventive
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Data and Information Management	Preventive
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861	Communicate	Preventive
Investigate the disputed accuracy of personal data. CC ID 00461	Data and Information Management	Preventive
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Behavior	Corrective
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467	Behavior	Corrective
Notify third parties of unresolved challenges. CC ID 13559	Communicate	Preventive
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Establish/Maintain Documentation	Preventive
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954	Establish/Maintain Documentation	Preventive
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475	Data and Information Management	Corrective
Investigate privacy rights violation complaints. CC ID 00480	Behavior	Detective
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; Section 11(a) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; Section 11(a) (3)]	Business Processes	Corrective
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491	Behavior	Detective
Include the allegations against the organization in the notice of investigation. CC ID 13031	Establish/Maintain Documentation	Preventive
Investigate privacy rights violation complaints in private. CC ID 00492	Behavior	Detective
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493	Behavior	Detective
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494	Behavior	Detective
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]	Behavior	Preventive
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486	Behavior	Preventive
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Behavior	Preventive
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488	Behavior	Preventive
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489	Behavior	Preventive
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513	Communicate	Corrective
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495	Establish/Maintain Documentation	Corrective
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496	Behavior	Corrective
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497	Establish/Maintain Documentation	Detective
Order the organization to change to be in compliance with applicable law. CC ID 00499	Behavior	Corrective
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500	Behavior	Corrective
Award damages based on applicable law. CC ID 00501	Behavior	Corrective
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503	Data and Information Management	Corrective
Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} In no event shall any contract relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship under this chapter. Section 5(f) A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d) {is liable} Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation. Section 12(c)]	Establish/Maintain Documentation	Preventive
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Establish/Maintain Documentation	Preventive
Define the appeal process based on the applicable law. CC ID 00506 [A controller must establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the rights under subdivision 1 within a reasonable period of time after the consumer's receipt of the notice sent by the controller under subdivision 4, paragraph (f). Section 6 Subdivision 5(a) The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b) The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b)]	Establish/Maintain Documentation	Preventive
Define the fee structure for the appeal process. CC ID 16532	Process or Activity	Preventive
Define the time requirements for the appeal process. CC ID 16531	Process or Activity	Preventive
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]	Communicate	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Communicate	Preventive
Provide notice of proposed penalties. CC ID 06216	Establish/Maintain Documentation	Preventive
Notify the public and other agencies after a penalty becomes final. CC ID 06217	Behavior	Preventive
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218	Testing	Detective
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Data and Information Management	Preventive
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h) A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Establish/Maintain Documentation	Preventive
Check the accuracy of restricted data. CC ID 00088	Data and Information Management	Preventive
Record restricted data correctly. CC ID 00089	Testing	Detective
Check the data accuracy of new accounts. CC ID 04859	Data and Information Management	Preventive
Use documents for identification that do not appear altered or forged. CC ID 04860	Establish/Maintain Documentation	Preventive
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861	Testing	Detective
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862	Data and Information Management	Preventive
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863	Data and Information Management	Preventive
Correlate the applicant's social security number with their date of birth. CC ID 04864	Data and Information Management	Preventive
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867	Data and Information Management	Preventive
Compare the applicant's personal data against known fraudulent activities. CC ID 04865	Data and Information Management	Preventive
Compare the applicant's address against known suspicious addresses. CC ID 04866	Data and Information Management	Preventive
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868	Data and Information Management	Preventive
Provide additional personal data when the application is incomplete. CC ID 04869	Data and Information Management	Preventive
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870	Data and Information Management	Detective
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871	Behavior	Detective
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872	Data and Information Management	Detective
Interview appropriate parties to validate consumer information. CC ID 16902	Process or Activity	Preventive
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972	Business Processes	Detective
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899	Business Processes	Preventive
Use contact methods specified by the consumer for identity verification. CC ID 16878	Process or Activity	Preventive

Records management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Records management CC ID 00902	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain records management procedures. CC ID 11619	Establish/Maintain Documentation	Preventive
Capture the records required by organizational compliance requirements. CC ID 00912 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]	Records Management	Detective
Establish, implement, and maintain authorization records. CC ID 14367	Establish/Maintain Documentation	Preventive
Include the reasons for granting the authorization in the authorization records. CC ID 14371	Establish/Maintain Documentation	Preventive
Include the date and time the authorization was granted in the authorization records. CC ID 14370	Establish/Maintain Documentation	Preventive
Include the person's name who approved the authorization in the authorization records. CC ID 14369	Establish/Maintain Documentation	Preventive
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555	Data and Information Management	Detective
Establish, implement, and maintain electronic health records. CC ID 14436	Data and Information Management	Preventive
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437	Data and Information Management	Preventive
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438	Records Management	Preventive
Display required information automatically in electronic health records. CC ID 14442	Process or Activity	Preventive
Create summary of care records in accordance with applicable standards. CC ID 14440	Establish/Maintain Documentation	Preventive
Provide the patient with a summary of care record, as necessary. CC ID 14441	Actionable Reports or Measurements	Preventive
Create export summaries, as necessary. CC ID 14446	Process or Activity	Preventive
Import data files into a patient's electronic health record. CC ID 14448	Data and Information Management	Preventive
Export requested sections of the electronic health record. CC ID 14447	Data and Information Management	Preventive
Identify patient-specific education resources. CC ID 14439	Process or Activity	Detective
Establish and maintain an implantable device list. CC ID 14444	Records Management	Preventive
Display the implantable device list to authorized users. CC ID 14445	Data and Information Management	Preventive
Establish, implement, and maintain decision support interventions. CC ID 14443	Business Processes	Preventive
Include attributes in the decision support intervention. CC ID 16766	Data and Information Management	Preventive
Establish, implement, and maintain a recordkeeping system. CC ID 15709	Records Management	Preventive
Log the termination date in the recordkeeping system. CC ID 16181	Records Management	Preventive
Log the name of the requestor in the recordkeeping system. CC ID 15712	Records Management	Preventive
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711	Records Management	Preventive
Log records as being received into the recordkeeping system. CC ID 11696	Records Management	Preventive
Log the date and time each item is received into the recordkeeping system. CC ID 11709	Log Management	Preventive
Log the date and time each item is made available into the recordkeeping system. CC ID 11710	Log Management	Preventive
Log the number of routine items received into the recordkeeping system. CC ID 11701	Establish/Maintain Documentation	Preventive
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707	Log Management	Preventive
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705	Log Management	Preventive
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703	Log Management	Preventive
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711	Log Management	Preventive
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718	Log Management	Preventive
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719	Log Management	Preventive
Log the number of non-routine items received into the recordkeeping system. CC ID 11706	Log Management	Preventive
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716	Log Management	Preventive
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708	Log Management	Preventive
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704	Log Management	Preventive
Log performance monitoring into the recordkeeping system. CC ID 11724	Log Management	Preventive
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728	Log Management	Preventive
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727	Log Management	Preventive
Establish, implement, and maintain a transfer journal. CC ID 11729	Records Management	Preventive
Log any notices filed by the organization into the recordkeeping system. CC ID 11725	Log Management	Preventive
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723	Log Management	Preventive
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720	Log Management	Preventive
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717	Log Management	Preventive
Provide a receipt of records logged into the recordkeeping system. CC ID 11697	Records Management	Preventive
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712	Log Management	Preventive
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726	Log Management	Preventive
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715	Log Management	Preventive
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720	Data and Information Management	Detective

Technical security

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Technical security CC ID 00508	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a digital identity management program. CC ID 13713	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise the rights of this chapter on the child's behalf. Section 6 Subdivision 2(b) In the case of processing personal data concerning a consumer legally subject to guardianship or conservatorship under sections 524.5-101 to 524.5-502, the guardian or the conservator of the consumer may exercise the rights of this chapter on the consumer's behalf. Section 6 Subdivision 2(c) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]	Establish/Maintain Documentation	Preventive
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802	Establish/Maintain Documentation	Preventive
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801	Establish/Maintain Documentation	Preventive
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800	Establish/Maintain Documentation	Preventive
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain digital identification procedures. CC ID 13714	Establish/Maintain Documentation	Preventive
Implement digital identification processes. CC ID 13731	Process or Activity	Preventive
Implement identity proofing processes. CC ID 13719 [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]	Process or Activity	Preventive
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786	Process or Activity	Preventive
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787	Process or Activity	Preventive
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776	Process or Activity	Detective
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750	Process or Activity	Preventive
Establish, implement, and maintain remote proofing procedures. CC ID 13796	Establish/Maintain Documentation	Preventive
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805	Configuration	Preventive
Interact with the data subject when performing remote proofing. CC ID 13777	Process or Activity	Detective
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742	Process or Activity	Preventive
View all applicant actions when performing remote proofing. CC ID 13804	Process or Activity	Detective
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741	Process or Activity	Preventive
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755	Process or Activity	Detective
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743	Process or Activity	Detective
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752	Process or Activity	Preventive
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785	Process or Activity	Preventive
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774	Process or Activity	Detective
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773	Process or Activity	Preventive
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745	Configuration	Preventive
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746	Configuration	Preventive
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747	Configuration	Preventive
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749	Process or Activity	Preventive
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744	Process or Activity	Detective
Validate proof of identity during the identity proofing process. CC ID 13756	Process or Activity	Detective
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797	Business Processes	Detective
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803	Process or Activity	Detective
Verify proof of identity records. CC ID 13761	Investigate	Detective
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784	Process or Activity	Detective
Allow records that relate to the data subject as proof of identity. CC ID 13772	Process or Activity	Preventive
Conduct in-person proofing with physical interactions. CC ID 13775	Process or Activity	Detective
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748	Process or Activity	Preventive
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739	Process or Activity	Preventive
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738	Process or Activity	Preventive
Refrain from approving attributes in the identity proofing process. CC ID 13716	Process or Activity	Preventive
Establish, implement, and maintain an access control program. CC ID 11702	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an access rights management plan. CC ID 00513	Establish/Maintain Documentation	Preventive
Control access rights to organizational assets. CC ID 00004	Technical Security	Preventive
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Establish Roles	Preventive
Enforce access restrictions for restricted data. CC ID 01921 [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]	Data and Information Management	Preventive
Establish, implement, and maintain an identification and authentication policy. CC ID 14033	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]	Establish/Maintain Documentation	Preventive
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002	Technical Security	Preventive
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223	Communicate	Preventive
Identify and control all network access controls. CC ID 00529	Technical Security	Preventive
Establish, implement, and maintain a network configuration standard. CC ID 00530	Establish/Maintain Documentation	Preventive
Maintain up-to-date data flow diagrams. CC ID 10059	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]	Establish/Maintain Documentation	Detective

Third Party and supply chain oversight

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Third Party and supply chain oversight CC ID 08807	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a supply chain management program. CC ID 11742	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]	Establish/Maintain Documentation	Preventive
Review and update all contracts, as necessary. CC ID 11612	Establish/Maintain Documentation	Preventive
Conduct all parts of the supply chain due diligence process. CC ID 08854	Business Processes	Preventive
Assess third parties' compliance environment during due diligence. CC ID 13134	Process or Activity	Detective
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d)]	Establish/Maintain Documentation	Detective
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139	Communicate	Preventive
Include the audit scope in the third party external audit report. CC ID 13138	Establish/Maintain Documentation	Preventive
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063	Establish/Maintain Documentation	Detective
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065	Establish/Maintain Documentation	Detective
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878	Business Processes	Preventive
Provide products or services per customer requests. CC ID 08893 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]	Business Processes	Preventive

Common Controls and
mandates by Type 143 Mandated Controls - bold
87 Implied Controls - italic 1264 Implementation

Number of Controls

1494 Total

Acquisition/Sale of Assets or Services

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983	Monitoring and measurement	Preventive
Implement automated audit tools. CC ID 04882	Monitoring and measurement	Preventive
Plan for selling facilities, technology, or services. CC ID 06893	Acquisition or sale of facilities, technology, and services	Preventive
Refrain from providing products and services, as necessary. CC ID 15580 [{not require} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: require a controller to provide a good or service that requires the consumer's personal data that the controller does not collect or maintain; or Section 8 Subdivision 3(b) (1)]	Acquisition or sale of facilities, technology, and services	Preventive
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Privacy protection for information and data	Preventive

Actionable Reports or Measurements

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818	Audits and risk management	Preventive
Refrain from including restricted information in the incident response notification. CC ID 16806	Operational management	Preventive
Provide the patient with a summary of care record, as necessary. CC ID 14441	Records management	Preventive

Audits and Risk Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Monitoring and measurement	Preventive
Provide security inspectors access to personnel files during site reviews. CC ID 12300	Human Resources management	Detective

Behavior

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675	Monitoring and measurement	Corrective
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908	Human Resources management	Preventive
Establish, implement, and maintain an ethical culture. CC ID 12781	Human Resources management	Preventive
Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608	Human Resources management	Preventive
Refrain from discriminating against employees who are whistleblowers. CC ID 13609	Human Resources management	Preventive
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607	Human Resources management	Preventive
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060	Human Resources management	Preventive
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059	Human Resources management	Preventive
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052	Human Resources management	Preventive
Respond to all alerts from security systems in a timely manner. CC ID 06434	Operational management	Corrective
Share data loss event information with the media. CC ID 01759	Operational management	Corrective
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Corrective
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365	Operational management	Corrective
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801	Operational management	Detective
Delay sending incident response notifications under predetermined conditions. CC ID 00804	Operational management	Corrective
Avoid false positive incident response notifications. CC ID 04732	Operational management	Detective
Send paper incident response notifications to affected parties, as necessary. CC ID 00366	Operational management	Corrective
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803	Operational management	Corrective
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368	Operational management	Corrective
Telephone incident response notifications to affected parties, as necessary. CC ID 04650	Operational management	Corrective
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747	Operational management	Preventive
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750	Operational management	Preventive
Publish the incident response notification in a general circulation periodical. CC ID 04651	Operational management	Corrective
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769	Operational management	Preventive
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367	Operational management	Corrective
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Privacy protection for information and data	Preventive
Define the criteria for waivers of data subjects' rights. CC ID 16858	Privacy protection for information and data	Preventive
Revoke waivers of data subject's rights, as necessary. CC ID 16859	Privacy protection for information and data	Preventive
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 [Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e) Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]	Privacy protection for information and data	Preventive
Notify the supervisory authority. CC ID 00472	Privacy protection for information and data	Preventive
Notify the data subject of the collection purpose. CC ID 00095	Privacy protection for information and data	Preventive
Notify the data subject of the consequences for not providing personal data. CC ID 00104	Privacy protection for information and data	Preventive
Notify the data subject of changes to personal data use. CC ID 00105	Privacy protection for information and data	Preventive
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Privacy protection for information and data	Preventive
Respond to data access requests in a timely manner. CC ID 00421 [Except as provided in this chapter, a controller must comply with a request to exercise the consumer rights provided in this subdivision. Section 6 Subdivision 1(a) Except as provided in this chapter, a controller must comply with a request to exercise the rights pursuant to subdivision 1. Section 6 Subdivision 4(a) A controller must comply with a request to exercise the right in subdivision 1, paragraph (f), as soon as feasibly possible, but no later than 45 days of receipt of the request. Section 6 Subdivision 4(d) A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)]	Privacy protection for information and data	Preventive
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Detective
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423	Privacy protection for information and data	Detective
Notify the data subject after personal data is used or disclosed. CC ID 06247 [Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Preventive
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]	Privacy protection for information and data	Preventive
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Privacy protection for information and data	Preventive
Notify the data subject of the source of collected personal data. CC ID 00083	Privacy protection for information and data	Preventive
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069	Privacy protection for information and data	Preventive
Use simple understandable language to collect information from children. CC ID 00039	Privacy protection for information and data	Preventive
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Privacy protection for information and data	Detective
Notify data subjects when their personal data is transferred. CC ID 00352	Privacy protection for information and data	Preventive
Follow the instructions of the data transferrer. CC ID 00334	Privacy protection for information and data	Preventive
Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350	Privacy protection for information and data	Preventive
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852	Privacy protection for information and data	Preventive
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478	Privacy protection for information and data	Corrective
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479	Privacy protection for information and data	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Corrective
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Privacy protection for information and data	Corrective
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467	Privacy protection for information and data	Corrective
Investigate privacy rights violation complaints. CC ID 00480	Privacy protection for information and data	Detective
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491	Privacy protection for information and data	Detective
Investigate privacy rights violation complaints in private. CC ID 00492	Privacy protection for information and data	Detective
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493	Privacy protection for information and data	Detective
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494	Privacy protection for information and data	Detective
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]	Privacy protection for information and data	Preventive
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489	Privacy protection for information and data	Preventive
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496	Privacy protection for information and data	Corrective
Order the organization to change to be in compliance with applicable law. CC ID 00499	Privacy protection for information and data	Corrective
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500	Privacy protection for information and data	Corrective
Award damages based on applicable law. CC ID 00501	Privacy protection for information and data	Corrective
Notify the public and other agencies after a penalty becomes final. CC ID 06217	Privacy protection for information and data	Preventive
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871	Privacy protection for information and data	Detective

Business Processes

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Leadership and high level objectives	Preventive
Implement a fraud detection system. CC ID 13081 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Monitoring and measurement	Preventive
Approve the system security plan. CC ID 14241	Monitoring and measurement	Preventive
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063	Monitoring and measurement	Detective
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797	Technical security	Detective
Refrain from practicing false advertising. CC ID 14253	Human Resources management	Preventive
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806	Human Resources management	Preventive
Respond to ethics complaints of ethics violations. CC ID 11497	Human Resources management	Corrective
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Preventive
Establish, implement, and maintain an Asset Management program. CC ID 06630	Operational management	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Preventive
Establish, implement, and maintain an anti-money laundering program. CC ID 13675	Operational management	Detective
Remediate security violations according to organizational standards. CC ID 12338	Operational management	Preventive
Refrain from charging for providing incident response notifications. CC ID 13876	Operational management	Preventive
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Operational management	Corrective
Eradicate the cause of the incident after the incident has been contained. CC ID 01757	Operational management	Corrective
Establish, implement, and maintain decision support interventions. CC ID 14443	Records management	Preventive
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [A controller may not require a consumer to create a new account in order to exercise a right, but a controller may require a consumer to use an existing account to exercise the consumer's rights under this section. Section 6 Subdivision 4(c)]	Privacy protection for information and data	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Privacy protection for information and data	Preventive
Approve the privacy plan. CC ID 14700	Privacy protection for information and data	Preventive
Protect private communications in keeping with compliance requirements. CC ID 14334 [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]	Privacy protection for information and data	Preventive
Refrain from charging a fee to implement an opt-out request. CC ID 13877	Privacy protection for information and data	Preventive
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{not prohibit} {be different} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. Section 8 Subdivision 3(b) (2)]	Privacy protection for information and data	Preventive
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Privacy protection for information and data	Preventive
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Privacy protection for information and data	Preventive
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Privacy protection for information and data	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d) {loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b) {opt out} A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: opting the consumer out of the processing of personal data for any purpose except for the purposes exempted pursuant to the provisions of this chapter. Section 6 Subdivision 4(k) (2) {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]	Privacy protection for information and data	Preventive
Allow consent requests to be provided in any official languages. CC ID 16530	Privacy protection for information and data	Preventive
Define the requirements for approving or denying approval applications. CC ID 16780	Privacy protection for information and data	Preventive
Extend the time limit for approving or denying approval applications. CC ID 16779	Privacy protection for information and data	Preventive
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394	Privacy protection for information and data	Preventive
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502	Privacy protection for information and data	Preventive
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Privacy protection for information and data	Preventive
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Privacy protection for information and data	Preventive
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Privacy protection for information and data	Preventive
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Privacy protection for information and data	Preventive
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Privacy protection for information and data	Preventive
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Privacy protection for information and data	Preventive
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Privacy protection for information and data	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [{refrain from selling} {absent consent} {minor} A controller may not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16. Section 8 Subdivision 2(f)]	Privacy protection for information and data	Preventive
Dispose of personal data removal requests, as necessary. CC ID 13512	Privacy protection for information and data	Preventive
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488	Privacy protection for information and data	Detective
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Privacy protection for information and data	Preventive
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678	Privacy protection for information and data	Preventive
Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528	Privacy protection for information and data	Preventive
Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527	Privacy protection for information and data	Preventive
Include the type of information to be collected in the privacy impact assessment. CC ID 15513	Privacy protection for information and data	Preventive
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807	Privacy protection for information and data	Preventive
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; Section 11(a) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; Section 11(a) (3)]	Privacy protection for information and data	Corrective
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972	Privacy protection for information and data	Detective
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899	Privacy protection for information and data	Preventive
Conduct all parts of the supply chain due diligence process. CC ID 08854	Third Party and supply chain oversight	Preventive
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878	Third Party and supply chain oversight	Preventive
Provide products or services per customer requests. CC ID 08893 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]	Third Party and supply chain oversight	Preventive

Communicate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Leadership and high level objectives	Preventive
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945	Leadership and high level objectives	Preventive
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275	Monitoring and measurement	Preventive
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585	Monitoring and measurement	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} {data protection assessment} As part of a civil investigative demand, the attorney general may request, in writing, that a controller disclose any data privacy and protection assessment that is relevant to an investigation conducted by the attorney general. The controller must make a data privacy and protection assessment available to the attorney general upon a request made under this paragraph. The attorney general may evaluate the data privacy and protection assessments for compliance with this chapter. Data privacy and protection assessments are classified as nonpublic data, as defined by section 13.02, subdivision 9. The disclosure of a data privacy and protection assessment pursuant to a request from the attorney general under this paragraph does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment. Section 10(f)]	Audits and risk management	Preventive
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223	Technical security	Preventive
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Human Resources management	Preventive
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858	Human Resources management	Preventive
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859	Human Resources management	Preventive
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885	Operational management	Preventive
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Operational management	Preventive
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Operational management	Preventive
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Preventive
Submit written requests to delay the notification of affected parties. CC ID 16783	Operational management	Preventive
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Operational management	Corrective
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085	Operational management	Preventive
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347	Operational management	Corrective
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142	Operational management	Preventive
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]	Operational management	Corrective
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 [{be specific} {state} A controller is not required to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all the information required by this section. Section 8 Subdivision 1(f)]	Privacy protection for information and data	Preventive
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: Section 8 Subdivision 1(a) {be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g) The controller must provide the privacy notice in a manner that is reasonably accessible to and usable by individuals with disabilities. Section 8 Subdivision 1(d)]	Privacy protection for information and data	Preventive
Update privacy notices, as necessary. CC ID 13474	Privacy protection for information and data	Preventive
Redeliver privacy notices, as necessary. CC ID 14850	Privacy protection for information and data	Preventive
Deliver privacy notices to third parties, as necessary. CC ID 13473	Privacy protection for information and data	Preventive
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435	Privacy protection for information and data	Preventive
Deliver opt-out notices, as necessary. CC ID 13449	Privacy protection for information and data	Preventive
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453	Privacy protection for information and data	Preventive
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376	Privacy protection for information and data	Preventive
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372	Privacy protection for information and data	Preventive
Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391	Privacy protection for information and data	Preventive
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393	Privacy protection for information and data	Preventive
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Privacy protection for information and data	Preventive
Notify data subjects about their privacy rights. CC ID 12989	Privacy protection for information and data	Preventive
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352	Privacy protection for information and data	Preventive
Provide public proof the organization participates in a privacy program. CC ID 12349	Privacy protection for information and data	Preventive
Disclose statements added to education records, as necessary. CC ID 12990	Privacy protection for information and data	Preventive
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Privacy protection for information and data	Preventive
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Privacy protection for information and data	Preventive
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Privacy protection for information and data	Preventive
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Privacy protection for information and data	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Privacy protection for information and data	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Privacy protection for information and data	Preventive
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346	Privacy protection for information and data	Preventive
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664	Privacy protection for information and data	Preventive
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680	Privacy protection for information and data	Preventive
Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761	Privacy protection for information and data	Preventive
Disseminate private communications when required by law. CC ID 14335	Privacy protection for information and data	Corrective
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Privacy protection for information and data	Preventive
Submit approval applications to the supervisory authority. CC ID 16627	Privacy protection for information and data	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Privacy protection for information and data	Preventive
Respond to questions about submissions in a timely manner. CC ID 16930	Privacy protection for information and data	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Privacy protection for information and data	Corrective
Notify the data controller of any changes in data processors. CC ID 12648	Privacy protection for information and data	Preventive
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Preventive
Respond to data access requests in an official language. CC ID 17176	Privacy protection for information and data	Preventive
Disclose de-identified data, as necessary. CC ID 13034	Privacy protection for information and data	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Privacy protection for information and data	Corrective
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Privacy protection for information and data	Corrective
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086	Privacy protection for information and data	Corrective
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989	Privacy protection for information and data	Corrective
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469	Privacy protection for information and data	Preventive
Capture personal data removal requests. CC ID 13507 [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)]	Privacy protection for information and data	Preventive
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901	Privacy protection for information and data	Preventive
Notify the data subject of the disclosure purpose. CC ID 15268	Privacy protection for information and data	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Privacy protection for information and data	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Preventive
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760	Privacy protection for information and data	Preventive
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465	Privacy protection for information and data	Preventive
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466	Privacy protection for information and data	Preventive
Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414	Privacy protection for information and data	Preventive
Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353	Privacy protection for information and data	Preventive
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458	Privacy protection for information and data	Preventive
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861	Privacy protection for information and data	Preventive
Notify third parties of unresolved challenges. CC ID 13559	Privacy protection for information and data	Preventive
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513	Privacy protection for information and data	Corrective
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]	Privacy protection for information and data	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Preventive
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139	Third Party and supply chain oversight	Preventive

Configuration

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805	Technical security	Preventive
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745	Technical security	Preventive
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746	Technical security	Preventive
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747	Technical security	Preventive
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Privacy protection for information and data	Preventive
Store payment card data in secure chips, if possible. CC ID 13065	Privacy protection for information and data	Preventive
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Privacy protection for information and data	Preventive
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Privacy protection for information and data	Preventive

Data and Information Management

477

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Enforce access restrictions for restricted data. CC ID 01921 [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]	Technical security	Preventive
Share incident information with interested personnel and affected parties. CC ID 01212	Operational management	Corrective
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Operational management	Preventive
Redact restricted data before sharing incident information. CC ID 16994	Operational management	Preventive
Report data loss event information to breach notification organizations. CC ID 01210	Operational management	Corrective
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463	Operational management	Preventive
Include a description of the restored data in the restoration log. CC ID 15462	Operational management	Preventive
Destroy investigative materials, as necessary. CC ID 17082	Operational management	Preventive
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555	Records management	Detective
Establish, implement, and maintain electronic health records. CC ID 14436	Records management	Preventive
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437	Records management	Preventive
Import data files into a patient's electronic health record. CC ID 14448	Records management	Preventive
Export requested sections of the electronic health record. CC ID 14447	Records management	Preventive
Display the implantable device list to authorized users. CC ID 14445	Records management	Preventive
Include attributes in the decision support intervention. CC ID 16766	Records management	Preventive
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720	Records management	Detective
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Preventive
Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819	Privacy protection for information and data	Preventive
Deliver notices to the intended parties. CC ID 06240	Privacy protection for information and data	Preventive
Establish, implement, and maintain adequate openness procedures. CC ID 00377 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: reflect the requirements of this chapter in the design of the controller's systems; Section 10(a) (2)(i)]	Privacy protection for information and data	Preventive
Provide legal authorities access to personal data, upon request. CC ID 06818	Privacy protection for information and data	Preventive
Document the countries where restricted data may be stored. CC ID 12750	Privacy protection for information and data	Preventive
Protect the rights of students and their parents or legal representatives. CC ID 00222	Privacy protection for information and data	Preventive
Disclose educational data, as necessary. CC ID 00223	Privacy protection for information and data	Preventive
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Privacy protection for information and data	Preventive
Disclose education records when written consent is received. CC ID 00224	Privacy protection for information and data	Preventive
Disclose educational data absent consent to other school officials. CC ID 00226	Privacy protection for information and data	Preventive
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Privacy protection for information and data	Preventive
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Privacy protection for information and data	Preventive
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Privacy protection for information and data	Preventive
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Privacy protection for information and data	Preventive
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Privacy protection for information and data	Preventive
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Privacy protection for information and data	Preventive
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Privacy protection for information and data	Preventive
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Privacy protection for information and data	Preventive
Disclose educational data absent consent to a crime victim. CC ID 00236	Privacy protection for information and data	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]	Privacy protection for information and data	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Privacy protection for information and data	Preventive
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 [A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead. Section 6 Subdivision 1(h)]	Privacy protection for information and data	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. Section 6 Subdivision 1(f) A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: Section 6 Subdivision 3(a) If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b) {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [{refrain from disadvantaging} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not unfairly disadvantage another controller; Section 6 Subdivision 3(a) (1) {refrain from using} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data; Section 6 Subdivision 3(a) (2) {be easy to use} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be consumer-friendly and easy to use by the average consumer; Section 6 Subdivision 3(a) (3) {be consistent} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and Section 6 Subdivision 3(a) (4) A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising. For purposes of this paragraph, the use of an Internet protocol address to estimate the consumer's location is sufficient to determine the consumer's residence. Section 6 Subdivision 3(a) (5) {opt-out mechanism} The platform, technology, or mechanism required under paragraph (a) is subject to the requirements of subdivision 4. Section 6 Subdivision 3(c) Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]	Privacy protection for information and data	Preventive
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605	Privacy protection for information and data	Preventive
Refrain from obtaining consent through deception. CC ID 13556	Privacy protection for information and data	Preventive
Give individuals the ability to change the uses of their personal data. CC ID 00469 [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]	Privacy protection for information and data	Preventive
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]	Privacy protection for information and data	Preventive
Cooperate with Data Protection Authorities. CC ID 06870 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]	Privacy protection for information and data	Preventive
Display or print the least amount of personal data necessary. CC ID 04643	Privacy protection for information and data	Preventive
Redact confidential information from public information, as necessary. CC ID 06872	Privacy protection for information and data	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Privacy protection for information and data	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125	Privacy protection for information and data	Preventive
Provide individuals with information about where their personal data was processed. CC ID 00415	Privacy protection for information and data	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]	Privacy protection for information and data	Preventive
Provide individuals with information about disclosure of their personal data. CC ID 00417	Privacy protection for information and data	Preventive
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Privacy protection for information and data	Preventive
Provide assistance to requesters in preparing data access requests. CC ID 13588	Privacy protection for information and data	Preventive
Delay responding to data access requests, as necessary. CC ID 15504 [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Preventive
Expedite the processing of data access requests, as necessary. CC ID 15496	Privacy protection for information and data	Preventive
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503	Privacy protection for information and data	Preventive
Document the outcome of the personal data access request review procedure. CC ID 00455	Privacy protection for information and data	Preventive
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299	Privacy protection for information and data	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [A controller shall not process personal data on the basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Section 8 Subdivision 3(a)]	Privacy protection for information and data	Preventive
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528	Privacy protection for information and data	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Privacy protection for information and data	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Privacy protection for information and data	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Privacy protection for information and data	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Privacy protection for information and data	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Privacy protection for information and data	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180	Privacy protection for information and data	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Privacy protection for information and data	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Privacy protection for information and data	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Privacy protection for information and data	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Privacy protection for information and data	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Privacy protection for information and data	Preventive
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and Section 11(a) (10)(i) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: under the responsibility of a professional individual who is subject to confidentiality obligations under federal, state, or local law. Section 11(a) (10)(ii) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1) {not adversely affect} Obligations imposed on controllers and processors under this chapter shall not: adversely affect the rights or freedoms of any persons, including exercising the right of free speech pursuant to the First Amendment of the United States Constitution; or Section 11(e) (1)]	Privacy protection for information and data	Preventive
Process traffic data in a controlled manner. CC ID 00130	Privacy protection for information and data	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Privacy protection for information and data	Preventive
Process personal data when it is publicly accessible. CC ID 00187	Privacy protection for information and data	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Privacy protection for information and data	Preventive
Process personal data for the purposes of employment. CC ID 16527	Privacy protection for information and data	Preventive
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189	Privacy protection for information and data	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190	Privacy protection for information and data	Preventive
Process personal data in order to advance the public interest. CC ID 00191	Privacy protection for information and data	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]	Privacy protection for information and data	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Privacy protection for information and data	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Privacy protection for information and data	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Privacy protection for information and data	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Privacy protection for information and data	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Privacy protection for information and data	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Privacy protection for information and data	Preventive
Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537	Privacy protection for information and data	Preventive
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Privacy protection for information and data	Preventive
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615	Privacy protection for information and data	Preventive
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Privacy protection for information and data	Preventive
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611	Privacy protection for information and data	Preventive
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580	Privacy protection for information and data	Preventive
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282	Privacy protection for information and data	Preventive
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587	Privacy protection for information and data	Preventive
Process personal data absent consent in order to perform a contract. CC ID 13586	Privacy protection for information and data	Preventive
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Privacy protection for information and data	Preventive
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814	Privacy protection for information and data	Preventive
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294	Privacy protection for information and data	Preventive
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Privacy protection for information and data	Preventive
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578	Privacy protection for information and data	Preventive
Process personal data absent consent when it is needed by law. CC ID 13577	Privacy protection for information and data	Preventive
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296	Privacy protection for information and data	Preventive
Process personal data absent consent when it is from publicly available information. CC ID 13576	Privacy protection for information and data	Preventive
Process personal data absent consent to create a credit report. CC ID 15288	Privacy protection for information and data	Preventive
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575	Privacy protection for information and data	Preventive
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291	Privacy protection for information and data	Preventive
Process personal data absent consent when produced for business purposes. CC ID 13563	Privacy protection for information and data	Preventive
Process personal data absent consent for handling insurance claims. CC ID 13561	Privacy protection for information and data	Preventive
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533	Privacy protection for information and data	Preventive
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Privacy protection for information and data	Preventive
Process personal data absent consent for life-threatening emergencies. CC ID 13558	Privacy protection for information and data	Preventive
Process personal data absent consent for reasonable investigative purposes. CC ID 13557	Privacy protection for information and data	Preventive
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157	Privacy protection for information and data	Preventive
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158	Privacy protection for information and data	Detective
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when the law does not require consent. CC ID 00136	Privacy protection for information and data	Preventive
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270	Privacy protection for information and data	Preventive
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594	Privacy protection for information and data	Preventive
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284	Privacy protection for information and data	Preventive
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616	Privacy protection for information and data	Preventive
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613	Privacy protection for information and data	Preventive
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603	Privacy protection for information and data	Preventive
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598	Privacy protection for information and data	Preventive
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596	Privacy protection for information and data	Preventive
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592	Privacy protection for information and data	Preventive
Disclose personal data absent consent to create a credit report. CC ID 15297	Privacy protection for information and data	Preventive
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595	Privacy protection for information and data	Preventive
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583	Privacy protection for information and data	Preventive
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593	Privacy protection for information and data	Preventive
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285	Privacy protection for information and data	Preventive
Disclose personal data absent consent for handling insurance claims. CC ID 13585	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555	Privacy protection for information and data	Preventive
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853	Privacy protection for information and data	Preventive
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553	Privacy protection for information and data	Preventive
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to perform a contract. CC ID 00139	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140	Privacy protection for information and data	Preventive
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290	Privacy protection for information and data	Preventive
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286	Privacy protection for information and data	Preventive
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144	Privacy protection for information and data	Preventive
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145	Privacy protection for information and data	Preventive
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146	Privacy protection for information and data	Preventive
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147	Privacy protection for information and data	Preventive
Disclose restricted data absent consent for public economic interests. CC ID 00148	Privacy protection for information and data	Preventive
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149	Privacy protection for information and data	Preventive
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152	Privacy protection for information and data	Preventive
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is needed by law. CC ID 00163	Privacy protection for information and data	Preventive
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796	Privacy protection for information and data	Preventive
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164	Privacy protection for information and data	Preventive
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855	Privacy protection for information and data	Preventive
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165	Privacy protection for information and data	Preventive
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166	Privacy protection for information and data	Preventive
Refrain from selling restricted data, as necessary. CC ID 17165 [{absent consent} A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent. Section 9(a)]	Privacy protection for information and data	Preventive
Limit the redisclosure and reuse of restricted data. CC ID 00168	Privacy protection for information and data	Preventive
Refrain from redisclosing or reusing restricted data. CC ID 00169	Privacy protection for information and data	Preventive
Redisclose restricted data when the data subject consents. CC ID 00171	Privacy protection for information and data	Preventive
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172	Privacy protection for information and data	Preventive
Redisclose restricted data in order to protect public revenue. CC ID 00173	Privacy protection for information and data	Preventive
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174	Privacy protection for information and data	Preventive
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175	Privacy protection for information and data	Preventive
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176	Privacy protection for information and data	Preventive
Redisclose restricted data in order to preserve human life at sea. CC ID 00177	Privacy protection for information and data	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]	Privacy protection for information and data	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Privacy protection for information and data	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Privacy protection for information and data	Preventive
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Privacy protection for information and data	Preventive
Process Personal Identification Numbers with consent. CC ID 00239	Privacy protection for information and data	Preventive
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Privacy protection for information and data	Preventive
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Privacy protection for information and data	Preventive
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Privacy protection for information and data	Preventive
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Privacy protection for information and data	Preventive
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Privacy protection for information and data	Preventive
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Privacy protection for information and data	Preventive
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Privacy protection for information and data	Preventive
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Privacy protection for information and data	Preventive
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821	Privacy protection for information and data	Preventive
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298	Privacy protection for information and data	Preventive
Review personal data disclosure requests. CC ID 07129	Privacy protection for information and data	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]	Privacy protection for information and data	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Privacy protection for information and data	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Privacy protection for information and data	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [In response to a consumer request under subdivision 1, a controller is not required to reveal any trade secret. Section 6 Subdivision 4(j)]	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Privacy protection for information and data	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Privacy protection for information and data	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Privacy protection for information and data	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Privacy protection for information and data	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Privacy protection for information and data	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g) If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]	Privacy protection for information and data	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]	Privacy protection for information and data	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Privacy protection for information and data	Preventive
Provide data or records in a reasonable time frame. CC ID 00429	Privacy protection for information and data	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Privacy protection for information and data	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Privacy protection for information and data	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Privacy protection for information and data	Preventive
Provide data at a cost that is not excessive. CC ID 00430 [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g) {be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]	Privacy protection for information and data	Preventive
Provide records or data in a reasonable manner. CC ID 00431 [A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Section 6 Subdivision 1(e)]	Privacy protection for information and data	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Privacy protection for information and data	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Privacy protection for information and data	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Privacy protection for information and data	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Privacy protection for information and data	Preventive
Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953	Privacy protection for information and data	Preventive
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279	Privacy protection for information and data	Preventive
Refrain from collecting personal data, as necessary. CC ID 15269 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]	Privacy protection for information and data	Preventive
Use personal data for specified purposes. CC ID 11831 [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1) {be necessary} {be reasonable} {be proportionate} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: necessary, reasonable, and proportionate to the purposes listed in this section; Section 11(f) (1) {be adequate} {be relevant} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in this section; and Section 11(f) (2) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Privacy protection for information and data	Preventive
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012	Privacy protection for information and data	Preventive
Provide explicit consent that is clear and unambiguous. CC ID 00181	Privacy protection for information and data	Preventive
Allow individuals to change their personal data collection consent preferences. CC ID 06946	Privacy protection for information and data	Preventive
Adhere to each individual's personal data collection consent preferences. CC ID 06947	Privacy protection for information and data	Preventive
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717	Privacy protection for information and data	Preventive
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718	Privacy protection for information and data	Preventive
Include an individual's name in the personal data definition. CC ID 04710	Privacy protection for information and data	Preventive
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709	Privacy protection for information and data	Preventive
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686	Privacy protection for information and data	Preventive
Include an individual's signature in the personal data definition. CC ID 04711	Privacy protection for information and data	Preventive
Include an individual's date of birth in the personal data definition. CC ID 04770	Privacy protection for information and data	Preventive
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712	Privacy protection for information and data	Preventive
Include an individual's biometric data in the personal data definition. CC ID 04698	Privacy protection for information and data	Preventive
Include an individual's photographic image in the personal data definition. CC ID 04779	Privacy protection for information and data	Preventive
Include an individual's fingerprints in the personal data definition. CC ID 04689	Privacy protection for information and data	Preventive
Include an individual's address in the personal data definition. CC ID 04687	Privacy protection for information and data	Preventive
Include an individual's telephone number in the personal data definition. CC ID 04688	Privacy protection for information and data	Preventive
Include an individual's fax number in the personal data definition. CC ID 07120	Privacy protection for information and data	Preventive
Include an individual's financial account number in the personal data definition. CC ID 04692	Privacy protection for information and data	Preventive
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768	Privacy protection for information and data	Preventive
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694	Privacy protection for information and data	Preventive
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743	Privacy protection for information and data	Preventive
Include an individual's passport number in the personal data definition. CC ID 04713	Privacy protection for information and data	Preventive
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691	Privacy protection for information and data	Preventive
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690	Privacy protection for information and data	Preventive
Include an individual's e-mail address in the personal data definition. CC ID 04696	Privacy protection for information and data	Preventive
Include electronic signatures in the personal data definition. CC ID 04697	Privacy protection for information and data	Preventive
Include an individual's payment card information in the personal data definition. CC ID 04751	Privacy protection for information and data	Preventive
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693	Privacy protection for information and data	Preventive
Include an individual's payment card service code in the personal data definition. CC ID 04753	Privacy protection for information and data	Preventive
Include an individual's payment card expiration date in the personal data definition. CC ID 04755	Privacy protection for information and data	Preventive
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825	Privacy protection for information and data	Preventive
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700	Privacy protection for information and data	Preventive
Include an individual's medical history in the personal data definition. CC ID 04701	Privacy protection for information and data	Preventive
Include an individual's medical treatment in the personal data definition. CC ID 04702	Privacy protection for information and data	Preventive
Include an individual's medical diagnosis in the personal data definition. CC ID 04703	Privacy protection for information and data	Preventive
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704	Privacy protection for information and data	Preventive
Include an individual's medical record numbers in the personal data definition. CC ID 07121	Privacy protection for information and data	Preventive
Include an individual's health insurance information in the personal data definition. CC ID 04705	Privacy protection for information and data	Preventive
Include an individual's health insurance policy number in the personal data definition. CC ID 04706	Privacy protection for information and data	Preventive
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707	Privacy protection for information and data	Preventive
Include an individual's education information in the personal data definition. CC ID 04714	Privacy protection for information and data	Preventive
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122	Privacy protection for information and data	Preventive
Include an individual's employment information in the personal data definition. CC ID 04715	Privacy protection for information and data	Preventive
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767	Privacy protection for information and data	Preventive
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763	Privacy protection for information and data	Preventive
Include an individual's employment history in the personal data definition. CC ID 04716	Privacy protection for information and data	Preventive
Include an individual's place of employment in the personal data definition. CC ID 04765	Privacy protection for information and data	Preventive
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766	Privacy protection for information and data	Preventive
Include an individual's property information in the personal data definition. CC ID 04780	Privacy protection for information and data	Preventive
Include an individual's property title in the personal data definition. CC ID 04781	Privacy protection for information and data	Preventive
Include an individual's vehicle registration in the personal data definition. CC ID 04782	Privacy protection for information and data	Preventive
Include hardware asset identification information in the personal data definition. CC ID 07123	Privacy protection for information and data	Preventive
Include MAC addresses in the personal data definition. CC ID 04778	Privacy protection for information and data	Preventive
Include Internet Protocol addresses in the personal data definition. CC ID 04777	Privacy protection for information and data	Preventive
Include asset serial numbers in the personal data definition. CC ID 07124	Privacy protection for information and data	Preventive
Include Uniform Resource Locators in the personal data definition. CC ID 07125	Privacy protection for information and data	Preventive
Define specially restricted data. CC ID 00037	Privacy protection for information and data	Preventive
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079	Privacy protection for information and data	Preventive
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075	Privacy protection for information and data	Preventive
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080	Privacy protection for information and data	Preventive
Implement a nondiscrimination principle. CC ID 00081	Privacy protection for information and data	Preventive
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799	Privacy protection for information and data	Preventive
Preserve each individual's right to human dignity. CC ID 00082	Privacy protection for information and data	Preventive
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058	Privacy protection for information and data	Preventive
Collect Personal Identification Numbers with the individual's consent. CC ID 00059	Privacy protection for information and data	Preventive
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061	Privacy protection for information and data	Preventive
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065	Privacy protection for information and data	Preventive
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792	Privacy protection for information and data	Preventive
Manage health data collection. CC ID 00050	Privacy protection for information and data	Preventive
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052	Privacy protection for information and data	Preventive
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053	Privacy protection for information and data	Preventive
Collect Individually Identifiable Health Information for research. CC ID 00054	Privacy protection for information and data	Preventive
Remove personal data before disclosing health data. CC ID 00055	Privacy protection for information and data	Preventive
Give special attention to collecting children's data. CC ID 00038	Privacy protection for information and data	Preventive
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Privacy protection for information and data	Preventive
Collect personal data directly from the data subject. CC ID 00011	Privacy protection for information and data	Preventive
Create and manage user account aliases to maintain pseudonymity. CC ID 04549	Privacy protection for information and data	Preventive
Provide unlinkability for users and resources. CC ID 04550	Privacy protection for information and data	Preventive
Collect restricted data in a fair and lawful manner. CC ID 00010	Privacy protection for information and data	Preventive
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013	Privacy protection for information and data	Preventive
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014	Privacy protection for information and data	Preventive
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015	Privacy protection for information and data	Preventive
Collect personal data absent consent in order to make a disclosure. CC ID 13550	Privacy protection for information and data	Preventive
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801	Privacy protection for information and data	Preventive
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548	Privacy protection for information and data	Preventive
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544	Privacy protection for information and data	Preventive
Collect personal data absent consent for handling insurance claims. CC ID 13543	Privacy protection for information and data	Preventive
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016	Privacy protection for information and data	Preventive
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295	Privacy protection for information and data	Preventive
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614	Privacy protection for information and data	Preventive
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277	Privacy protection for information and data	Preventive
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289	Privacy protection for information and data	Preventive
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292	Privacy protection for information and data	Preventive
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017	Privacy protection for information and data	Preventive
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293	Privacy protection for information and data	Preventive
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018	Privacy protection for information and data	Preventive
Collect restricted data absent consent from publicly available information. CC ID 00019	Privacy protection for information and data	Preventive
Collect restricted data absent consent when needed by law. CC ID 00020	Privacy protection for information and data	Preventive
Collect personal data absent consent to create a credit report. CC ID 15287	Privacy protection for information and data	Preventive
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021	Privacy protection for information and data	Preventive
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022	Privacy protection for information and data	Preventive
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]	Privacy protection for information and data	Preventive
Collect restricted data in a proper information framework. CC ID 00009	Privacy protection for information and data	Preventive
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]	Privacy protection for information and data	Preventive
Collect restricted data when required by law. CC ID 00031	Privacy protection for information and data	Preventive
Collect restricted data to prevent life-threatening emergencies. CC ID 00032	Privacy protection for information and data	Preventive
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034	Privacy protection for information and data	Preventive
Collect restricted data for legal purposes. CC ID 00036	Privacy protection for information and data	Preventive
Validate the business need for maintaining collected restricted data. CC ID 17090	Privacy protection for information and data	Preventive
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Privacy protection for information and data	Preventive
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Privacy protection for information and data	Preventive
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Privacy protection for information and data	Preventive
Limit data leakage. CC ID 00356	Privacy protection for information and data	Preventive
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Privacy protection for information and data	Detective
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Privacy protection for information and data	Detective
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Privacy protection for information and data	Detective
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Privacy protection for information and data	Detective
Include text about data ownership in the data handling policy. CC ID 15720	Privacy protection for information and data	Preventive
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: reidentify deidentified data; Section 7(a) (1) A processor or third party must not attempt to identify the subjects of deidentified or pseudonymous data without the express authority of the controller that caused the data to be deidentified or pseudonymized. Section 7(d) A controller, processor, or third party must not attempt to identify the subjects of data that has been collected with only pseudonymous identifiers. Section 7(e) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]	Privacy protection for information and data	Preventive
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127	Privacy protection for information and data	Preventive
Store de-identifying code and re-identifying code separately. CC ID 16535 [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]	Privacy protection for information and data	Preventive
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128	Privacy protection for information and data	Preventive
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662	Privacy protection for information and data	Preventive
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669	Privacy protection for information and data	Preventive
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771	Privacy protection for information and data	Preventive
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671	Privacy protection for information and data	Preventive
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672	Privacy protection for information and data	Preventive
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670	Privacy protection for information and data	Preventive
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656	Privacy protection for information and data	Preventive
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657	Privacy protection for information and data	Preventive
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774	Privacy protection for information and data	Preventive
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775	Privacy protection for information and data	Preventive
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764	Privacy protection for information and data	Preventive
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658	Privacy protection for information and data	Preventive
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660	Privacy protection for information and data	Preventive
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663	Privacy protection for information and data	Preventive
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666	Privacy protection for information and data	Preventive
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667	Privacy protection for information and data	Preventive
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668	Privacy protection for information and data	Preventive
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752	Privacy protection for information and data	Preventive
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659	Privacy protection for information and data	Preventive
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754	Privacy protection for information and data	Preventive
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756	Privacy protection for information and data	Preventive
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759	Privacy protection for information and data	Preventive
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760	Privacy protection for information and data	Preventive
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661	Privacy protection for information and data	Preventive
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673	Privacy protection for information and data	Preventive
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674	Privacy protection for information and data	Preventive
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675	Privacy protection for information and data	Preventive
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676	Privacy protection for information and data	Preventive
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682	Privacy protection for information and data	Preventive
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681	Privacy protection for information and data	Preventive
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683	Privacy protection for information and data	Preventive
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684	Privacy protection for information and data	Preventive
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772	Privacy protection for information and data	Preventive
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773	Privacy protection for information and data	Preventive
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788	Privacy protection for information and data	Preventive
Obtain consent from an individual prior to transferring personal data. CC ID 06948	Privacy protection for information and data	Preventive
Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314	Privacy protection for information and data	Preventive
Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312	Privacy protection for information and data	Preventive
Prohibit the transfer of personal data when security is inadequate. CC ID 00345	Privacy protection for information and data	Preventive
Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346	Privacy protection for information and data	Preventive
Refrain from transferring past the first transfer. CC ID 00347	Privacy protection for information and data	Preventive
Allow the data subject the right to object to the personal data transfer. CC ID 00349	Privacy protection for information and data	Preventive
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316	Privacy protection for information and data	Preventive
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317	Privacy protection for information and data	Preventive
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318	Privacy protection for information and data	Preventive
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319	Privacy protection for information and data	Preventive
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320	Privacy protection for information and data	Preventive
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321	Privacy protection for information and data	Preventive
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322	Privacy protection for information and data	Preventive
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323	Privacy protection for information and data	Preventive
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324	Privacy protection for information and data	Preventive
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325	Privacy protection for information and data	Preventive
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326	Privacy protection for information and data	Preventive
Require transferees to implement adequate data protection levels for the personal data. CC ID 00335	Privacy protection for information and data	Preventive
Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337	Privacy protection for information and data	Preventive
Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338	Privacy protection for information and data	Preventive
Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339	Privacy protection for information and data	Preventive
Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340	Privacy protection for information and data	Preventive
Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341	Privacy protection for information and data	Preventive
Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342	Privacy protection for information and data	Preventive
Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343	Privacy protection for information and data	Preventive
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344	Privacy protection for information and data	Preventive
Obtain consent prior to storing cookies on an individual's browser. CC ID 06950	Privacy protection for information and data	Preventive
Obtain consent prior to downloading software to an individual's computer. CC ID 06951	Privacy protection for information and data	Preventive
Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961	Privacy protection for information and data	Preventive
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and remediate violations of this chapter. Section 10(a) (2)(vi)]	Privacy protection for information and data	Preventive
Implement procedures to file privacy rights violation complaints. CC ID 00476	Privacy protection for information and data	Corrective
Change or destroy any personal data that is incorrect. CC ID 00462 [{be inaccurate} A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data. Section 6 Subdivision 1(c)]	Privacy protection for information and data	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Corrective
Notify individuals of their right to challenge personal data. CC ID 00457 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]	Privacy protection for information and data	Preventive
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Privacy protection for information and data	Preventive
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Privacy protection for information and data	Preventive
Investigate the disputed accuracy of personal data. CC ID 00461	Privacy protection for information and data	Preventive
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475	Privacy protection for information and data	Corrective
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503	Privacy protection for information and data	Corrective
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Privacy protection for information and data	Preventive
Check the accuracy of restricted data. CC ID 00088	Privacy protection for information and data	Preventive
Check the data accuracy of new accounts. CC ID 04859	Privacy protection for information and data	Preventive
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862	Privacy protection for information and data	Preventive
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863	Privacy protection for information and data	Preventive
Correlate the applicant's social security number with their date of birth. CC ID 04864	Privacy protection for information and data	Preventive
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867	Privacy protection for information and data	Preventive
Compare the applicant's personal data against known fraudulent activities. CC ID 04865	Privacy protection for information and data	Preventive
Compare the applicant's address against known suspicious addresses. CC ID 04866	Privacy protection for information and data	Preventive
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868	Privacy protection for information and data	Preventive
Provide additional personal data when the application is incomplete. CC ID 04869	Privacy protection for information and data	Preventive
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870	Privacy protection for information and data	Detective
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872	Privacy protection for information and data	Detective

Establish Roles

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Leadership and high level objectives	Preventive
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Technical security	Preventive
Identify and define all critical roles. CC ID 00777	Human Resources management	Preventive
Define and assign the data controller's roles and responsibilities. CC ID 00471 [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a) {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]	Human Resources management	Preventive
Assign the role of data controller to applicable controls. CC ID 00354	Human Resources management	Preventive
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Human Resources management	Preventive
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061	Human Resources management	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652	Operational management	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Operational management	Preventive
Include roles and responsibilities in the registration notice. CC ID 16803	Privacy protection for information and data	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Privacy protection for information and data	Preventive
Process restricted data lawfully and carefully. CC ID 00086 [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]	Privacy protection for information and data	Preventive

Establish/Maintain Documentation

492

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Preventive
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: the name and contact information for the controller's chief privacy individual with primary responsibility for directing the policies and procedures implemented to comply with the provisions of this chapter; and Section 10(a) (1)]	Leadership and high level objectives	Preventive
Include the effective date on all organizational policies. CC ID 06820 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the date the privacy notice was last updated. Section 8 Subdivision 1(a) (8)]	Leadership and high level objectives	Preventive
Establish and maintain an Authority Document list. CC ID 07113	Leadership and high level objectives	Preventive
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: Section 10(a)]	Leadership and high level objectives	Preventive
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Preventive
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]	Leadership and high level objectives	Preventive
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Leadership and high level objectives	Preventive
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Leadership and high level objectives	Detective
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in paragraph (f). Section 11(g)]	Leadership and high level objectives	Preventive
Include when exemptions expire in the compliance exception standard. CC ID 14330	Leadership and high level objectives	Preventive
Include management of the exemption register in the compliance exception standard. CC ID 14328	Leadership and high level objectives	Preventive
Establish, implement, and maintain a risk monitoring program. CC ID 00658	Monitoring and measurement	Preventive
Include a system description in the system security plan. CC ID 16467	Monitoring and measurement	Preventive
Include a description of the operational context in the system security plan. CC ID 14301	Monitoring and measurement	Preventive
Include the results of the security categorization in the system security plan. CC ID 14281	Monitoring and measurement	Preventive
Include the information types in the system security plan. CC ID 14696	Monitoring and measurement	Preventive
Include the security requirements in the system security plan. CC ID 14274	Monitoring and measurement	Preventive
Include cryptographic key management procedures in the system security plan. CC ID 17029	Monitoring and measurement	Preventive
Include threats in the system security plan. CC ID 14693	Monitoring and measurement	Preventive
Include network diagrams in the system security plan. CC ID 14273	Monitoring and measurement	Preventive
Include roles and responsibilities in the system security plan. CC ID 14682	Monitoring and measurement	Preventive
Include backup and recovery procedures in the system security plan. CC ID 17043	Monitoring and measurement	Preventive
Include the results of the privacy risk assessment in the system security plan. CC ID 14676	Monitoring and measurement	Preventive
Include remote access methods in the system security plan. CC ID 16441	Monitoring and measurement	Preventive
Include a description of the operational environment in the system security plan. CC ID 14272	Monitoring and measurement	Preventive
Include the security categorizations and rationale in the system security plan. CC ID 14270	Monitoring and measurement	Preventive
Include the authorization boundary in the system security plan. CC ID 14257	Monitoring and measurement	Preventive
Include security controls in the system security plan. CC ID 14239	Monitoring and measurement	Preventive
Create specific test plans to test each system component. CC ID 00661	Monitoring and measurement	Preventive
Include the roles and responsibilities in the test plan. CC ID 14299	Monitoring and measurement	Preventive
Include the assessment team in the test plan. CC ID 14297	Monitoring and measurement	Preventive
Include the scope in the test plans. CC ID 14293	Monitoring and measurement	Preventive
Include the assessment environment in the test plan. CC ID 14271	Monitoring and measurement	Preventive
Review the test plans for each system component. CC ID 00662	Monitoring and measurement	Preventive
Document validated testing processes in the testing procedures. CC ID 06200	Monitoring and measurement	Preventive
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827	Monitoring and measurement	Preventive
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Preventive
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Monitoring and measurement	Preventive
Identify and document instances of non-compliance with the compliance framework. CC ID 06499	Monitoring and measurement	Preventive
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935	Monitoring and measurement	Preventive
Establish, implement, and maintain disciplinary action notices. CC ID 16577	Monitoring and measurement	Preventive
Include a copy of the order in the disciplinary action notice. CC ID 16606	Monitoring and measurement	Preventive
Include the sanctions imposed in the disciplinary action notice. CC ID 16599	Monitoring and measurement	Preventive
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589	Monitoring and measurement	Preventive
Include the requirements that were violated in the disciplinary action notice. CC ID 16588	Monitoring and measurement	Preventive
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587	Monitoring and measurement	Preventive
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586	Monitoring and measurement	Preventive
Include required information in the disciplinary action notice. CC ID 16584	Monitoring and measurement	Preventive
Include a justification for actions taken in the disciplinary action notice. CC ID 16583	Monitoring and measurement	Preventive
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582	Monitoring and measurement	Preventive
Include the investigation results in the disciplinary action notice. CC ID 16581	Monitoring and measurement	Preventive
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580	Monitoring and measurement	Preventive
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579	Monitoring and measurement	Preventive
Include contact information in the disciplinary action notice. CC ID 16578	Monitoring and measurement	Preventive
Establish, implement, and maintain a Statement of Compliance. CC ID 12499	Audits and risk management	Preventive
Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: Section 10(a) (2)]	Audits and risk management	Preventive
Include the outcomes of privacy rights violation complaints received in the Statement of Compliance. CC ID 12534	Audits and risk management	Preventive
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175	Audits and risk management	Preventive
Include dispute resolution quality measures in the Statement of Compliance. CC ID 12533	Audits and risk management	Preventive
Include the type of privacy rights violation complaints received in the Statement of Compliance. CC ID 12532	Audits and risk management	Preventive
Include the number of privacy rights violation complaints received in the Statement of Compliance. CC ID 12530	Audits and risk management	Preventive
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c) {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c) {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Preventive
Establish, implement, and maintain a digital identity management program. CC ID 13713	Technical security	Preventive
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise the rights of this chapter on the child's behalf. Section 6 Subdivision 2(b) In the case of processing personal data concerning a consumer legally subject to guardianship or conservatorship under sections 524.5-101 to 524.5-502, the guardian or the conservator of the consumer may exercise the rights of this chapter on the consumer's behalf. Section 6 Subdivision 2(c) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]	Technical security	Preventive
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802	Technical security	Preventive
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801	Technical security	Preventive
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800	Technical security	Preventive
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799	Technical security	Preventive
Establish, implement, and maintain digital identification procedures. CC ID 13714	Technical security	Preventive
Establish, implement, and maintain remote proofing procedures. CC ID 13796	Technical security	Preventive
Establish, implement, and maintain an access control program. CC ID 11702	Technical security	Preventive
Establish, implement, and maintain an access rights management plan. CC ID 00513	Technical security	Preventive
Establish, implement, and maintain an identification and authentication policy. CC ID 14033	Technical security	Preventive
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]	Technical security	Preventive
Establish, implement, and maintain a network configuration standard. CC ID 00530	Technical security	Preventive
Maintain up-to-date data flow diagrams. CC ID 10059	Technical security	Preventive
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]	Technical security	Detective
Establish, implement, and maintain a legal support program. CC ID 13710 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: investigate, establish, exercise, prepare for, or defend legal claims; Section 11(a) (4) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Human Resources management	Preventive
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835	Human Resources management	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Preventive
Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Operational management	Preventive
Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Operational management	Preventive
Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Operational management	Preventive
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1)]	Operational management	Preventive
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902	Operational management	Preventive
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Preventive
Establish, implement, and maintain an incident management policy. CC ID 16414	Operational management	Preventive
Define the uses and capabilities of the Incident Management program. CC ID 00854	Operational management	Preventive
Include incident escalation procedures in the Incident Management program. CC ID 00856	Operational management	Preventive
Define the characteristics of the Incident Management program. CC ID 00855	Operational management	Preventive
Include the criteria for a data loss event in the Incident Management program. CC ID 12179	Operational management	Preventive
Include the criteria for an incident in the Incident Management program. CC ID 12173	Operational management	Preventive
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504	Operational management	Preventive
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Preventive
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033	Operational management	Preventive
Document the incident and any relevant evidence in the incident report. CC ID 08659	Operational management	Detective
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095	Operational management	Preventive
Include the investigation methodology in the forensic investigation report. CC ID 17071	Operational management	Preventive
Include corrective actions in the forensic investigation report. CC ID 17070	Operational management	Preventive
Include the investigation results in the forensic investigation report. CC ID 17069	Operational management	Preventive
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674	Operational management	Detective
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678	Operational management	Detective
Share data loss event information with interconnected system owners. CC ID 01209	Operational management	Corrective
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Operational management	Preventive
Include data loss event notifications in the Incident Response program. CC ID 00364	Operational management	Preventive
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954	Operational management	Preventive
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Operational management	Preventive
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985	Operational management	Preventive
Establish, implement, and maintain incident response notifications. CC ID 12975	Operational management	Corrective
Include information required by law in incident response notifications. CC ID 00802	Operational management	Detective
Title breach notifications "Notice of Data Breach". CC ID 12977	Operational management	Preventive
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Operational management	Preventive
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Operational management	Preventive
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Operational management	Preventive
Use plain language to write incident response notifications. CC ID 12976	Operational management	Preventive
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Operational management	Preventive
Include the affected parties rights in the incident response notification. CC ID 16811	Operational management	Preventive
Include details of the investigation in incident response notifications. CC ID 12296	Operational management	Preventive
Include the issuer's name in incident response notifications. CC ID 12062	Operational management	Preventive
Include a "What Happened" heading in breach notifications. CC ID 12978	Operational management	Preventive
Include a general description of the data loss event in incident response notifications. CC ID 04734	Operational management	Preventive
Include time information in incident response notifications. CC ID 04745	Operational management	Preventive
Include the identification of the data source in incident response notifications. CC ID 12305	Operational management	Preventive
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Operational management	Preventive
Include the type of information that was lost in incident response notifications. CC ID 04735	Operational management	Preventive
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Operational management	Preventive
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Operational management	Preventive
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Operational management	Preventive
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Operational management	Preventive
Include a "For More Information" heading in breach notifications. CC ID 12981	Operational management	Preventive
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Operational management	Preventive
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Operational management	Preventive
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Operational management	Preventive
Include any consequences in the incident response notifications. CC ID 12604	Operational management	Preventive
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Operational management	Preventive
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Operational management	Preventive
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Operational management	Detective
Include contact information in incident response notifications. CC ID 04739	Operational management	Preventive
Include contact information in the substitute incident response notification. CC ID 16776	Operational management	Preventive
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748	Operational management	Preventive
Establish, implement, and maintain a containment strategy. CC ID 13480	Operational management	Preventive
Include the containment approach in the containment strategy. CC ID 13486	Operational management	Preventive
Include response times in the containment strategy. CC ID 13485	Operational management	Preventive
Include incident recovery procedures in the Incident Management program. CC ID 01758	Operational management	Corrective
Establish, implement, and maintain a restoration log. CC ID 12745	Operational management	Preventive
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592	Operational management	Preventive
Analyze security violations in Suspicious Activity Reports. CC ID 00591	Operational management	Preventive
Update the incident response procedures using the lessons learned. CC ID 01233	Operational management	Preventive
Include incident response procedures in the Incident Management program. CC ID 01218	Operational management	Preventive
Include incident management procedures in the Incident Management program. CC ID 12689	Operational management	Preventive
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858	Operational management	Corrective
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334	Operational management	Preventive
Include after-action analysis procedures in the Incident Management program. CC ID 01219	Operational management	Preventive
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844	Operational management	Preventive
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830	Operational management	Preventive
Log incidents in the Incident Management audit log. CC ID 00857	Operational management	Preventive
Include corrective actions in the incident management audit log. CC ID 16466	Operational management	Preventive
Include emergency processing priorities in the Incident Management program. CC ID 00859	Operational management	Preventive
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387	Operational management	Preventive
Include incident record closure procedures in the Incident Management program. CC ID 01620	Operational management	Preventive
Include incident reporting procedures in the Incident Management program. CC ID 11772 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Operational management	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Operational management	Preventive
Establish, implement, and maintain incident response procedures. CC ID 01206 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Detective
Include references to industry best practices in the incident response procedures. CC ID 11956	Operational management	Preventive
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Operational management	Preventive
Establish, implement, and maintain records management procedures. CC ID 11619	Records management	Preventive
Establish, implement, and maintain authorization records. CC ID 14367	Records management	Preventive
Include the reasons for granting the authorization in the authorization records. CC ID 14371	Records management	Preventive
Include the date and time the authorization was granted in the authorization records. CC ID 14370	Records management	Preventive
Include the person's name who approved the authorization in the authorization records. CC ID 14369	Records management	Preventive
Create summary of care records in accordance with applicable standards. CC ID 14440	Records management	Preventive
Log the number of routine items received into the recordkeeping system. CC ID 11701	Records management	Preventive
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]	Privacy protection for information and data	Preventive
Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862	Privacy protection for information and data	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Privacy protection for information and data	Preventive
Include the purpose of the privacy notice in the privacy notice. CC ID 13526	Privacy protection for information and data	Preventive
Include the processing purpose in the privacy notice. CC ID 16543 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the purposes for which the categories of personal data are processed; Section 8 Subdivision 1(a) (2) If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b)]	Privacy protection for information and data	Preventive
Include contact information in the privacy notice. CC ID 14432 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller; Section 8 Subdivision 1(a) (6)]	Privacy protection for information and data	Preventive
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]	Privacy protection for information and data	Preventive
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Privacy protection for information and data	Preventive
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461	Privacy protection for information and data	Preventive
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of third parties, if any, with whom the controller sells or shares personal data; Section 8 Subdivision 1(a) (5)]	Privacy protection for information and data	Preventive
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: a description of the controller's retention policies for personal data; and Section 8 Subdivision 1(a) (7)]	Privacy protection for information and data	Preventive
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456	Privacy protection for information and data	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data processed by the controller; Section 8 Subdivision 1(a) (1)]	Privacy protection for information and data	Preventive
Include disclosure exceptions in the privacy notice. CC ID 13447	Privacy protection for information and data	Preventive
Include the types of personal data disclosed in the privacy notice. CC ID 13446 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data that the controller sells to or shares with third parties, if any; Section 8 Subdivision 1(a) (4)]	Privacy protection for information and data	Preventive
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Privacy protection for information and data	Preventive
Specify the time frame that notice will be given. CC ID 00385	Privacy protection for information and data	Preventive
Include the information about the appeal process in the privacy notice. CC ID 15312 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]	Privacy protection for information and data	Preventive
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468	Privacy protection for information and data	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Privacy protection for information and data	Preventive
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434	Privacy protection for information and data	Corrective
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466	Privacy protection for information and data	Preventive
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472	Privacy protection for information and data	Preventive
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471	Privacy protection for information and data	Preventive
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470	Privacy protection for information and data	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448	Privacy protection for information and data	Preventive
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Privacy protection for information and data	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Privacy protection for information and data	Preventive
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463	Privacy protection for information and data	Preventive
Explain the right to opt out in the opt-out notice. CC ID 13462	Privacy protection for information and data	Preventive
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Privacy protection for information and data	Preventive
Provide the data subject with a notice of participation procedures. CC ID 06241	Privacy protection for information and data	Preventive
Publish a description of processing activities in an official register. CC ID 00379	Privacy protection for information and data	Preventive
Establish and maintain a records request manual. CC ID 00381	Privacy protection for information and data	Preventive
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Privacy protection for information and data	Preventive
Define what is included in registration notices. CC ID 00386	Privacy protection for information and data	Preventive
Include the verification method in the registration notice. CC ID 16798	Privacy protection for information and data	Preventive
Include the statutory authority in the registration notice. CC ID 16799	Privacy protection for information and data	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Privacy protection for information and data	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Privacy protection for information and data	Preventive
Include information about the dispute resolution body in the registration notice. CC ID 16800	Privacy protection for information and data	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Privacy protection for information and data	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Privacy protection for information and data	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Privacy protection for information and data	Preventive
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g) {be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]	Privacy protection for information and data	Preventive
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394	Privacy protection for information and data	Preventive
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398	Privacy protection for information and data	Preventive
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Privacy protection for information and data	Preventive
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Privacy protection for information and data	Preventive
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Privacy protection for information and data	Preventive
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Privacy protection for information and data	Preventive
Specify the purpose of the disclosure in the written consent. CC ID 13001	Privacy protection for information and data	Preventive
Specify which education records may be disclosed in the written consent. CC ID 13000	Privacy protection for information and data	Preventive
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Privacy protection for information and data	Preventive
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Privacy protection for information and data	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g) A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]	Privacy protection for information and data	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]	Privacy protection for information and data	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Privacy protection for information and data	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Privacy protection for information and data	Preventive
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Privacy protection for information and data	Preventive
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Privacy protection for information and data	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Privacy protection for information and data	Preventive
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Privacy protection for information and data	Preventive
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Privacy protection for information and data	Preventive
Include the disclosure date in the disclosure accounting record. CC ID 07133	Privacy protection for information and data	Preventive
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Privacy protection for information and data	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Privacy protection for information and data	Preventive
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Privacy protection for information and data	Preventive
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Privacy protection for information and data	Preventive
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Privacy protection for information and data	Preventive
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Privacy protection for information and data	Preventive
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Privacy protection for information and data	Preventive
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Privacy protection for information and data	Preventive
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586	Privacy protection for information and data	Preventive
Make telephone directory information available to the public. CC ID 08698	Privacy protection for information and data	Preventive
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy policy. CC ID 06281	Privacy protection for information and data	Preventive
Include the data subject's rights in the privacy policy. CC ID 16355	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy policy model document. CC ID 14720	Privacy protection for information and data	Preventive
Document privacy policies in clearly written and easily understood language. CC ID 00376	Privacy protection for information and data	Detective
Write privacy notices in the official languages required by law. CC ID 16529 [The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service. Section 8 Subdivision 1(c)]	Privacy protection for information and data	Preventive
Define what is included in the privacy policy. CC ID 00404	Privacy protection for information and data	Preventive
Define the information being collected in the privacy policy. CC ID 13115	Privacy protection for information and data	Preventive
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110	Privacy protection for information and data	Preventive
Include the means by which information is collected in the privacy policy. CC ID 13114	Privacy protection for information and data	Preventive
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368	Privacy protection for information and data	Corrective
Include roles and responsibilities in the privacy policy. CC ID 14669	Privacy protection for information and data	Preventive
Include management commitment in the privacy policy. CC ID 14668	Privacy protection for information and data	Preventive
Include coordination amongst entities in the privacy policy. CC ID 14667	Privacy protection for information and data	Preventive
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854	Privacy protection for information and data	Preventive
Include compliance requirements in the privacy policy. CC ID 14666	Privacy protection for information and data	Preventive
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111	Privacy protection for information and data	Preventive
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367	Privacy protection for information and data	Corrective
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366	Privacy protection for information and data	Preventive
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365	Privacy protection for information and data	Preventive
Include a complaint form in the privacy policy. CC ID 12364	Privacy protection for information and data	Preventive
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405	Privacy protection for information and data	Preventive
Include the processing purpose in the privacy policy. CC ID 00406	Privacy protection for information and data	Preventive
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117	Privacy protection for information and data	Preventive
Include the data subject categories being processed in the privacy policy. CC ID 00407	Privacy protection for information and data	Preventive
Define the retention period for collected information in the privacy policy. CC ID 13116	Privacy protection for information and data	Preventive
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408	Privacy protection for information and data	Preventive
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409	Privacy protection for information and data	Preventive
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410	Privacy protection for information and data	Preventive
Include instructions on how to opt-out in the privacy policy. CC ID 00411	Privacy protection for information and data	Preventive
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]	Privacy protection for information and data	Preventive
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454	Privacy protection for information and data	Preventive
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452	Privacy protection for information and data	Preventive
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390	Privacy protection for information and data	Preventive
Post the privacy policy in an easily seen location. CC ID 00401 [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]	Privacy protection for information and data	Preventive
Define who will receive the privacy policy. CC ID 00402	Privacy protection for information and data	Preventive
Establish, implement, and maintain privacy procedures. CC ID 14665	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy plan. CC ID 14672	Privacy protection for information and data	Preventive
Include privacy requirements in the privacy plan. CC ID 14699	Privacy protection for information and data	Preventive
Include the information types in the privacy plan. CC ID 14695	Privacy protection for information and data	Preventive
Include threats in the privacy plan. CC ID 14694	Privacy protection for information and data	Preventive
Include roles and responsibilities in the privacy plan. CC ID 14702	Privacy protection for information and data	Preventive
Include a description of the operational context in the privacy plan. CC ID 14692	Privacy protection for information and data	Preventive
Include risk assessment results in the privacy plan. CC ID 14701	Privacy protection for information and data	Preventive
Include the security categorizations and rationale in the privacy plan. CC ID 14690	Privacy protection for information and data	Preventive
Include security controls in the privacy plan. CC ID 14681	Privacy protection for information and data	Preventive
Include a description of the operational environment in the privacy plan. CC ID 14679	Privacy protection for information and data	Preventive
Include network diagrams in the privacy plan. CC ID 14678	Privacy protection for information and data	Preventive
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677	Privacy protection for information and data	Preventive
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy report. CC ID 14754	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Privacy protection for information and data	Preventive
Establish, implement, and maintain data request procedures. CC ID 16546 [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b) A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]	Privacy protection for information and data	Preventive
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433	Privacy protection for information and data	Preventive
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438	Privacy protection for information and data	Preventive
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999	Privacy protection for information and data	Preventive
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440	Privacy protection for information and data	Preventive
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439	Privacy protection for information and data	Preventive
Include the identity of the data subject in the disclosure authorization form. CC ID 13436	Privacy protection for information and data	Preventive
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442	Privacy protection for information and data	Preventive
Include how personal data will be used in the disclosure authorization form. CC ID 13441	Privacy protection for information and data	Preventive
Include agreement termination information in the disclosure authorization form. CC ID 13437	Privacy protection for information and data	Preventive
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Preventive
Establish, implement, and maintain approval applications. CC ID 16778	Privacy protection for information and data	Preventive
Include required information in the approval application. CC ID 16628	Privacy protection for information and data	Preventive
Submit a safe harbor self-certification letter. CC ID 06871	Privacy protection for information and data	Preventive
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584	Privacy protection for information and data	Preventive
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682	Privacy protection for information and data	Preventive
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612	Privacy protection for information and data	Preventive
Include data subject's rights in the Binding Corporate Rules. CC ID 12596	Privacy protection for information and data	Preventive
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597	Privacy protection for information and data	Preventive
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595	Privacy protection for information and data	Preventive
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594	Privacy protection for information and data	Preventive
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620	Privacy protection for information and data	Preventive
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593	Privacy protection for information and data	Preventive
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591	Privacy protection for information and data	Preventive
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592	Privacy protection for information and data	Preventive
Include complaint procedures in the Binding Corporate Rules. CC ID 12613	Privacy protection for information and data	Preventive
Include the data transfers in the Binding Corporate Rules. CC ID 12590	Privacy protection for information and data	Preventive
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662	Privacy protection for information and data	Preventive
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601	Privacy protection for information and data	Preventive
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600	Privacy protection for information and data	Preventive
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599	Privacy protection for information and data	Preventive
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598	Privacy protection for information and data	Preventive
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627	Privacy protection for information and data	Preventive
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626	Privacy protection for information and data	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Preventive
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812	Privacy protection for information and data	Preventive
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and Section 5(c) (1)]	Privacy protection for information and data	Preventive
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Privacy protection for information and data	Preventive
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Preventive
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Preventive
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Preventive
Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Preventive
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Privacy protection for information and data	Preventive
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]	Privacy protection for information and data	Preventive
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this chapter; and Section 5(e) (2) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]	Privacy protection for information and data	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e) Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this chapter is contrary to public policy and is void and unenforceable. Section 8 Subdivision 4 ¶ 1 The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: assist another controller, processor, or third party with any of the obligations under this paragraph; Section 11(a) (8)]	Privacy protection for information and data	Preventive
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; Section 5(e) (1) {no longer necessary} A controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09. Section 8 Subdivision 2(g)]	Privacy protection for information and data	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Privacy protection for information and data	Preventive
Document the law that requires restricted data to be collected. CC ID 00103	Privacy protection for information and data	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Privacy protection for information and data	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Privacy protection for information and data	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not be necessary} Except as provided in this chapter, a controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which the personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent. Section 8 Subdivision 2(b)]	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; Section 11(a) (6)]	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Privacy protection for information and data	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Privacy protection for information and data	Preventive
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Privacy protection for information and data	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]	Privacy protection for information and data	Preventive
Require data access requests to be in writing, unless the requester is unable. CC ID 00420	Privacy protection for information and data	Preventive
Define what is to be included in a data access request. CC ID 08699	Privacy protection for information and data	Preventive
Deliver the records described in the personal data access request, as necessary. CC ID 08701	Privacy protection for information and data	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811	Privacy protection for information and data	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Privacy protection for information and data	Preventive
Notify third parties of data access requests that relates to the third party. CC ID 08703	Privacy protection for information and data	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Privacy protection for information and data	Preventive
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636	Privacy protection for information and data	Preventive
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378	Privacy protection for information and data	Preventive
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377	Privacy protection for information and data	Preventive
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376	Privacy protection for information and data	Preventive
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375	Privacy protection for information and data	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Privacy protection for information and data	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Privacy protection for information and data	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Privacy protection for information and data	Preventive
Define security breach notification requirement exceptions. CC ID 04797	Privacy protection for information and data	Preventive
Define what restricted data is not required to be disclosed absent consent. CC ID 00134	Privacy protection for information and data	Preventive
Define the exceptions to disclosure absent consent. CC ID 00135	Privacy protection for information and data	Preventive
Define opt-out exceptions for disclosing restricted data. CC ID 00159 [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Privacy protection for information and data	Preventive
Define how a data subject may give consent. CC ID 00160	Privacy protection for information and data	Preventive
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162	Privacy protection for information and data	Detective
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2) {no longer necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09; and Section 10(a) (2)(v) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Privacy protection for information and data	Preventive
Document the redisclosing restricted data exceptions. CC ID 00170	Privacy protection for information and data	Preventive
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Privacy protection for information and data	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Privacy protection for information and data	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and Section 7(a) (3)(ii) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. Section 7(a) (3)(iii) If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f) A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Privacy protection for information and data	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Privacy protection for information and data	Preventive
Include cookie management in the privacy framework. CC ID 13809	Privacy protection for information and data	Preventive
Establish, implement, and maintain cookie management procedures. CC ID 13810	Privacy protection for information and data	Preventive
Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [{be relevant} {be necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed; Section 10(a) (2)(iv)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Privacy protection for information and data	Preventive
Post the collection purpose. CC ID 00101	Privacy protection for information and data	Preventive
Document each individual's personal data collection consent preferences. CC ID 06945	Privacy protection for information and data	Preventive
Establish and maintain a personal data definition. CC ID 00028	Privacy protection for information and data	Preventive
Include the number of children in the personal data definition. CC ID 13759	Privacy protection for information and data	Preventive
Include the individual's religion in the personal data definition. CC ID 13765	Privacy protection for information and data	Preventive
Include an individual's political party affiliation in the personal data definition. CC ID 13764	Privacy protection for information and data	Preventive
Include an individual's license plate number in the personal data definition. CC ID 13763	Privacy protection for information and data	Preventive
Include an individual's account balances in the personal data definition. CC ID 13770	Privacy protection for information and data	Preventive
Include an individual's logon credentials in the personal data definition. CC ID 13771	Privacy protection for information and data	Preventive
Include an individual's military identification number in the personal data definition. CC ID 13083	Privacy protection for information and data	Preventive
Refrain from including publicly available information in the personal data definition. CC ID 13084	Privacy protection for information and data	Preventive
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Privacy protection for information and data	Preventive
Provide the data subject with information about the data controller during the collection process. CC ID 00023	Privacy protection for information and data	Preventive
Provide the data subject with the data collector's name and contact information. CC ID 00024	Privacy protection for information and data	Preventive
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025	Privacy protection for information and data	Preventive
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026	Privacy protection for information and data	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Privacy protection for information and data	Preventive
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Privacy protection for information and data	Detective
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170	Privacy protection for information and data	Preventive
Establish, implement, and maintain call metadata controls. CC ID 04790	Privacy protection for information and data	Preventive
Establish, implement, and maintain data handling procedures. CC ID 11756	Privacy protection for information and data	Preventive
Define personal data that falls under breach notification rules. CC ID 00800	Privacy protection for information and data	Preventive
Define an out of scope privacy breach. CC ID 04677	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data transfer program. CC ID 00307	Privacy protection for information and data	Preventive
Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351	Privacy protection for information and data	Preventive
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333	Privacy protection for information and data	Preventive
Document transfer disagreements by the data subject in writing. CC ID 00348	Privacy protection for information and data	Preventive
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315	Privacy protection for information and data	Preventive
Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336	Privacy protection for information and data	Preventive
Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy impact assessment. CC ID 13712	Privacy protection for information and data	Preventive
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520	Privacy protection for information and data	Preventive
Include how to grant consent in the privacy impact assessment. CC ID 15519	Privacy protection for information and data	Preventive
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518	Privacy protection for information and data	Preventive
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517	Privacy protection for information and data	Preventive
Include data handling procedures in the privacy impact assessment. CC ID 15516	Privacy protection for information and data	Preventive
Include the intended use of information in the privacy impact assessment. CC ID 15515	Privacy protection for information and data	Preventive
Include the reason information is being collected in the privacy impact assessment. CC ID 15514	Privacy protection for information and data	Preventive
File privacy rights violation complaints in writing. CC ID 00477	Privacy protection for information and data	Corrective
Include supporting documentation in the privacy rights violation complaint. CC ID 16997	Privacy protection for information and data	Preventive
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360	Privacy protection for information and data	Corrective
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526	Privacy protection for information and data	Preventive
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Privacy protection for information and data	Preventive
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Privacy protection for information and data	Preventive
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529	Privacy protection for information and data	Preventive
Document unresolved challenges. CC ID 13568	Privacy protection for information and data	Preventive
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Privacy protection for information and data	Preventive
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Privacy protection for information and data	Preventive
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954	Privacy protection for information and data	Preventive
Include the allegations against the organization in the notice of investigation. CC ID 13031	Privacy protection for information and data	Preventive
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495	Privacy protection for information and data	Corrective
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497	Privacy protection for information and data	Detective
Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} In no event shall any contract relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship under this chapter. Section 5(f) A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d) {is liable} Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation. Section 12(c)]	Privacy protection for information and data	Preventive
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Privacy protection for information and data	Preventive
Define the appeal process based on the applicable law. CC ID 00506 [A controller must establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the rights under subdivision 1 within a reasonable period of time after the consumer's receipt of the notice sent by the controller under subdivision 4, paragraph (f). Section 6 Subdivision 5(a) The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b) The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b)]	Privacy protection for information and data	Preventive
Provide notice of proposed penalties. CC ID 06216	Privacy protection for information and data	Preventive
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h) A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Privacy protection for information and data	Preventive
Use documents for identification that do not appear altered or forged. CC ID 04860	Privacy protection for information and data	Preventive
Establish, implement, and maintain a supply chain management program. CC ID 11742	Third Party and supply chain oversight	Preventive
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]	Third Party and supply chain oversight	Preventive
Review and update all contracts, as necessary. CC ID 11612	Third Party and supply chain oversight	Preventive
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d)]	Third Party and supply chain oversight	Detective
Include the audit scope in the third party external audit report. CC ID 13138	Third Party and supply chain oversight	Preventive
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063	Third Party and supply chain oversight	Detective
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065	Third Party and supply chain oversight	Detective

Human Resources Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign senior management to approve test plans. CC ID 13071	Monitoring and measurement	Preventive
Align disciplinary actions with the level of compliance violation. CC ID 12404	Monitoring and measurement	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Preventive
Define and assign the data processor's roles and responsibilities. CC ID 12607 [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a) {technical measures} taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 325O.05; and Section 5(b) (1) {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]	Human Resources management	Preventive
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]	Human Resources management	Preventive
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources management	Preventive
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources management	Preventive
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources management	Preventive
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources management	Preventive
Establish, implement, and maintain an ethics program. CC ID 11496 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Human Resources management	Preventive
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Human Resources management	Preventive
Include prohibiting counterfeiting in the ethics program. CC ID 11517	Human Resources management	Preventive
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055	Human Resources management	Preventive
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055	Operational management	Preventive
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611	Operational management	Corrective
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: Section 8 Subdivision 3(b)]	Privacy protection for information and data	Preventive
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848	Privacy protection for information and data	Preventive
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610	Privacy protection for information and data	Preventive
Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647	Privacy protection for information and data	Preventive
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: engage a subcontractor only (i) after providing the controller with an opportunity to object, and (ii) pursuant to a written contract in accordance with paragraph (e) that requires the subcontractor to meet the obligations of the processor with respect to the personal data. Section 5(c) (2)]	Privacy protection for information and data	Preventive
Review compliance with the organization's privacy objectives. CC ID 13490 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)]	Privacy protection for information and data	Detective
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Privacy protection for information and data	Preventive

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Technical security CC ID 00508	Technical security	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone
Acquisition or sale of facilities, technology, and services CC ID 01123	Acquisition or sale of facilities, technology, and services	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Third Party and supply chain oversight CC ID 08807	Third Party and supply chain oversight	IT Impact Zone

Investigate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Determine the causes of compliance violations. CC ID 12401	Monitoring and measurement	Corrective
Determine if multiple compliance violations of the same type could occur. CC ID 12402	Monitoring and measurement	Detective
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403	Monitoring and measurement	Detective
Verify proof of identity records. CC ID 13761	Technical security	Detective
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900	Human Resources management	Preventive
Identify root causes of incidents that force system changes. CC ID 13482	Operational management	Detective
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677	Operational management	Detective
Analyze the incident response process following an incident response. CC ID 13179	Operational management	Detective
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298	Operational management	Preventive
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042	Operational management	Detective
Identify the affected parties during incident investigations. CC ID 16781	Operational management	Detective
Interview suspects during incident investigations, as necessary. CC ID 14041	Operational management	Detective
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038	Operational management	Detective
Analyze requirements for processing personal data in contracts. CC ID 12550 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Detective
Confirm the data quality of personal data collected from third parties. CC ID 13510	Privacy protection for information and data	Detective
Review the methods for collecting personal data, as necessary. CC ID 13511	Privacy protection for information and data	Detective
Perform an identity check prior to approving an account change request. CC ID 13670	Privacy protection for information and data	Detective

Log Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Monitoring and measurement	Detective
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754	Operational management	Corrective
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Detective
Include who the incident was reported to in the incident management audit log. CC ID 16487	Operational management	Preventive
Include the information that was exchanged in the incident management audit log. CC ID 16995	Operational management	Preventive
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238	Operational management	Corrective
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234	Operational management	Preventive
Log the date and time each item is received into the recordkeeping system. CC ID 11709	Records management	Preventive
Log the date and time each item is made available into the recordkeeping system. CC ID 11710	Records management	Preventive
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707	Records management	Preventive
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705	Records management	Preventive
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703	Records management	Preventive
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711	Records management	Preventive
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718	Records management	Preventive
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719	Records management	Preventive
Log the number of non-routine items received into the recordkeeping system. CC ID 11706	Records management	Preventive
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716	Records management	Preventive
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708	Records management	Preventive
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704	Records management	Preventive
Log performance monitoring into the recordkeeping system. CC ID 11724	Records management	Preventive
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728	Records management	Preventive
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727	Records management	Preventive
Log any notices filed by the organization into the recordkeeping system. CC ID 11725	Records management	Preventive
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723	Records management	Preventive
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720	Records management	Preventive
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717	Records management	Preventive
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712	Records management	Preventive
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726	Records management	Preventive
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715	Records management	Preventive
Log the disclosure of personal data. CC ID 06628	Privacy protection for information and data	Preventive
Log the modification of personal data. CC ID 11844	Privacy protection for information and data	Preventive
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Privacy protection for information and data	Detective
Log dates for account name changes or address changes. CC ID 04876	Privacy protection for information and data	Detective

Monitor and Evaluate Occurrences

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitoring and measurement	Preventive
Monitor systems for inappropriate usage and other security violations. CC ID 00585	Monitoring and measurement	Detective
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]	Monitoring and measurement	Detective
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873	Human Resources management	Preventive
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872	Human Resources management	Preventive
Determine the incident severity level when assessing the security incidents. CC ID 01650	Operational management	Corrective
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453	Operational management	Detective
Require personnel to monitor for and report suspicious account activity. CC ID 16462	Operational management	Detective
Respond to and triage when an incident is detected. CC ID 06942	Operational management	Detective
Escalate incidents, as necessary. CC ID 14861	Operational management	Corrective
Check the precursors and indicators when assessing the security incidents. CC ID 01761	Operational management	Corrective
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265	Operational management	Detective
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234	Operational management	Preventive
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Privacy protection for information and data	Preventive
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Privacy protection for information and data	Detective
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Privacy protection for information and data	Corrective
Review accounts that are changed for additional user requests. CC ID 11846	Privacy protection for information and data	Detective
Review monitored websites for data leakage. CC ID 10593	Privacy protection for information and data	Detective
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679	Privacy protection for information and data	Preventive
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761	Privacy protection for information and data	Preventive
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762	Privacy protection for information and data	Preventive

Process or Activity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Update or adjust fraud detection systems, as necessary. CC ID 13684	Monitoring and measurement	Corrective
Align the enterprise architecture with the system security plan. CC ID 14255	Monitoring and measurement	Preventive
Correct compliance violations. CC ID 13515 [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]	Monitoring and measurement	Corrective
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of sensitive data; Section 10(b) (3) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: any processing activities involving personal data that present a heightened risk of harm to consumers; and Section 10(b) (4) {data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c) {data protection assessment} A data privacy and protection assessment must include the description of policies and procedures required by paragraph (a). Section 10(e) {be similar} A single data protection assessment may address multiple sets of comparable processing operations that include similar activities. Section 10(h) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: Section 10(b) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of targeted advertising; Section 10(b) (1) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the sale of personal data; Section 10(b) (2)]	Audits and risk management	Preventive
Implement digital identification processes. CC ID 13731	Technical security	Preventive
Implement identity proofing processes. CC ID 13719 [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]	Technical security	Preventive
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786	Technical security	Preventive
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787	Technical security	Preventive
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776	Technical security	Detective
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750	Technical security	Preventive
Interact with the data subject when performing remote proofing. CC ID 13777	Technical security	Detective
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742	Technical security	Preventive
View all applicant actions when performing remote proofing. CC ID 13804	Technical security	Detective
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741	Technical security	Preventive
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755	Technical security	Detective
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743	Technical security	Detective
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752	Technical security	Preventive
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785	Technical security	Preventive
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774	Technical security	Detective
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773	Technical security	Preventive
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749	Technical security	Preventive
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744	Technical security	Detective
Validate proof of identity during the identity proofing process. CC ID 13756	Technical security	Detective
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803	Technical security	Detective
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784	Technical security	Detective
Allow records that relate to the data subject as proof of identity. CC ID 13772	Technical security	Preventive
Conduct in-person proofing with physical interactions. CC ID 13775	Technical security	Detective
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748	Technical security	Preventive
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739	Technical security	Preventive
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738	Technical security	Preventive
Refrain from approving attributes in the identity proofing process. CC ID 13716	Technical security	Preventive
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Operational management	Corrective
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Operational management	Corrective
Contain the incident to prevent further loss. CC ID 01751	Operational management	Corrective
Revoke the written request to delay the notification. CC ID 16843	Operational management	Preventive
Post the incident response notification on the organization's website. CC ID 16809	Operational management	Preventive
Document the determination for providing a substitute incident response notification. CC ID 16841	Operational management	Preventive
Conduct incident investigations, as necessary. CC ID 13826	Operational management	Detective
Display required information automatically in electronic health records. CC ID 14442	Records management	Preventive
Create export summaries, as necessary. CC ID 14446	Records management	Preventive
Identify patient-specific education resources. CC ID 14439	Records management	Detective
Require a data protection impact assessment when profiling the data subject. CC ID 12680 [{data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or disparate impact on, consumers; Section 10(b) (5)(i) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: financial, physical, or reputational injury to consumers; Section 10(b) (5)(ii) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or Section 10(b) (5)(iii) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: other substantial injury to consumers. Section 10(b) (5)(iv)]	Privacy protection for information and data	Detective
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]	Privacy protection for information and data	Preventive
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588	Privacy protection for information and data	Preventive
Provide the data subject with the data retention period for personal data. CC ID 12587	Privacy protection for information and data	Preventive
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589	Privacy protection for information and data	Preventive
Provide the data subject with the adequacy decision. CC ID 12586	Privacy protection for information and data	Preventive
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585	Privacy protection for information and data	Preventive
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608	Privacy protection for information and data	Preventive
Notify the data subject of the right to data portability. CC ID 12603	Privacy protection for information and data	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Privacy protection for information and data	Preventive
Provide shareholders access to electronic messages via electronic means. CC ID 11855	Privacy protection for information and data	Preventive
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614	Privacy protection for information and data	Preventive
Align the enterprise architecture with the privacy plan. CC ID 14705	Privacy protection for information and data	Preventive
Confirm the individual's identity before granting an opt-out request. CC ID 16813	Privacy protection for information and data	Preventive
Approve the approval application unless applicant has been convicted. CC ID 16603	Privacy protection for information and data	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]	Privacy protection for information and data	Preventive
Allow data subjects to submit data requests. CC ID 16545 [A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise. Section 6 Subdivision 2(a)]	Privacy protection for information and data	Preventive
Define what is included in a request for a waiver or reduction of fees. CC ID 15522	Privacy protection for information and data	Preventive
Allow affected third parties to consent or object to a data access request. CC ID 08704	Privacy protection for information and data	Preventive
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778	Privacy protection for information and data	Detective
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644	Privacy protection for information and data	Preventive
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Privacy protection for information and data	Preventive
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Preventive
Search the Internet for evidence of data leakage. CC ID 10419	Privacy protection for information and data	Detective
Alert appropriate personnel when data leakage is detected. CC ID 14715	Privacy protection for information and data	Preventive
Take appropriate action when a data leakage is discovered. CC ID 14716	Privacy protection for information and data	Corrective
Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000	Privacy protection for information and data	Preventive
Remove or uninstall software from an individual's computer, as necessary. CC ID 13998	Privacy protection for information and data	Preventive
Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997	Privacy protection for information and data	Preventive
Define the fee structure for the appeal process. CC ID 16532	Privacy protection for information and data	Preventive
Define the time requirements for the appeal process. CC ID 16531	Privacy protection for information and data	Preventive
Interview appropriate parties to validate consumer information. CC ID 16902	Privacy protection for information and data	Preventive
Use contact methods specified by the consumer for identity verification. CC ID 16878	Privacy protection for information and data	Preventive
Assess third parties' compliance environment during due diligence. CC ID 13134	Third Party and supply chain oversight	Detective

Records Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain incident management audit logs. CC ID 13514	Operational management	Preventive
Capture the records required by organizational compliance requirements. CC ID 00912 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]	Records management	Detective
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438	Records management	Preventive
Establish and maintain an implantable device list. CC ID 14444	Records management	Preventive
Establish, implement, and maintain a recordkeeping system. CC ID 15709	Records management	Preventive
Log the termination date in the recordkeeping system. CC ID 16181	Records management	Preventive
Log the name of the requestor in the recordkeeping system. CC ID 15712	Records management	Preventive
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711	Records management	Preventive
Log records as being received into the recordkeeping system. CC ID 11696	Records management	Preventive
Establish, implement, and maintain a transfer journal. CC ID 11729	Records management	Preventive
Provide a receipt of records logged into the recordkeeping system. CC ID 11697	Records management	Preventive
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Privacy protection for information and data	Preventive
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Privacy protection for information and data	Preventive
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Privacy protection for information and data	Corrective
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Privacy protection for information and data	Corrective
Grant access to education records in support of educational program audits. CC ID 13032	Privacy protection for information and data	Preventive
Grant access to education records in support of external requirements. CC ID 13033	Privacy protection for information and data	Preventive
Collect and retain disclosure authorizations for each data subject. CC ID 13434	Privacy protection for information and data	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Preventive
Submit personal data removal requests in writing. CC ID 11973	Privacy protection for information and data	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Privacy protection for information and data	Corrective
Refrain from processing restricted data, as necessary. CC ID 12551	Privacy protection for information and data	Preventive
Include the data protection officer's contact information in the record of processing activities. CC ID 12640	Privacy protection for information and data	Preventive
Include the data processor's contact information in the record of processing activities. CC ID 12657	Privacy protection for information and data	Preventive
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658	Privacy protection for information and data	Preventive
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641	Privacy protection for information and data	Preventive
Include a description of the data subject categories in the record of processing activities. CC ID 12659	Privacy protection for information and data	Preventive
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663	Privacy protection for information and data	Preventive
Include the personal data processing categories in the record of processing activities. CC ID 12661	Privacy protection for information and data	Preventive
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690	Privacy protection for information and data	Preventive
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664	Privacy protection for information and data	Preventive
Include a description of the personal data categories in the record of processing activities. CC ID 12660	Privacy protection for information and data	Preventive
Include the joint data controller's contact information in the record of processing activities. CC ID 12639	Privacy protection for information and data	Preventive
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638	Privacy protection for information and data	Preventive
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643	Privacy protection for information and data	Preventive
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642	Privacy protection for information and data	Preventive
Include the data controller's contact information in the record of processing activities. CC ID 12637	Privacy protection for information and data	Preventive
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Privacy protection for information and data	Preventive
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]	Privacy protection for information and data	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A consumer has the right to delete personal data concerning the consumer. Section 6 Subdivision 1(d)]	Privacy protection for information and data	Preventive
Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428	Privacy protection for information and data	Preventive

Systems Design, Build, and Implementation

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Apply security controls to each level of the information classification standard. CC ID 01903	Operational management	Preventive

Technical Security

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Control access rights to organizational assets. CC ID 00004	Technical security	Preventive
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002	Technical security	Preventive
Identify and control all network access controls. CC ID 00529	Technical security	Preventive
Categorize the incident following an incident response. CC ID 13208	Operational management	Preventive
Wipe data and memory after an incident has been detected. CC ID 16850	Operational management	Corrective
Refrain from accessing compromised systems. CC ID 01752	Operational management	Corrective
Isolate compromised systems from the network. CC ID 01753	Operational management	Corrective
Change authenticators after a security incident has been detected. CC ID 06789	Operational management	Corrective
Change wireless access variables after a data loss event has been detected. CC ID 01756	Operational management	Corrective
Re-image compromised systems with secure builds. CC ID 12086	Operational management	Corrective
Integrate configuration management procedures into the incident management program. CC ID 13647	Operational management	Preventive
Respond when an integrity violation is detected, as necessary. CC ID 10678	Operational management	Corrective
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Operational management	Corrective
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Operational management	Corrective
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Privacy protection for information and data	Preventive
Display warning screens and confirmation screens for all payment transactions. CC ID 06409	Privacy protection for information and data	Preventive
Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880	Privacy protection for information and data	Preventive
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Privacy protection for information and data	Preventive
Employ a random number generator to create authenticators. CC ID 13782	Privacy protection for information and data	Preventive
Provide unobservability of users and resources. CC ID 04551	Privacy protection for information and data	Preventive
Protect electronic messaging information. CC ID 12022	Privacy protection for information and data	Preventive
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Privacy protection for information and data	Preventive
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Privacy protection for information and data	Preventive
Implement security measures to protect personal data. CC ID 13606 [{technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]	Privacy protection for information and data	Preventive

Testing

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain a system security plan. CC ID 01922 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Monitoring and measurement	Preventive
Adhere to the system security plan. CC ID 11640	Monitoring and measurement	Detective
Validate all testing assumptions in the test plans. CC ID 00663	Monitoring and measurement	Detective
Require testing procedures to be complete. CC ID 00664	Monitoring and measurement	Detective
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665	Monitoring and measurement	Preventive
Assess all incidents to determine what information was accessed. CC ID 01226	Operational management	Corrective
Test incident monitoring procedures. CC ID 13194	Operational management	Detective
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Privacy protection for information and data	Detective
Implement physical controls to protect personal data. CC ID 00355	Privacy protection for information and data	Preventive
Conduct personal data risk assessments. CC ID 00357	Privacy protection for information and data	Detective
Conduct internal data processing audits. CC ID 00374	Privacy protection for information and data	Detective
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218	Privacy protection for information and data	Detective
Record restricted data correctly. CC ID 00089	Privacy protection for information and data	Detective
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861	Privacy protection for information and data	Detective

Common Controls and
mandates by Classification 143 Mandated Controls - bold
87 Implied Controls - italic 1264 Implementation

Number of Controls

1494 Total

Corrective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Update or adjust fraud detection systems, as necessary. CC ID 13684	Monitoring and measurement	Process or Activity
Determine the causes of compliance violations. CC ID 12401	Monitoring and measurement	Investigate
Correct compliance violations. CC ID 13515 [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]	Monitoring and measurement	Process or Activity
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675	Monitoring and measurement	Behavior
Respond to ethics complaints of ethics violations. CC ID 11497	Human Resources management	Business Processes
Determine the incident severity level when assessing the security incidents. CC ID 01650	Operational management	Monitor and Evaluate Occurrences
Escalate incidents, as necessary. CC ID 14861	Operational management	Monitor and Evaluate Occurrences
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Operational management	Process or Activity
Respond to all alerts from security systems in a timely manner. CC ID 06434	Operational management	Behavior
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Operational management	Process or Activity
Contain the incident to prevent further loss. CC ID 01751	Operational management	Process or Activity
Wipe data and memory after an incident has been detected. CC ID 16850	Operational management	Technical Security
Refrain from accessing compromised systems. CC ID 01752	Operational management	Technical Security
Isolate compromised systems from the network. CC ID 01753	Operational management	Technical Security
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754	Operational management	Log Management
Change authenticators after a security incident has been detected. CC ID 06789	Operational management	Technical Security
Assess all incidents to determine what information was accessed. CC ID 01226	Operational management	Testing
Check the precursors and indicators when assessing the security incidents. CC ID 01761	Operational management	Monitor and Evaluate Occurrences
Share incident information with interested personnel and affected parties. CC ID 01212	Operational management	Data and Information Management
Share data loss event information with the media. CC ID 01759	Operational management	Behavior
Share data loss event information with interconnected system owners. CC ID 01209	Operational management	Establish/Maintain Documentation
Report data loss event information to breach notification organizations. CC ID 01210	Operational management	Data and Information Management
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Behavior
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365	Operational management	Behavior
Delay sending incident response notifications under predetermined conditions. CC ID 00804	Operational management	Behavior
Establish, implement, and maintain incident response notifications. CC ID 12975	Operational management	Establish/Maintain Documentation
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Operational management	Communicate
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Operational management	Business Processes
Send paper incident response notifications to affected parties, as necessary. CC ID 00366	Operational management	Behavior
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803	Operational management	Behavior
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368	Operational management	Behavior
Telephone incident response notifications to affected parties, as necessary. CC ID 04650	Operational management	Behavior
Publish the incident response notification in a general circulation periodical. CC ID 04651	Operational management	Behavior
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367	Operational management	Behavior
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347	Operational management	Communicate
Include incident recovery procedures in the Incident Management program. CC ID 01758	Operational management	Establish/Maintain Documentation
Change wireless access variables after a data loss event has been detected. CC ID 01756	Operational management	Technical Security
Eradicate the cause of the incident after the incident has been contained. CC ID 01757	Operational management	Business Processes
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611	Operational management	Human Resources Management
Re-image compromised systems with secure builds. CC ID 12086	Operational management	Technical Security
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858	Operational management	Establish/Maintain Documentation
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238	Operational management	Log Management
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]	Operational management	Communicate
Respond when an integrity violation is detected, as necessary. CC ID 10678	Operational management	Technical Security
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Operational management	Technical Security
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Operational management	Technical Security
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434	Privacy protection for information and data	Establish/Maintain Documentation
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Privacy protection for information and data	Records Management
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Privacy protection for information and data	Records Management
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368	Privacy protection for information and data	Establish/Maintain Documentation
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate private communications when required by law. CC ID 14335	Privacy protection for information and data	Communicate
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Privacy protection for information and data	Communicate
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Privacy protection for information and data	Records Management
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Privacy protection for information and data	Communicate
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Privacy protection for information and data	Communicate
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086	Privacy protection for information and data	Communicate
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989	Privacy protection for information and data	Communicate
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Privacy protection for information and data	Monitor and Evaluate Occurrences
Take appropriate action when a data leakage is discovered. CC ID 14716	Privacy protection for information and data	Process or Activity
Implement procedures to file privacy rights violation complaints. CC ID 00476	Privacy protection for information and data	Data and Information Management
File privacy rights violation complaints in writing. CC ID 00477	Privacy protection for information and data	Establish/Maintain Documentation
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360	Privacy protection for information and data	Establish/Maintain Documentation
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478	Privacy protection for information and data	Behavior
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479	Privacy protection for information and data	Behavior
Change or destroy any personal data that is incorrect. CC ID 00462 [{be inaccurate} A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data. Section 6 Subdivision 1(c)]	Privacy protection for information and data	Data and Information Management
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Behavior
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Data and Information Management
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Privacy protection for information and data	Behavior
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467	Privacy protection for information and data	Behavior
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475	Privacy protection for information and data	Data and Information Management
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; Section 11(a) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; Section 11(a) (3)]	Privacy protection for information and data	Business Processes
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513	Privacy protection for information and data	Communicate
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495	Privacy protection for information and data	Establish/Maintain Documentation
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496	Privacy protection for information and data	Behavior
Order the organization to change to be in compliance with applicable law. CC ID 00499	Privacy protection for information and data	Behavior
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500	Privacy protection for information and data	Behavior
Award damages based on applicable law. CC ID 00501	Privacy protection for information and data	Behavior
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503	Privacy protection for information and data	Data and Information Management

Detective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Monitoring and measurement	Log Management
Monitor systems for inappropriate usage and other security violations. CC ID 00585	Monitoring and measurement	Monitor and Evaluate Occurrences
Adhere to the system security plan. CC ID 11640	Monitoring and measurement	Testing
Validate all testing assumptions in the test plans. CC ID 00663	Monitoring and measurement	Testing
Require testing procedures to be complete. CC ID 00664	Monitoring and measurement	Testing
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]	Monitoring and measurement	Monitor and Evaluate Occurrences
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063	Monitoring and measurement	Business Processes
Determine if multiple compliance violations of the same type could occur. CC ID 12402	Monitoring and measurement	Investigate
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403	Monitoring and measurement	Investigate
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776	Technical security	Process or Activity
Interact with the data subject when performing remote proofing. CC ID 13777	Technical security	Process or Activity
View all applicant actions when performing remote proofing. CC ID 13804	Technical security	Process or Activity
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755	Technical security	Process or Activity
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743	Technical security	Process or Activity
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774	Technical security	Process or Activity
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744	Technical security	Process or Activity
Validate proof of identity during the identity proofing process. CC ID 13756	Technical security	Process or Activity
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797	Technical security	Business Processes
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803	Technical security	Process or Activity
Verify proof of identity records. CC ID 13761	Technical security	Investigate
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784	Technical security	Process or Activity
Conduct in-person proofing with physical interactions. CC ID 13775	Technical security	Process or Activity
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]	Technical security	Establish/Maintain Documentation
Provide security inspectors access to personnel files during site reviews. CC ID 12300	Human Resources management	Audits and Risk Management
Establish, implement, and maintain an anti-money laundering program. CC ID 13675	Operational management	Business Processes
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453	Operational management	Monitor and Evaluate Occurrences
Require personnel to monitor for and report suspicious account activity. CC ID 16462	Operational management	Monitor and Evaluate Occurrences
Identify root causes of incidents that force system changes. CC ID 13482	Operational management	Investigate
Respond to and triage when an incident is detected. CC ID 06942	Operational management	Monitor and Evaluate Occurrences
Document the incident and any relevant evidence in the incident report. CC ID 08659	Operational management	Establish/Maintain Documentation
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677	Operational management	Investigate
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674	Operational management	Establish/Maintain Documentation
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678	Operational management	Establish/Maintain Documentation
Analyze the incident response process following an incident response. CC ID 13179	Operational management	Investigate
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Log Management
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801	Operational management	Behavior
Avoid false positive incident response notifications. CC ID 04732	Operational management	Behavior
Include information required by law in incident response notifications. CC ID 00802	Operational management	Establish/Maintain Documentation
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Operational management	Establish/Maintain Documentation
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265	Operational management	Monitor and Evaluate Occurrences
Test incident monitoring procedures. CC ID 13194	Operational management	Testing
Conduct incident investigations, as necessary. CC ID 13826	Operational management	Process or Activity
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042	Operational management	Investigate
Identify the affected parties during incident investigations. CC ID 16781	Operational management	Investigate
Interview suspects during incident investigations, as necessary. CC ID 14041	Operational management	Investigate
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038	Operational management	Investigate
Establish, implement, and maintain incident response procedures. CC ID 01206 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Establish/Maintain Documentation
Capture the records required by organizational compliance requirements. CC ID 00912 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]	Records management	Records Management
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555	Records management	Data and Information Management
Identify patient-specific education resources. CC ID 14439	Records management	Process or Activity
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720	Records management	Data and Information Management
Require a data protection impact assessment when profiling the data subject. CC ID 12680 [{data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or disparate impact on, consumers; Section 10(b) (5)(i) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: financial, physical, or reputational injury to consumers; Section 10(b) (5)(ii) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or Section 10(b) (5)(iii) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: other substantial injury to consumers. Section 10(b) (5)(iv)]	Privacy protection for information and data	Process or Activity
Document privacy policies in clearly written and easily understood language. CC ID 00376	Privacy protection for information and data	Establish/Maintain Documentation
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Behavior
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423	Privacy protection for information and data	Behavior
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778	Privacy protection for information and data	Process or Activity
Analyze requirements for processing personal data in contracts. CC ID 12550 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Investigate
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158	Privacy protection for information and data	Data and Information Management
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162	Privacy protection for information and data	Establish/Maintain Documentation
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Privacy protection for information and data	Data and Information Management
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488	Privacy protection for information and data	Business Processes
Confirm the data quality of personal data collected from third parties. CC ID 13510	Privacy protection for information and data	Investigate
Review the methods for collecting personal data, as necessary. CC ID 13511	Privacy protection for information and data	Investigate
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Privacy protection for information and data	Testing
Conduct personal data risk assessments. CC ID 00357	Privacy protection for information and data	Testing
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Privacy protection for information and data	Data and Information Management
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Privacy protection for information and data	Monitor and Evaluate Occurrences
Perform an identity check prior to approving an account change request. CC ID 13670	Privacy protection for information and data	Investigate
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Privacy protection for information and data	Behavior
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Privacy protection for information and data	Data and Information Management
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Privacy protection for information and data	Log Management
Log dates for account name changes or address changes. CC ID 04876	Privacy protection for information and data	Log Management
Review accounts that are changed for additional user requests. CC ID 11846	Privacy protection for information and data	Monitor and Evaluate Occurrences
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Privacy protection for information and data	Data and Information Management
Search the Internet for evidence of data leakage. CC ID 10419	Privacy protection for information and data	Process or Activity
Review monitored websites for data leakage. CC ID 10593	Privacy protection for information and data	Monitor and Evaluate Occurrences
Conduct internal data processing audits. CC ID 00374	Privacy protection for information and data	Testing
Review compliance with the organization's privacy objectives. CC ID 13490 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)]	Privacy protection for information and data	Human Resources Management
Investigate privacy rights violation complaints. CC ID 00480	Privacy protection for information and data	Behavior
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491	Privacy protection for information and data	Behavior
Investigate privacy rights violation complaints in private. CC ID 00492	Privacy protection for information and data	Behavior
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493	Privacy protection for information and data	Behavior
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494	Privacy protection for information and data	Behavior
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218	Privacy protection for information and data	Testing
Record restricted data correctly. CC ID 00089	Privacy protection for information and data	Testing
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861	Privacy protection for information and data	Testing
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870	Privacy protection for information and data	Data and Information Management
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871	Privacy protection for information and data	Behavior
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872	Privacy protection for information and data	Data and Information Management
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972	Privacy protection for information and data	Business Processes
Assess third parties' compliance environment during due diligence. CC ID 13134	Third Party and supply chain oversight	Process or Activity
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d)]	Third Party and supply chain oversight	Establish/Maintain Documentation
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063	Third Party and supply chain oversight	Establish/Maintain Documentation
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065	Third Party and supply chain oversight	Establish/Maintain Documentation

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Technical security CC ID 00508	Technical security	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone
Acquisition or sale of facilities, technology, and services CC ID 01123	Acquisition or sale of facilities, technology, and services	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Third Party and supply chain oversight CC ID 08807	Third Party and supply chain oversight	IT Impact Zone

Preventive

1307

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Establish/Maintain Documentation
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: the name and contact information for the controller's chief privacy individual with primary responsibility for directing the policies and procedures implemented to comply with the provisions of this chapter; and Section 10(a) (1)]	Leadership and high level objectives	Establish/Maintain Documentation
Include the effective date on all organizational policies. CC ID 06820 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the date the privacy notice was last updated. Section 8 Subdivision 1(a) (8)]	Leadership and high level objectives	Establish/Maintain Documentation
Establish and maintain an Authority Document list. CC ID 07113	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: Section 10(a)]	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Leadership and high level objectives	Communicate
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]	Leadership and high level objectives	Establish/Maintain Documentation
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Leadership and high level objectives	Establish/Maintain Documentation
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in paragraph (f). Section 11(g)]	Leadership and high level objectives	Establish/Maintain Documentation
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Leadership and high level objectives	Business Processes
Include when exemptions expire in the compliance exception standard. CC ID 14330	Leadership and high level objectives	Establish/Maintain Documentation
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Leadership and high level objectives	Establish Roles
Include management of the exemption register in the compliance exception standard. CC ID 14328	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945	Leadership and high level objectives	Communicate
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitoring and measurement	Monitor and Evaluate Occurrences
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Monitoring and measurement	Audits and Risk Management
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983	Monitoring and measurement	Acquisition/Sale of Assets or Services
Establish, implement, and maintain a risk monitoring program. CC ID 00658	Monitoring and measurement	Establish/Maintain Documentation
Implement a fraud detection system. CC ID 13081 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Monitoring and measurement	Business Processes
Establish, implement, and maintain a system security plan. CC ID 01922 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Monitoring and measurement	Testing
Include a system description in the system security plan. CC ID 16467	Monitoring and measurement	Establish/Maintain Documentation
Include a description of the operational context in the system security plan. CC ID 14301	Monitoring and measurement	Establish/Maintain Documentation
Include the results of the security categorization in the system security plan. CC ID 14281	Monitoring and measurement	Establish/Maintain Documentation
Include the information types in the system security plan. CC ID 14696	Monitoring and measurement	Establish/Maintain Documentation
Include the security requirements in the system security plan. CC ID 14274	Monitoring and measurement	Establish/Maintain Documentation
Include cryptographic key management procedures in the system security plan. CC ID 17029	Monitoring and measurement	Establish/Maintain Documentation
Include threats in the system security plan. CC ID 14693	Monitoring and measurement	Establish/Maintain Documentation
Include network diagrams in the system security plan. CC ID 14273	Monitoring and measurement	Establish/Maintain Documentation
Include roles and responsibilities in the system security plan. CC ID 14682	Monitoring and measurement	Establish/Maintain Documentation
Include backup and recovery procedures in the system security plan. CC ID 17043	Monitoring and measurement	Establish/Maintain Documentation
Include the results of the privacy risk assessment in the system security plan. CC ID 14676	Monitoring and measurement	Establish/Maintain Documentation
Include remote access methods in the system security plan. CC ID 16441	Monitoring and measurement	Establish/Maintain Documentation
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275	Monitoring and measurement	Communicate
Include a description of the operational environment in the system security plan. CC ID 14272	Monitoring and measurement	Establish/Maintain Documentation
Include the security categorizations and rationale in the system security plan. CC ID 14270	Monitoring and measurement	Establish/Maintain Documentation
Include the authorization boundary in the system security plan. CC ID 14257	Monitoring and measurement	Establish/Maintain Documentation
Align the enterprise architecture with the system security plan. CC ID 14255	Monitoring and measurement	Process or Activity
Include security controls in the system security plan. CC ID 14239	Monitoring and measurement	Establish/Maintain Documentation
Create specific test plans to test each system component. CC ID 00661	Monitoring and measurement	Establish/Maintain Documentation
Include the roles and responsibilities in the test plan. CC ID 14299	Monitoring and measurement	Establish/Maintain Documentation
Include the assessment team in the test plan. CC ID 14297	Monitoring and measurement	Establish/Maintain Documentation
Include the scope in the test plans. CC ID 14293	Monitoring and measurement	Establish/Maintain Documentation
Include the assessment environment in the test plan. CC ID 14271	Monitoring and measurement	Establish/Maintain Documentation
Approve the system security plan. CC ID 14241	Monitoring and measurement	Business Processes
Review the test plans for each system component. CC ID 00662	Monitoring and measurement	Establish/Maintain Documentation
Document validated testing processes in the testing procedures. CC ID 06200	Monitoring and measurement	Establish/Maintain Documentation
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827	Monitoring and measurement	Establish/Maintain Documentation
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665	Monitoring and measurement	Testing
Implement automated audit tools. CC ID 04882	Monitoring and measurement	Acquisition/Sale of Assets or Services
Assign senior management to approve test plans. CC ID 13071	Monitoring and measurement	Human Resources Management
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Monitoring and measurement	Establish/Maintain Documentation
Identify and document instances of non-compliance with the compliance framework. CC ID 06499	Monitoring and measurement	Establish/Maintain Documentation
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935	Monitoring and measurement	Establish/Maintain Documentation
Align disciplinary actions with the level of compliance violation. CC ID 12404	Monitoring and measurement	Human Resources Management
Establish, implement, and maintain disciplinary action notices. CC ID 16577	Monitoring and measurement	Establish/Maintain Documentation
Include a copy of the order in the disciplinary action notice. CC ID 16606	Monitoring and measurement	Establish/Maintain Documentation
Include the sanctions imposed in the disciplinary action notice. CC ID 16599	Monitoring and measurement	Establish/Maintain Documentation
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589	Monitoring and measurement	Establish/Maintain Documentation
Include the requirements that were violated in the disciplinary action notice. CC ID 16588	Monitoring and measurement	Establish/Maintain Documentation
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587	Monitoring and measurement	Establish/Maintain Documentation
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586	Monitoring and measurement	Establish/Maintain Documentation
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585	Monitoring and measurement	Communicate
Include required information in the disciplinary action notice. CC ID 16584	Monitoring and measurement	Establish/Maintain Documentation
Include a justification for actions taken in the disciplinary action notice. CC ID 16583	Monitoring and measurement	Establish/Maintain Documentation
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582	Monitoring and measurement	Establish/Maintain Documentation
Include the investigation results in the disciplinary action notice. CC ID 16581	Monitoring and measurement	Establish/Maintain Documentation
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580	Monitoring and measurement	Establish/Maintain Documentation
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579	Monitoring and measurement	Establish/Maintain Documentation
Include contact information in the disciplinary action notice. CC ID 16578	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a Statement of Compliance. CC ID 12499	Audits and risk management	Establish/Maintain Documentation
Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: Section 10(a) (2)]	Audits and risk management	Establish/Maintain Documentation
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818	Audits and risk management	Actionable Reports or Measurements
Include the outcomes of privacy rights violation complaints received in the Statement of Compliance. CC ID 12534	Audits and risk management	Establish/Maintain Documentation
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175	Audits and risk management	Establish/Maintain Documentation
Include dispute resolution quality measures in the Statement of Compliance. CC ID 12533	Audits and risk management	Establish/Maintain Documentation
Include the type of privacy rights violation complaints received in the Statement of Compliance. CC ID 12532	Audits and risk management	Establish/Maintain Documentation
Include the number of privacy rights violation complaints received in the Statement of Compliance. CC ID 12530	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of sensitive data; Section 10(b) (3) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: any processing activities involving personal data that present a heightened risk of harm to consumers; and Section 10(b) (4) {data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c) {data protection assessment} A data privacy and protection assessment must include the description of policies and procedures required by paragraph (a). Section 10(e) {be similar} A single data protection assessment may address multiple sets of comparable processing operations that include similar activities. Section 10(h) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: Section 10(b) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of targeted advertising; Section 10(b) (1) {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the sale of personal data; Section 10(b) (2)]	Audits and risk management	Process or Activity
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Establish/Maintain Documentation
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Establish/Maintain Documentation
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c) {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} {data protection assessment} As part of a civil investigative demand, the attorney general may request, in writing, that a controller disclose any data privacy and protection assessment that is relevant to an investigation conducted by the attorney general. The controller must make a data privacy and protection assessment available to the attorney general upon a request made under this paragraph. The attorney general may evaluate the data privacy and protection assessments for compliance with this chapter. Data privacy and protection assessments are classified as nonpublic data, as defined by section 13.02, subdivision 9. The disclosure of a data privacy and protection assessment pursuant to a request from the attorney general under this paragraph does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment. Section 10(f)]	Audits and risk management	Communicate
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Establish/Maintain Documentation
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Establish/Maintain Documentation
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c) {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a digital identity management program. CC ID 13713	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise the rights of this chapter on the child's behalf. Section 6 Subdivision 2(b) In the case of processing personal data concerning a consumer legally subject to guardianship or conservatorship under sections 524.5-101 to 524.5-502, the guardian or the conservator of the consumer may exercise the rights of this chapter on the consumer's behalf. Section 6 Subdivision 2(c) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]	Technical security	Establish/Maintain Documentation
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802	Technical security	Establish/Maintain Documentation
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801	Technical security	Establish/Maintain Documentation
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800	Technical security	Establish/Maintain Documentation
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain digital identification procedures. CC ID 13714	Technical security	Establish/Maintain Documentation
Implement digital identification processes. CC ID 13731	Technical security	Process or Activity
Implement identity proofing processes. CC ID 13719 [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]	Technical security	Process or Activity
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786	Technical security	Process or Activity
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787	Technical security	Process or Activity
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750	Technical security	Process or Activity
Establish, implement, and maintain remote proofing procedures. CC ID 13796	Technical security	Establish/Maintain Documentation
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805	Technical security	Configuration
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742	Technical security	Process or Activity
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741	Technical security	Process or Activity
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752	Technical security	Process or Activity
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785	Technical security	Process or Activity
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773	Technical security	Process or Activity
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745	Technical security	Configuration
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746	Technical security	Configuration
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747	Technical security	Configuration
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749	Technical security	Process or Activity
Allow records that relate to the data subject as proof of identity. CC ID 13772	Technical security	Process or Activity
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748	Technical security	Process or Activity
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739	Technical security	Process or Activity
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738	Technical security	Process or Activity
Refrain from approving attributes in the identity proofing process. CC ID 13716	Technical security	Process or Activity
Establish, implement, and maintain an access control program. CC ID 11702	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain an access rights management plan. CC ID 00513	Technical security	Establish/Maintain Documentation
Control access rights to organizational assets. CC ID 00004	Technical security	Technical Security
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Technical security	Establish Roles
Enforce access restrictions for restricted data. CC ID 01921 [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]	Technical security	Data and Information Management
Establish, implement, and maintain an identification and authentication policy. CC ID 14033	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]	Technical security	Establish/Maintain Documentation
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002	Technical security	Technical Security
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223	Technical security	Communicate
Identify and control all network access controls. CC ID 00529	Technical security	Technical Security
Establish, implement, and maintain a network configuration standard. CC ID 00530	Technical security	Establish/Maintain Documentation
Maintain up-to-date data flow diagrams. CC ID 10059	Technical security	Establish/Maintain Documentation
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Human Resources Management
Identify and define all critical roles. CC ID 00777	Human Resources management	Establish Roles
Define and assign the data processor's roles and responsibilities. CC ID 12607 [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a) {technical measures} taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 325O.05; and Section 5(b) (1) {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]	Human Resources management	Human Resources Management
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]	Human Resources management	Human Resources Management
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Human Resources management	Communicate
Define and assign the data controller's roles and responsibilities. CC ID 00471 [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a) {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]	Human Resources management	Establish Roles
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources management	Human Resources Management
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources management	Human Resources Management
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources management	Human Resources Management
Assign the role of data controller to applicable controls. CC ID 00354	Human Resources management	Establish Roles
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources management	Human Resources Management
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Human Resources management	Establish Roles
Establish, implement, and maintain a legal support program. CC ID 13710 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: investigate, establish, exercise, prepare for, or defend legal claims; Section 11(a) (4) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Human Resources management	Establish/Maintain Documentation
Establish, implement, and maintain an ethics program. CC ID 11496 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Human Resources management	Human Resources Management
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858	Human Resources management	Communicate
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908	Human Resources management	Behavior
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900	Human Resources management	Investigate
Establish, implement, and maintain an ethical culture. CC ID 12781	Human Resources management	Behavior
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873	Human Resources management	Monitor and Evaluate Occurrences
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872	Human Resources management	Monitor and Evaluate Occurrences
Refrain from practicing false advertising. CC ID 14253	Human Resources management	Business Processes
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806	Human Resources management	Business Processes
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859	Human Resources management	Communicate
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835	Human Resources management	Establish/Maintain Documentation
Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608	Human Resources management	Behavior
Refrain from discriminating against employees who are whistleblowers. CC ID 13609	Human Resources management	Behavior
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607	Human Resources management	Behavior
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Human Resources management	Human Resources Management
Include prohibiting counterfeiting in the ethics program. CC ID 11517	Human Resources management	Human Resources Management
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055	Human Resources management	Human Resources Management
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061	Human Resources management	Establish Roles
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060	Human Resources management	Behavior
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059	Human Resources management	Behavior
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052	Human Resources management	Behavior
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Establish/Maintain Documentation
Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Operational management	Establish/Maintain Documentation
Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Operational management	Establish/Maintain Documentation
Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Operational management	Establish/Maintain Documentation
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Business Processes
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Asset Management program. CC ID 06630	Operational management	Business Processes
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902	Operational management	Establish/Maintain Documentation
Apply security controls to each level of the information classification standard. CC ID 01903	Operational management	Systems Design, Build, and Implementation
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Incident Management program. CC ID 00853 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Business Processes
Establish, implement, and maintain an incident management policy. CC ID 16414	Operational management	Establish/Maintain Documentation
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885	Operational management	Communicate
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055	Operational management	Human Resources Management
Define the uses and capabilities of the Incident Management program. CC ID 00854	Operational management	Establish/Maintain Documentation
Include incident escalation procedures in the Incident Management program. CC ID 00856	Operational management	Establish/Maintain Documentation
Define the characteristics of the Incident Management program. CC ID 00855	Operational management	Establish/Maintain Documentation
Include the criteria for a data loss event in the Incident Management program. CC ID 12179	Operational management	Establish/Maintain Documentation
Include the criteria for an incident in the Incident Management program. CC ID 12173	Operational management	Establish/Maintain Documentation
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504	Operational management	Establish/Maintain Documentation
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Establish/Maintain Documentation
Categorize the incident following an incident response. CC ID 13208	Operational management	Technical Security
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033	Operational management	Establish/Maintain Documentation
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095	Operational management	Establish/Maintain Documentation
Include the investigation methodology in the forensic investigation report. CC ID 17071	Operational management	Establish/Maintain Documentation
Include corrective actions in the forensic investigation report. CC ID 17070	Operational management	Establish/Maintain Documentation
Include the investigation results in the forensic investigation report. CC ID 17069	Operational management	Establish/Maintain Documentation
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Operational management	Data and Information Management
Redact restricted data before sharing incident information. CC ID 16994	Operational management	Data and Information Management
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Operational management	Communicate
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Operational management	Communicate
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Operational management	Establish/Maintain Documentation
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Communicate
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Communicate
Remediate security violations according to organizational standards. CC ID 12338	Operational management	Business Processes
Include data loss event notifications in the Incident Response program. CC ID 00364	Operational management	Establish/Maintain Documentation
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954	Operational management	Establish/Maintain Documentation
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Operational management	Establish/Maintain Documentation
Submit written requests to delay the notification of affected parties. CC ID 16783	Operational management	Communicate
Revoke the written request to delay the notification. CC ID 16843	Operational management	Process or Activity
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985	Operational management	Establish/Maintain Documentation
Refrain from charging for providing incident response notifications. CC ID 13876	Operational management	Business Processes
Title breach notifications "Notice of Data Breach". CC ID 12977	Operational management	Establish/Maintain Documentation
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Operational management	Establish/Maintain Documentation
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Operational management	Establish/Maintain Documentation
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Operational management	Establish/Maintain Documentation
Use plain language to write incident response notifications. CC ID 12976	Operational management	Establish/Maintain Documentation
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Operational management	Establish/Maintain Documentation
Refrain from including restricted information in the incident response notification. CC ID 16806	Operational management	Actionable Reports or Measurements
Include the affected parties rights in the incident response notification. CC ID 16811	Operational management	Establish/Maintain Documentation
Include details of the investigation in incident response notifications. CC ID 12296	Operational management	Establish/Maintain Documentation
Include the issuer's name in incident response notifications. CC ID 12062	Operational management	Establish/Maintain Documentation
Include a "What Happened" heading in breach notifications. CC ID 12978	Operational management	Establish/Maintain Documentation
Include a general description of the data loss event in incident response notifications. CC ID 04734	Operational management	Establish/Maintain Documentation
Include time information in incident response notifications. CC ID 04745	Operational management	Establish/Maintain Documentation
Include the identification of the data source in incident response notifications. CC ID 12305	Operational management	Establish/Maintain Documentation
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Operational management	Establish/Maintain Documentation
Include the type of information that was lost in incident response notifications. CC ID 04735	Operational management	Establish/Maintain Documentation
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Operational management	Establish/Maintain Documentation
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Operational management	Establish/Maintain Documentation
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Operational management	Establish/Maintain Documentation
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Operational management	Establish/Maintain Documentation
Include a "For More Information" heading in breach notifications. CC ID 12981	Operational management	Establish/Maintain Documentation
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Operational management	Establish/Maintain Documentation
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Operational management	Establish/Maintain Documentation
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Operational management	Establish/Maintain Documentation
Include any consequences in the incident response notifications. CC ID 12604	Operational management	Establish/Maintain Documentation
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Operational management	Establish/Maintain Documentation
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Operational management	Establish/Maintain Documentation
Include contact information in incident response notifications. CC ID 04739	Operational management	Establish/Maintain Documentation
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085	Operational management	Communicate
Post the incident response notification on the organization's website. CC ID 16809	Operational management	Process or Activity
Document the determination for providing a substitute incident response notification. CC ID 16841	Operational management	Process or Activity
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747	Operational management	Behavior
Include contact information in the substitute incident response notification. CC ID 16776	Operational management	Establish/Maintain Documentation
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748	Operational management	Establish/Maintain Documentation
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750	Operational management	Behavior
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769	Operational management	Behavior
Establish, implement, and maintain a containment strategy. CC ID 13480	Operational management	Establish/Maintain Documentation
Include the containment approach in the containment strategy. CC ID 13486	Operational management	Establish/Maintain Documentation
Include response times in the containment strategy. CC ID 13485	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a restoration log. CC ID 12745	Operational management	Establish/Maintain Documentation
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463	Operational management	Data and Information Management
Include a description of the restored data in the restoration log. CC ID 15462	Operational management	Data and Information Management
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592	Operational management	Establish/Maintain Documentation
Analyze security violations in Suspicious Activity Reports. CC ID 00591	Operational management	Establish/Maintain Documentation
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234	Operational management	Monitor and Evaluate Occurrences
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298	Operational management	Investigate
Update the incident response procedures using the lessons learned. CC ID 01233	Operational management	Establish/Maintain Documentation
Include incident response procedures in the Incident Management program. CC ID 01218	Operational management	Establish/Maintain Documentation
Integrate configuration management procedures into the incident management program. CC ID 13647	Operational management	Technical Security
Include incident management procedures in the Incident Management program. CC ID 12689	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334	Operational management	Establish/Maintain Documentation
Include after-action analysis procedures in the Incident Management program. CC ID 01219	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844	Operational management	Establish/Maintain Documentation
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830	Operational management	Establish/Maintain Documentation
Destroy investigative materials, as necessary. CC ID 17082	Operational management	Data and Information Management
Establish, implement, and maintain incident management audit logs. CC ID 13514	Operational management	Records Management
Log incidents in the Incident Management audit log. CC ID 00857	Operational management	Establish/Maintain Documentation
Include who the incident was reported to in the incident management audit log. CC ID 16487	Operational management	Log Management
Include the information that was exchanged in the incident management audit log. CC ID 16995	Operational management	Log Management
Include corrective actions in the incident management audit log. CC ID 16466	Operational management	Establish/Maintain Documentation
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234	Operational management	Log Management
Include emergency processing priorities in the Incident Management program. CC ID 00859	Operational management	Establish/Maintain Documentation
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387	Operational management	Establish/Maintain Documentation
Include incident record closure procedures in the Incident Management program. CC ID 01620	Operational management	Establish/Maintain Documentation
Include incident reporting procedures in the Incident Management program. CC ID 11772 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142	Operational management	Communicate
Establish, implement, and maintain an Incident Response program. CC ID 00579	Operational management	Establish/Maintain Documentation
Include incident response team structures in the Incident Response program. CC ID 01237	Operational management	Establish/Maintain Documentation
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652	Operational management	Establish Roles
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Operational management	Establish Roles
Include references to industry best practices in the incident response procedures. CC ID 11956	Operational management	Establish/Maintain Documentation
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain records management procedures. CC ID 11619	Records management	Establish/Maintain Documentation
Establish, implement, and maintain authorization records. CC ID 14367	Records management	Establish/Maintain Documentation
Include the reasons for granting the authorization in the authorization records. CC ID 14371	Records management	Establish/Maintain Documentation
Include the date and time the authorization was granted in the authorization records. CC ID 14370	Records management	Establish/Maintain Documentation
Include the person's name who approved the authorization in the authorization records. CC ID 14369	Records management	Establish/Maintain Documentation
Establish, implement, and maintain electronic health records. CC ID 14436	Records management	Data and Information Management
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437	Records management	Data and Information Management
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438	Records management	Records Management
Display required information automatically in electronic health records. CC ID 14442	Records management	Process or Activity
Create summary of care records in accordance with applicable standards. CC ID 14440	Records management	Establish/Maintain Documentation
Provide the patient with a summary of care record, as necessary. CC ID 14441	Records management	Actionable Reports or Measurements
Create export summaries, as necessary. CC ID 14446	Records management	Process or Activity
Import data files into a patient's electronic health record. CC ID 14448	Records management	Data and Information Management
Export requested sections of the electronic health record. CC ID 14447	Records management	Data and Information Management
Establish and maintain an implantable device list. CC ID 14444	Records management	Records Management
Display the implantable device list to authorized users. CC ID 14445	Records management	Data and Information Management
Establish, implement, and maintain decision support interventions. CC ID 14443	Records management	Business Processes
Include attributes in the decision support intervention. CC ID 16766	Records management	Data and Information Management
Establish, implement, and maintain a recordkeeping system. CC ID 15709	Records management	Records Management
Log the termination date in the recordkeeping system. CC ID 16181	Records management	Records Management
Log the name of the requestor in the recordkeeping system. CC ID 15712	Records management	Records Management
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711	Records management	Records Management
Log records as being received into the recordkeeping system. CC ID 11696	Records management	Records Management
Log the date and time each item is received into the recordkeeping system. CC ID 11709	Records management	Log Management
Log the date and time each item is made available into the recordkeeping system. CC ID 11710	Records management	Log Management
Log the number of routine items received into the recordkeeping system. CC ID 11701	Records management	Establish/Maintain Documentation
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707	Records management	Log Management
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705	Records management	Log Management
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703	Records management	Log Management
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711	Records management	Log Management
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718	Records management	Log Management
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719	Records management	Log Management
Log the number of non-routine items received into the recordkeeping system. CC ID 11706	Records management	Log Management
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716	Records management	Log Management
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708	Records management	Log Management
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704	Records management	Log Management
Log performance monitoring into the recordkeeping system. CC ID 11724	Records management	Log Management
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728	Records management	Log Management
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727	Records management	Log Management
Establish, implement, and maintain a transfer journal. CC ID 11729	Records management	Records Management
Log any notices filed by the organization into the recordkeeping system. CC ID 11725	Records management	Log Management
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723	Records management	Log Management
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720	Records management	Log Management
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717	Records management	Log Management
Provide a receipt of records logged into the recordkeeping system. CC ID 11697	Records management	Records Management
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712	Records management	Log Management
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726	Records management	Log Management
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715	Records management	Log Management
Plan for selling facilities, technology, or services. CC ID 06893	Acquisition or sale of facilities, technology, and services	Acquisition/Sale of Assets or Services
Refrain from providing products and services, as necessary. CC ID 15580 [{not require} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: require a controller to provide a good or service that requires the consumer's personal data that the controller does not collect or maintain; or Section 8 Subdivision 3(b) (1)]	Acquisition or sale of facilities, technology, and services	Acquisition/Sale of Assets or Services
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Data and Information Management
Establish and maintain privacy notices, as necessary. CC ID 13443	Privacy protection for information and data	Establish/Maintain Documentation
Include the purpose of the privacy notice in the privacy notice. CC ID 13526	Privacy protection for information and data	Establish/Maintain Documentation
Include the processing purpose in the privacy notice. CC ID 16543 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the purposes for which the categories of personal data are processed; Section 8 Subdivision 1(a) (2) If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Include contact information in the privacy notice. CC ID 14432 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller; Section 8 Subdivision 1(a) (6)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Privacy protection for information and data	Establish/Maintain Documentation
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of third parties, if any, with whom the controller sells or shares personal data; Section 8 Subdivision 1(a) (5)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: a description of the controller's retention policies for personal data; and Section 8 Subdivision 1(a) (7)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456	Privacy protection for information and data	Establish/Maintain Documentation
Include the personal data collection categories in the privacy notice. CC ID 13457 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data processed by the controller; Section 8 Subdivision 1(a) (1)]	Privacy protection for information and data	Establish/Maintain Documentation
Include disclosure exceptions in the privacy notice. CC ID 13447	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of personal data disclosed in the privacy notice. CC ID 13446 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data that the controller sells to or shares with third parties, if any; Section 8 Subdivision 1(a) (4)]	Privacy protection for information and data	Establish/Maintain Documentation
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Privacy protection for information and data	Establish/Maintain Documentation
Specify the time frame that notice will be given. CC ID 00385	Privacy protection for information and data	Establish/Maintain Documentation
Include the information about the appeal process in the privacy notice. CC ID 15312 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]	Privacy protection for information and data	Establish/Maintain Documentation
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 [{be specific} {state} A controller is not required to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all the information required by this section. Section 8 Subdivision 1(f)]	Privacy protection for information and data	Communicate
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: Section 8 Subdivision 1(a) {be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g) The controller must provide the privacy notice in a manner that is reasonably accessible to and usable by individuals with disabilities. Section 8 Subdivision 1(d)]	Privacy protection for information and data	Communicate
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Privacy protection for information and data	Establish/Maintain Documentation
Update privacy notices, as necessary. CC ID 13474	Privacy protection for information and data	Communicate
Redeliver privacy notices, as necessary. CC ID 14850	Privacy protection for information and data	Communicate
Deliver privacy notices to third parties, as necessary. CC ID 13473	Privacy protection for information and data	Communicate
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435	Privacy protection for information and data	Communicate
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466	Privacy protection for information and data	Establish/Maintain Documentation
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472	Privacy protection for information and data	Establish/Maintain Documentation
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471	Privacy protection for information and data	Establish/Maintain Documentation
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain opt-out notices. CC ID 13448	Privacy protection for information and data	Establish/Maintain Documentation
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Privacy protection for information and data	Establish/Maintain Documentation
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463	Privacy protection for information and data	Establish/Maintain Documentation
Explain the right to opt out in the opt-out notice. CC ID 13462	Privacy protection for information and data	Establish/Maintain Documentation
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Privacy protection for information and data	Establish/Maintain Documentation
Deliver opt-out notices, as necessary. CC ID 13449	Privacy protection for information and data	Communicate
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453	Privacy protection for information and data	Communicate
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376	Privacy protection for information and data	Communicate
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372	Privacy protection for information and data	Communicate
Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391	Privacy protection for information and data	Communicate
Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819	Privacy protection for information and data	Data and Information Management
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393	Privacy protection for information and data	Communicate
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Privacy protection for information and data	Communicate
Provide the data subject with a notice of participation procedures. CC ID 06241	Privacy protection for information and data	Establish/Maintain Documentation
Deliver notices to the intended parties. CC ID 06240	Privacy protection for information and data	Data and Information Management
Notify data subjects about their privacy rights. CC ID 12989	Privacy protection for information and data	Communicate
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352	Privacy protection for information and data	Communicate
Establish, implement, and maintain adequate openness procedures. CC ID 00377 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: reflect the requirements of this chapter in the design of the controller's systems; Section 10(a) (2)(i)]	Privacy protection for information and data	Data and Information Management
Provide public proof the organization participates in a privacy program. CC ID 12349	Privacy protection for information and data	Communicate
Publish a description of processing activities in an official register. CC ID 00379	Privacy protection for information and data	Establish/Maintain Documentation
Establish and maintain a records request manual. CC ID 00381	Privacy protection for information and data	Establish/Maintain Documentation
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Privacy protection for information and data	Establish/Maintain Documentation
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Privacy protection for information and data	Behavior
Define what is included in registration notices. CC ID 00386	Privacy protection for information and data	Establish/Maintain Documentation
Include roles and responsibilities in the registration notice. CC ID 16803	Privacy protection for information and data	Establish Roles
Include the verification method in the registration notice. CC ID 16798	Privacy protection for information and data	Establish/Maintain Documentation
Include the statutory authority in the registration notice. CC ID 16799	Privacy protection for information and data	Establish/Maintain Documentation
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Privacy protection for information and data	Establish/Maintain Documentation
Include a purpose specification description in the registration notice. CC ID 00388	Privacy protection for information and data	Establish/Maintain Documentation
Include information about the dispute resolution body in the registration notice. CC ID 16800	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject category being processed in the registration notice. CC ID 00389	Privacy protection for information and data	Establish/Maintain Documentation
Include the time period for data processing in the registration notice. CC ID 00390	Privacy protection for information and data	Establish/Maintain Documentation
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Privacy protection for information and data	Establish/Maintain Documentation
Provide legal authorities access to personal data, upon request. CC ID 06818	Privacy protection for information and data	Data and Information Management
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]	Privacy protection for information and data	Process or Activity
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g) {be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588	Privacy protection for information and data	Process or Activity
Document the countries where restricted data may be stored. CC ID 12750	Privacy protection for information and data	Data and Information Management
Protect the rights of students and their parents or legal representatives. CC ID 00222	Privacy protection for information and data	Data and Information Management
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Privacy protection for information and data	Technical Security
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Privacy protection for information and data	Records Management
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Privacy protection for information and data	Records Management
Define the criteria for waivers of data subjects' rights. CC ID 16858	Privacy protection for information and data	Behavior
Revoke waivers of data subject's rights, as necessary. CC ID 16859	Privacy protection for information and data	Behavior
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Privacy protection for information and data	Establish/Maintain Documentation
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Privacy protection for information and data	Establish/Maintain Documentation
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Privacy protection for information and data	Establish/Maintain Documentation
Disclose educational data, as necessary. CC ID 00223	Privacy protection for information and data	Data and Information Management
Grant access to education records in support of educational program audits. CC ID 13032	Privacy protection for information and data	Records Management
Grant access to education records in support of external requirements. CC ID 13033	Privacy protection for information and data	Records Management
Disclose statements added to education records, as necessary. CC ID 12990	Privacy protection for information and data	Communicate
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Privacy protection for information and data	Data and Information Management
Disclose education records when written consent is received. CC ID 00224	Privacy protection for information and data	Data and Information Management
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Privacy protection for information and data	Establish/Maintain Documentation
Specify the purpose of the disclosure in the written consent. CC ID 13001	Privacy protection for information and data	Establish/Maintain Documentation
Specify which education records may be disclosed in the written consent. CC ID 13000	Privacy protection for information and data	Establish/Maintain Documentation
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Privacy protection for information and data	Establish/Maintain Documentation
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Privacy protection for information and data	Communicate
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Privacy protection for information and data	Communicate
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Privacy protection for information and data	Communicate
Disclose educational data absent consent to other school officials. CC ID 00226	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Privacy protection for information and data	Communicate
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to a crime victim. CC ID 00236	Privacy protection for information and data	Data and Information Management
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from providing information to the data subject, as necessary. CC ID 12625	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Privacy protection for information and data	Communicate
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Privacy protection for information and data	Communicate
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g) A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the data retention period for personal data. CC ID 12587	Privacy protection for information and data	Process or Activity
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589	Privacy protection for information and data	Process or Activity
Provide the data subject with the adequacy decision. CC ID 12586	Privacy protection for information and data	Process or Activity
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585	Privacy protection for information and data	Process or Activity
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608	Privacy protection for information and data	Process or Activity
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]	Privacy protection for information and data	Data and Information Management
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [A controller may not require a consumer to create a new account in order to exercise a right, but a controller may require a consumer to use an existing account to exercise the consumer's rights under this section. Section 6 Subdivision 4(c)]	Privacy protection for information and data	Business Processes
Provide the data subject with the data protection officer's contact information. CC ID 12573	Privacy protection for information and data	Business Processes
Notify the data subject of the right to data portability. CC ID 12603	Privacy protection for information and data	Process or Activity
Provide the data subject with information about the right to erasure. CC ID 12602	Privacy protection for information and data	Process or Activity
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Privacy protection for information and data	Data and Information Management
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Privacy protection for information and data	Establish/Maintain Documentation
Establish and maintain a disclosure accounting record. CC ID 13022	Privacy protection for information and data	Establish/Maintain Documentation
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Privacy protection for information and data	Establish/Maintain Documentation
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Privacy protection for information and data	Establish/Maintain Documentation
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Privacy protection for information and data	Establish/Maintain Documentation
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Privacy protection for information and data	Establish/Maintain Documentation
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure date in the disclosure accounting record. CC ID 07133	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Privacy protection for information and data	Establish/Maintain Documentation
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Privacy protection for information and data	Establish/Maintain Documentation
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Privacy protection for information and data	Establish/Maintain Documentation
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Privacy protection for information and data	Establish/Maintain Documentation
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Privacy protection for information and data	Establish/Maintain Documentation
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Privacy protection for information and data	Establish/Maintain Documentation
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 [A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead. Section 6 Subdivision 1(h)]	Privacy protection for information and data	Data and Information Management
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Privacy protection for information and data	Communicate
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586	Privacy protection for information and data	Establish/Maintain Documentation
Provide shareholders access to electronic messages via electronic means. CC ID 11855	Privacy protection for information and data	Process or Activity
Make telephone directory information available to the public. CC ID 08698	Privacy protection for information and data	Establish/Maintain Documentation
Display warning screens and confirmation screens for all payment transactions. CC ID 06409	Privacy protection for information and data	Technical Security
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614	Privacy protection for information and data	Process or Activity
Establish, implement, and maintain a privacy policy. CC ID 06281	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject's rights in the privacy policy. CC ID 16355	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a privacy policy model document. CC ID 14720	Privacy protection for information and data	Establish/Maintain Documentation
Write privacy notices in the official languages required by law. CC ID 16529 [The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service. Section 8 Subdivision 1(c)]	Privacy protection for information and data	Establish/Maintain Documentation
Define what is included in the privacy policy. CC ID 00404	Privacy protection for information and data	Establish/Maintain Documentation
Define the information being collected in the privacy policy. CC ID 13115	Privacy protection for information and data	Establish/Maintain Documentation
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110	Privacy protection for information and data	Establish/Maintain Documentation
Include the means by which information is collected in the privacy policy. CC ID 13114	Privacy protection for information and data	Establish/Maintain Documentation
Include roles and responsibilities in the privacy policy. CC ID 14669	Privacy protection for information and data	Establish/Maintain Documentation
Include management commitment in the privacy policy. CC ID 14668	Privacy protection for information and data	Establish/Maintain Documentation
Include coordination amongst entities in the privacy policy. CC ID 14667	Privacy protection for information and data	Establish/Maintain Documentation
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854	Privacy protection for information and data	Establish/Maintain Documentation
Include compliance requirements in the privacy policy. CC ID 14666	Privacy protection for information and data	Establish/Maintain Documentation
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111	Privacy protection for information and data	Establish/Maintain Documentation
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366	Privacy protection for information and data	Establish/Maintain Documentation
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365	Privacy protection for information and data	Establish/Maintain Documentation
Include a complaint form in the privacy policy. CC ID 12364	Privacy protection for information and data	Establish/Maintain Documentation
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405	Privacy protection for information and data	Establish/Maintain Documentation
Include the processing purpose in the privacy policy. CC ID 00406	Privacy protection for information and data	Establish/Maintain Documentation
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject categories being processed in the privacy policy. CC ID 00407	Privacy protection for information and data	Establish/Maintain Documentation
Define the retention period for collected information in the privacy policy. CC ID 13116	Privacy protection for information and data	Establish/Maintain Documentation
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408	Privacy protection for information and data	Establish/Maintain Documentation
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409	Privacy protection for information and data	Establish/Maintain Documentation
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410	Privacy protection for information and data	Establish/Maintain Documentation
Include instructions on how to opt-out in the privacy policy. CC ID 00411	Privacy protection for information and data	Establish/Maintain Documentation
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]	Privacy protection for information and data	Establish/Maintain Documentation
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454	Privacy protection for information and data	Establish/Maintain Documentation
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452	Privacy protection for information and data	Establish/Maintain Documentation
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390	Privacy protection for information and data	Establish/Maintain Documentation
Post the privacy policy in an easily seen location. CC ID 00401 [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]	Privacy protection for information and data	Establish/Maintain Documentation
Define who will receive the privacy policy. CC ID 00402	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346	Privacy protection for information and data	Communicate
Establish, implement, and maintain privacy procedures. CC ID 14665	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664	Privacy protection for information and data	Communicate
Establish, implement, and maintain a privacy plan. CC ID 14672	Privacy protection for information and data	Establish/Maintain Documentation
Align the enterprise architecture with the privacy plan. CC ID 14705	Privacy protection for information and data	Process or Activity
Approve the privacy plan. CC ID 14700	Privacy protection for information and data	Business Processes
Include privacy requirements in the privacy plan. CC ID 14699	Privacy protection for information and data	Establish/Maintain Documentation
Include the information types in the privacy plan. CC ID 14695	Privacy protection for information and data	Establish/Maintain Documentation
Include threats in the privacy plan. CC ID 14694	Privacy protection for information and data	Establish/Maintain Documentation
Include roles and responsibilities in the privacy plan. CC ID 14702	Privacy protection for information and data	Establish/Maintain Documentation
Include a description of the operational context in the privacy plan. CC ID 14692	Privacy protection for information and data	Establish/Maintain Documentation
Include risk assessment results in the privacy plan. CC ID 14701	Privacy protection for information and data	Establish/Maintain Documentation
Include the security categorizations and rationale in the privacy plan. CC ID 14690	Privacy protection for information and data	Establish/Maintain Documentation
Include security controls in the privacy plan. CC ID 14681	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680	Privacy protection for information and data	Communicate
Include a description of the operational environment in the privacy plan. CC ID 14679	Privacy protection for information and data	Establish/Maintain Documentation
Include network diagrams in the privacy plan. CC ID 14678	Privacy protection for information and data	Establish/Maintain Documentation
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677	Privacy protection for information and data	Establish/Maintain Documentation
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 [Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e) Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]	Privacy protection for information and data	Behavior
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a privacy report. CC ID 14754	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761	Privacy protection for information and data	Communicate
Protect private communications in keeping with compliance requirements. CC ID 14334 [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]	Privacy protection for information and data	Business Processes
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data request procedures. CC ID 16546 [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b) A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: Section 8 Subdivision 3(b)]	Privacy protection for information and data	Human Resources Management
Refrain from charging a fee to implement an opt-out request. CC ID 13877	Privacy protection for information and data	Business Processes
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433	Privacy protection for information and data	Establish/Maintain Documentation
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438	Privacy protection for information and data	Establish/Maintain Documentation
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999	Privacy protection for information and data	Establish/Maintain Documentation
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440	Privacy protection for information and data	Establish/Maintain Documentation
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439	Privacy protection for information and data	Establish/Maintain Documentation
Include the identity of the data subject in the disclosure authorization form. CC ID 13436	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442	Privacy protection for information and data	Establish/Maintain Documentation
Include how personal data will be used in the disclosure authorization form. CC ID 13441	Privacy protection for information and data	Establish/Maintain Documentation
Include agreement termination information in the disclosure authorization form. CC ID 13437	Privacy protection for information and data	Establish/Maintain Documentation
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{not prohibit} {be different} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. Section 8 Subdivision 3(b) (2)]	Privacy protection for information and data	Business Processes
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Privacy protection for information and data	Business Processes
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. Section 6 Subdivision 1(f) A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: Section 6 Subdivision 3(a) If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b) {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]	Privacy protection for information and data	Data and Information Management
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Privacy protection for information and data	Business Processes
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Privacy protection for information and data	Business Processes
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [{refrain from disadvantaging} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not unfairly disadvantage another controller; Section 6 Subdivision 3(a) (1) {refrain from using} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data; Section 6 Subdivision 3(a) (2) {be easy to use} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be consumer-friendly and easy to use by the average consumer; Section 6 Subdivision 3(a) (3) {be consistent} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and Section 6 Subdivision 3(a) (4) A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising. For purposes of this paragraph, the use of an Internet protocol address to estimate the consumer's location is sufficient to determine the consumer's residence. Section 6 Subdivision 3(a) (5) {opt-out mechanism} The platform, technology, or mechanism required under paragraph (a) is subject to the requirements of subdivision 4. Section 6 Subdivision 3(c) Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880	Privacy protection for information and data	Technical Security
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d) {loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b) {opt out} A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: opting the consumer out of the processing of personal data for any purpose except for the purposes exempted pursuant to the provisions of this chapter. Section 6 Subdivision 4(k) (2) {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]	Privacy protection for information and data	Business Processes
Confirm the individual's identity before granting an opt-out request. CC ID 16813	Privacy protection for information and data	Process or Activity
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988	Privacy protection for information and data	Establish/Maintain Documentation
Allow consent requests to be provided in any official languages. CC ID 16530	Privacy protection for information and data	Business Processes
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Privacy protection for information and data	Communicate
Collect and retain disclosure authorizations for each data subject. CC ID 13434	Privacy protection for information and data	Records Management
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605	Privacy protection for information and data	Data and Information Management
Refrain from obtaining consent through deception. CC ID 13556	Privacy protection for information and data	Data and Information Management
Give individuals the ability to change the uses of their personal data. CC ID 00469 [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]	Privacy protection for information and data	Data and Information Management
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Establish/Maintain Documentation
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848	Privacy protection for information and data	Human Resources Management
Require data controllers to be accountable for their actions. CC ID 00470	Privacy protection for information and data	Establish Roles
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610	Privacy protection for information and data	Human Resources Management
Notify the supervisory authority. CC ID 00472	Privacy protection for information and data	Behavior
Establish, implement, and maintain approval applications. CC ID 16778	Privacy protection for information and data	Establish/Maintain Documentation
Define the requirements for approving or denying approval applications. CC ID 16780	Privacy protection for information and data	Business Processes
Submit approval applications to the supervisory authority. CC ID 16627	Privacy protection for information and data	Communicate
Include required information in the approval application. CC ID 16628	Privacy protection for information and data	Establish/Maintain Documentation
Extend the time limit for approving or denying approval applications. CC ID 16779	Privacy protection for information and data	Business Processes
Approve the approval application unless applicant has been convicted. CC ID 16603	Privacy protection for information and data	Process or Activity
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]	Privacy protection for information and data	Process or Activity
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Privacy protection for information and data	Communicate
Respond to questions about submissions in a timely manner. CC ID 16930	Privacy protection for information and data	Communicate
Cooperate with Data Protection Authorities. CC ID 06870 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]	Privacy protection for information and data	Data and Information Management
Submit a safe harbor self-certification letter. CC ID 06871	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647	Privacy protection for information and data	Human Resources Management
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584	Privacy protection for information and data	Establish/Maintain Documentation
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682	Privacy protection for information and data	Establish/Maintain Documentation
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612	Privacy protection for information and data	Establish/Maintain Documentation
Include data subject's rights in the Binding Corporate Rules. CC ID 12596	Privacy protection for information and data	Establish/Maintain Documentation
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597	Privacy protection for information and data	Establish/Maintain Documentation
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595	Privacy protection for information and data	Establish/Maintain Documentation
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594	Privacy protection for information and data	Establish/Maintain Documentation
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620	Privacy protection for information and data	Establish/Maintain Documentation
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593	Privacy protection for information and data	Establish/Maintain Documentation
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591	Privacy protection for information and data	Establish/Maintain Documentation
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592	Privacy protection for information and data	Establish/Maintain Documentation
Include complaint procedures in the Binding Corporate Rules. CC ID 12613	Privacy protection for information and data	Establish/Maintain Documentation
Include the data transfers in the Binding Corporate Rules. CC ID 12590	Privacy protection for information and data	Establish/Maintain Documentation
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662	Privacy protection for information and data	Establish/Maintain Documentation
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601	Privacy protection for information and data	Establish/Maintain Documentation
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600	Privacy protection for information and data	Establish/Maintain Documentation
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599	Privacy protection for information and data	Establish/Maintain Documentation
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598	Privacy protection for information and data	Establish/Maintain Documentation
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627	Privacy protection for information and data	Establish/Maintain Documentation
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626	Privacy protection for information and data	Establish/Maintain Documentation
Notify the data controller of any changes in data processors. CC ID 12648	Privacy protection for information and data	Communicate
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812	Privacy protection for information and data	Establish/Maintain Documentation
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and Section 5(c) (1)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Privacy protection for information and data	Establish/Maintain Documentation
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]	Privacy protection for information and data	Establish/Maintain Documentation
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this chapter; and Section 5(e) (2) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c) {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e) Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this chapter is contrary to public policy and is void and unenforceable. Section 8 Subdivision 4 ¶ 1 The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: assist another controller, processor, or third party with any of the obligations under this paragraph; Section 11(a) (8)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: engage a subcontractor only (i) after providing the controller with an opportunity to object, and (ii) pursuant to a written contract in accordance with paragraph (e) that requires the subcontractor to meet the obligations of the processor with respect to the personal data. Section 5(c) (2)]	Privacy protection for information and data	Human Resources Management
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; Section 5(e) (1) {no longer necessary} A controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09. Section 8 Subdivision 2(g)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Privacy protection for information and data	Establish/Maintain Documentation
Display or print the least amount of personal data necessary. CC ID 04643	Privacy protection for information and data	Data and Information Management
Redact confidential information from public information, as necessary. CC ID 06872	Privacy protection for information and data	Data and Information Management
Notify the data subject of the collection purpose. CC ID 00095	Privacy protection for information and data	Behavior
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Privacy protection for information and data	Data and Information Management
Document the law that requires restricted data to be collected. CC ID 00103	Privacy protection for information and data	Establish/Maintain Documentation
Notify the data subject of the consequences for not providing personal data. CC ID 00104	Privacy protection for information and data	Behavior
Notify the data subject of changes to personal data use. CC ID 00105	Privacy protection for information and data	Behavior
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not be necessary} Except as provided in this chapter, a controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which the personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent. Section 8 Subdivision 2(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; Section 11(a) (6)]	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Privacy protection for information and data	Establish/Maintain Documentation
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Privacy protection for information and data	Behavior
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Privacy protection for information and data	Establish/Maintain Documentation
Dispose of media and restricted data in a timely manner. CC ID 00125	Privacy protection for information and data	Data and Information Management
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Records Management
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Communicate
Establish, implement, and maintain data access procedures. CC ID 00414 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]	Privacy protection for information and data	Establish/Maintain Documentation
Allow data subjects to submit data requests. CC ID 16545 [A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise. Section 6 Subdivision 2(a)]	Privacy protection for information and data	Process or Activity
Provide individuals with information about where their personal data was processed. CC ID 00415	Privacy protection for information and data	Data and Information Management
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]	Privacy protection for information and data	Data and Information Management
Provide individuals with information about disclosure of their personal data. CC ID 00417	Privacy protection for information and data	Data and Information Management
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Privacy protection for information and data	Data and Information Management
Provide assistance to requesters in preparing data access requests. CC ID 13588	Privacy protection for information and data	Data and Information Management
Require data access requests to be in writing, unless the requester is unable. CC ID 00420	Privacy protection for information and data	Establish/Maintain Documentation
Define what is to be included in a data access request. CC ID 08699	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394	Privacy protection for information and data	Business Processes
Respond to data access requests in a timely manner. CC ID 00421 [Except as provided in this chapter, a controller must comply with a request to exercise the consumer rights provided in this subdivision. Section 6 Subdivision 1(a) Except as provided in this chapter, a controller must comply with a request to exercise the rights pursuant to subdivision 1. Section 6 Subdivision 4(a) A controller must comply with a request to exercise the right in subdivision 1, paragraph (f), as soon as feasibly possible, but no later than 45 days of receipt of the request. Section 6 Subdivision 4(d) A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)]	Privacy protection for information and data	Behavior
Respond to data access requests in an official language. CC ID 17176	Privacy protection for information and data	Communicate
Delay responding to data access requests, as necessary. CC ID 15504 [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Data and Information Management
Expedite the processing of data access requests, as necessary. CC ID 15496	Privacy protection for information and data	Data and Information Management
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502	Privacy protection for information and data	Business Processes
Define what is included in a request for a waiver or reduction of fees. CC ID 15522	Privacy protection for information and data	Process or Activity
Deliver the records described in the personal data access request, as necessary. CC ID 08701	Privacy protection for information and data	Establish/Maintain Documentation
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503	Privacy protection for information and data	Data and Information Management
Document the outcome of the personal data access request review procedure. CC ID 00455	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811	Privacy protection for information and data	Establish/Maintain Documentation
Submit personal data removal requests in writing. CC ID 11973	Privacy protection for information and data	Records Management
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Privacy protection for information and data	Establish/Maintain Documentation
Notify third parties of data access requests that relates to the third party. CC ID 08703	Privacy protection for information and data	Establish/Maintain Documentation
Allow affected third parties to consent or object to a data access request. CC ID 08704	Privacy protection for information and data	Process or Activity
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Privacy protection for information and data	Establish/Maintain Documentation
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299	Privacy protection for information and data	Data and Information Management
Disclose de-identified data, as necessary. CC ID 13034	Privacy protection for information and data	Communicate
Notify the data subject after personal data is used or disclosed. CC ID 06247 [Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Behavior
Refrain from processing restricted data, as necessary. CC ID 12551	Privacy protection for information and data	Records Management
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668	Privacy protection for information and data	Process or Activity
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326	Privacy protection for information and data	Business Processes
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644	Privacy protection for information and data	Process or Activity
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [A controller shall not process personal data on the basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Section 8 Subdivision 3(a)]	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Privacy protection for information and data	Business Processes
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Privacy protection for information and data	Business Processes
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Privacy protection for information and data	Business Processes
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Privacy protection for information and data	Business Processes
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Privacy protection for information and data	Process or Activity
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375	Privacy protection for information and data	Establish/Maintain Documentation
Include the data protection officer's contact information in the record of processing activities. CC ID 12640	Privacy protection for information and data	Records Management
Include the data processor's contact information in the record of processing activities. CC ID 12657	Privacy protection for information and data	Records Management
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658	Privacy protection for information and data	Records Management
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641	Privacy protection for information and data	Records Management
Include a description of the data subject categories in the record of processing activities. CC ID 12659	Privacy protection for information and data	Records Management
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663	Privacy protection for information and data	Records Management
Include the personal data processing categories in the record of processing activities. CC ID 12661	Privacy protection for information and data	Records Management
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690	Privacy protection for information and data	Records Management
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664	Privacy protection for information and data	Records Management
Include a description of the personal data categories in the record of processing activities. CC ID 12660	Privacy protection for information and data	Records Management
Include the joint data controller's contact information in the record of processing activities. CC ID 12639	Privacy protection for information and data	Records Management
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638	Privacy protection for information and data	Records Management
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643	Privacy protection for information and data	Records Management
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642	Privacy protection for information and data	Records Management
Include the data controller's contact information in the record of processing activities. CC ID 12637	Privacy protection for information and data	Records Management
Process restricted data lawfully and carefully. CC ID 00086 [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]	Privacy protection for information and data	Establish Roles
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Privacy protection for information and data	Technical Security
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Data and Information Management
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Privacy protection for information and data	Records Management
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Privacy protection for information and data	Data and Information Management
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Privacy protection for information and data	Records Management
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Privacy protection for information and data	Process or Activity
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Privacy protection for information and data	Records Management
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Privacy protection for information and data	Data and Information Management
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Privacy protection for information and data	Establish/Maintain Documentation
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Privacy protection for information and data	Data and Information Management
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Privacy protection for information and data	Establish/Maintain Documentation
Define and implement valid authorization control requirements. CC ID 06258	Privacy protection for information and data	Establish/Maintain Documentation
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Privacy protection for information and data	Data and Information Management
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Privacy protection for information and data	Data and Information Management
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Privacy protection for information and data	Data and Information Management
Process personal data after the data subject has granted explicit consent. CC ID 00180	Privacy protection for information and data	Data and Information Management
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Privacy protection for information and data	Data and Information Management
Process personal data relating to criminal offenses when required by law. CC ID 00237	Privacy protection for information and data	Data and Information Management
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Privacy protection for information and data	Data and Information Management
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Privacy protection for information and data	Data and Information Management
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Privacy protection for information and data	Data and Information Management
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and Section 11(a) (10)(i) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: under the responsibility of a professional individual who is subject to confidentiality obligations under federal, state, or local law. Section 11(a) (10)(ii) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1) {not adversely affect} Obligations imposed on controllers and processors under this chapter shall not: adversely affect the rights or freedoms of any persons, including exercising the right of free speech pursuant to the First Amendment of the United States Constitution; or Section 11(e) (1)]	Privacy protection for information and data	Data and Information Management
Process traffic data in a controlled manner. CC ID 00130	Privacy protection for information and data	Data and Information Management
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Privacy protection for information and data	Data and Information Management
Process personal data when it is publicly accessible. CC ID 00187	Privacy protection for information and data	Data and Information Management
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [{refrain from selling} {absent consent} {minor} A controller may not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16. Section 8 Subdivision 2(f)]	Privacy protection for information and data	Business Processes
Process personal data for the purposes of employment. CC ID 16527	Privacy protection for information and data	Data and Information Management
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189	Privacy protection for information and data	Data and Information Management
Process personal data for debt collection or benefit payments. CC ID 00190	Privacy protection for information and data	Data and Information Management
Process personal data in order to advance the public interest. CC ID 00191	Privacy protection for information and data	Data and Information Management
Process personal data for surveys, archives, or scientific research. CC ID 00192 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Privacy protection for information and data	Data and Information Management
Process personal data for academic purposes or religious purposes. CC ID 00194	Privacy protection for information and data	Data and Information Management
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Privacy protection for information and data	Data and Information Management
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Privacy protection for information and data	Data and Information Management
Follow legal obligations while processing personal data. CC ID 04794	Privacy protection for information and data	Data and Information Management
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Privacy protection for information and data	Data and Information Management
Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537	Privacy protection for information and data	Data and Information Management
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012	Privacy protection for information and data	Process or Activity
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Privacy protection for information and data	Data and Information Management
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587	Privacy protection for information and data	Data and Information Management
Process personal data absent consent in order to perform a contract. CC ID 13586	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814	Privacy protection for information and data	Data and Information Management
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is needed by law. CC ID 13577	Privacy protection for information and data	Data and Information Management
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is from publicly available information. CC ID 13576	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to create a credit report. CC ID 15288	Privacy protection for information and data	Data and Information Management
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when produced for business purposes. CC ID 13563	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for handling insurance claims. CC ID 13561	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533	Privacy protection for information and data	Data and Information Management
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for life-threatening emergencies. CC ID 13558	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for reasonable investigative purposes. CC ID 13557	Privacy protection for information and data	Data and Information Management
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]	Privacy protection for information and data	Behavior
Define security breach notification requirement exceptions. CC ID 04797	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]	Privacy protection for information and data	Records Management
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157	Privacy protection for information and data	Data and Information Management
Define what restricted data is not required to be disclosed absent consent. CC ID 00134	Privacy protection for information and data	Establish/Maintain Documentation
Define the exceptions to disclosure absent consent. CC ID 00135	Privacy protection for information and data	Establish/Maintain Documentation
Define opt-out exceptions for disclosing restricted data. CC ID 00159 [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Privacy protection for information and data	Establish/Maintain Documentation
Define how a data subject may give consent. CC ID 00160	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267	Privacy protection for information and data	Communicate
Disclose restricted data absent consent when the law does not require consent. CC ID 00136	Privacy protection for information and data	Data and Information Management
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270	Privacy protection for information and data	Data and Information Management
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent to create a credit report. CC ID 15297	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for handling insurance claims. CC ID 13585	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to perform a contract. CC ID 00139	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144	Privacy protection for information and data	Data and Information Management
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145	Privacy protection for information and data	Data and Information Management
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146	Privacy protection for information and data	Data and Information Management
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent for public economic interests. CC ID 00148	Privacy protection for information and data	Data and Information Management
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152	Privacy protection for information and data	Data and Information Management
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is needed by law. CC ID 00163	Privacy protection for information and data	Data and Information Management
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469	Privacy protection for information and data	Communicate
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2) {no longer necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09; and Section 10(a) (2)(v) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Privacy protection for information and data	Establish/Maintain Documentation
Capture personal data removal requests. CC ID 13507 [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)]	Privacy protection for information and data	Communicate
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A consumer has the right to delete personal data concerning the consumer. Section 6 Subdivision 1(d)]	Privacy protection for information and data	Records Management
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Privacy protection for information and data	Process or Activity
Dispose of personal data removal requests, as necessary. CC ID 13512	Privacy protection for information and data	Business Processes
Refrain from selling restricted data, as necessary. CC ID 17165 [{absent consent} A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent. Section 9(a)]	Privacy protection for information and data	Data and Information Management
Limit the redisclosure and reuse of restricted data. CC ID 00168	Privacy protection for information and data	Data and Information Management
Refrain from redisclosing or reusing restricted data. CC ID 00169	Privacy protection for information and data	Data and Information Management
Document the redisclosing restricted data exceptions. CC ID 00170	Privacy protection for information and data	Establish/Maintain Documentation
Redisclose restricted data when the data subject consents. CC ID 00171	Privacy protection for information and data	Data and Information Management
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172	Privacy protection for information and data	Data and Information Management
Redisclose restricted data in order to protect public revenue. CC ID 00173	Privacy protection for information and data	Data and Information Management
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174	Privacy protection for information and data	Data and Information Management
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175	Privacy protection for information and data	Data and Information Management
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176	Privacy protection for information and data	Data and Information Management
Redisclose restricted data in order to preserve human life at sea. CC ID 00177	Privacy protection for information and data	Data and Information Management
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]	Privacy protection for information and data	Data and Information Management
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Privacy protection for information and data	Data and Information Management
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Privacy protection for information and data	Data and Information Management
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Privacy protection for information and data	Data and Information Management
Process Personal Identification Numbers with consent. CC ID 00239	Privacy protection for information and data	Data and Information Management
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Privacy protection for information and data	Behavior
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Privacy protection for information and data	Data and Information Management
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Privacy protection for information and data	Data and Information Management
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Privacy protection for information and data	Data and Information Management
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Privacy protection for information and data	Data and Information Management
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Privacy protection for information and data	Establish/Maintain Documentation
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Privacy protection for information and data	Data and Information Management
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Privacy protection for information and data	Data and Information Management
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Privacy protection for information and data	Data and Information Management
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Privacy protection for information and data	Data and Information Management
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901	Privacy protection for information and data	Communicate
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298	Privacy protection for information and data	Data and Information Management
Review personal data disclosure requests. CC ID 07129	Privacy protection for information and data	Data and Information Management
Notify the data subject of the disclosure purpose. CC ID 15268	Privacy protection for information and data	Communicate
Establish, implement, and maintain data request denial procedures. CC ID 00434 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and Section 7(a) (3)(ii) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. Section 7(a) (3)(iii) If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f) A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Privacy protection for information and data	Establish/Maintain Documentation
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]	Privacy protection for information and data	Data and Information Management
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Privacy protection for information and data	Data and Information Management
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Data and Information Management
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [In response to a consumer request under subdivision 1, a controller is not required to reveal any trade secret. Section 6 Subdivision 4(j)]	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Process or Activity
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Data and Information Management
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Data and Information Management
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Privacy protection for information and data	Data and Information Management
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Privacy protection for information and data	Data and Information Management
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Data and Information Management
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Privacy protection for information and data	Data and Information Management
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g) If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]	Privacy protection for information and data	Data and Information Management
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Communicate
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Data and Information Management
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Process or Activity
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]	Privacy protection for information and data	Data and Information Management
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Privacy protection for information and data	Data and Information Management
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Privacy protection for information and data	Communicate
Provide data or records in a reasonable time frame. CC ID 00429	Privacy protection for information and data	Data and Information Management
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Communicate
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Privacy protection for information and data	Data and Information Management
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Privacy protection for information and data	Data and Information Management
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Privacy protection for information and data	Data and Information Management
Provide data at a cost that is not excessive. CC ID 00430 [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g) {be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]	Privacy protection for information and data	Data and Information Management
Provide records or data in a reasonable manner. CC ID 00431 [A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Section 6 Subdivision 1(e)]	Privacy protection for information and data	Data and Information Management
Provide personal data in a form that is intelligible. CC ID 00432	Privacy protection for information and data	Data and Information Management
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Privacy protection for information and data	Data and Information Management
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Privacy protection for information and data	Data and Information Management
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Privacy protection for information and data	Data and Information Management
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Privacy protection for information and data	Establish/Maintain Documentation
Include cookie management in the privacy framework. CC ID 13809	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain cookie management procedures. CC ID 13810	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953	Privacy protection for information and data	Data and Information Management
Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data collection program. CC ID 06487	Privacy protection for information and data	Establish/Maintain Documentation
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279	Privacy protection for information and data	Data and Information Management
Refrain from collecting personal data, as necessary. CC ID 15269 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [{be relevant} {be necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed; Section 10(a) (2)(iv)]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use policy. CC ID 00076	Privacy protection for information and data	Establish/Maintain Documentation
Use personal data for specified purposes. CC ID 11831 [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1) {be necessary} {be reasonable} {be proportionate} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: necessary, reasonable, and proportionate to the purposes listed in this section; Section 11(f) (1) {be adequate} {be relevant} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in this section; and Section 11(f) (2) {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]	Privacy protection for information and data	Data and Information Management
Post the collection purpose. CC ID 00101	Privacy protection for information and data	Establish/Maintain Documentation
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012	Privacy protection for information and data	Data and Information Management
Document each individual's personal data collection consent preferences. CC ID 06945	Privacy protection for information and data	Establish/Maintain Documentation
Provide explicit consent that is clear and unambiguous. CC ID 00181	Privacy protection for information and data	Data and Information Management
Allow individuals to change their personal data collection consent preferences. CC ID 06946	Privacy protection for information and data	Data and Information Management
Adhere to each individual's personal data collection consent preferences. CC ID 06947	Privacy protection for information and data	Data and Information Management
Notify the data subject of the source of collected personal data. CC ID 00083	Privacy protection for information and data	Behavior
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717	Privacy protection for information and data	Data and Information Management
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718	Privacy protection for information and data	Data and Information Management
Establish and maintain a personal data definition. CC ID 00028	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's name in the personal data definition. CC ID 04710	Privacy protection for information and data	Data and Information Management
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709	Privacy protection for information and data	Data and Information Management
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686	Privacy protection for information and data	Data and Information Management
Include an individual's signature in the personal data definition. CC ID 04711	Privacy protection for information and data	Data and Information Management
Include an individual's date of birth in the personal data definition. CC ID 04770	Privacy protection for information and data	Data and Information Management
Include the number of children in the personal data definition. CC ID 13759	Privacy protection for information and data	Establish/Maintain Documentation
Include the individual's religion in the personal data definition. CC ID 13765	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712	Privacy protection for information and data	Data and Information Management
Include an individual's biometric data in the personal data definition. CC ID 04698	Privacy protection for information and data	Data and Information Management
Include an individual's photographic image in the personal data definition. CC ID 04779	Privacy protection for information and data	Data and Information Management
Include an individual's fingerprints in the personal data definition. CC ID 04689	Privacy protection for information and data	Data and Information Management
Include an individual's address in the personal data definition. CC ID 04687	Privacy protection for information and data	Data and Information Management
Include an individual's telephone number in the personal data definition. CC ID 04688	Privacy protection for information and data	Data and Information Management
Include an individual's fax number in the personal data definition. CC ID 07120	Privacy protection for information and data	Data and Information Management
Include an individual's political party affiliation in the personal data definition. CC ID 13764	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's license plate number in the personal data definition. CC ID 13763	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's financial account number in the personal data definition. CC ID 04692	Privacy protection for information and data	Data and Information Management
Include an individual's account balances in the personal data definition. CC ID 13770	Privacy protection for information and data	Establish/Maintain Documentation
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768	Privacy protection for information and data	Data and Information Management
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694	Privacy protection for information and data	Data and Information Management
Include an individual's logon credentials in the personal data definition. CC ID 13771	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743	Privacy protection for information and data	Data and Information Management
Include an individual's passport number in the personal data definition. CC ID 04713	Privacy protection for information and data	Data and Information Management
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691	Privacy protection for information and data	Data and Information Management
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690	Privacy protection for information and data	Data and Information Management
Include an individual's military identification number in the personal data definition. CC ID 13083	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's e-mail address in the personal data definition. CC ID 04696	Privacy protection for information and data	Data and Information Management
Include electronic signatures in the personal data definition. CC ID 04697	Privacy protection for information and data	Data and Information Management
Include an individual's payment card information in the personal data definition. CC ID 04751	Privacy protection for information and data	Data and Information Management
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693	Privacy protection for information and data	Data and Information Management
Include an individual's payment card service code in the personal data definition. CC ID 04753	Privacy protection for information and data	Data and Information Management
Include an individual's payment card expiration date in the personal data definition. CC ID 04755	Privacy protection for information and data	Data and Information Management
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825	Privacy protection for information and data	Data and Information Management
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700	Privacy protection for information and data	Data and Information Management
Include an individual's medical history in the personal data definition. CC ID 04701	Privacy protection for information and data	Data and Information Management
Include an individual's medical treatment in the personal data definition. CC ID 04702	Privacy protection for information and data	Data and Information Management
Include an individual's medical diagnosis in the personal data definition. CC ID 04703	Privacy protection for information and data	Data and Information Management
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704	Privacy protection for information and data	Data and Information Management
Include an individual's medical record numbers in the personal data definition. CC ID 07121	Privacy protection for information and data	Data and Information Management
Include an individual's health insurance information in the personal data definition. CC ID 04705	Privacy protection for information and data	Data and Information Management
Include an individual's health insurance policy number in the personal data definition. CC ID 04706	Privacy protection for information and data	Data and Information Management
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707	Privacy protection for information and data	Data and Information Management
Include an individual's education information in the personal data definition. CC ID 04714	Privacy protection for information and data	Data and Information Management
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122	Privacy protection for information and data	Data and Information Management
Include an individual's employment information in the personal data definition. CC ID 04715	Privacy protection for information and data	Data and Information Management
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767	Privacy protection for information and data	Data and Information Management
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763	Privacy protection for information and data	Data and Information Management
Include an individual's employment history in the personal data definition. CC ID 04716	Privacy protection for information and data	Data and Information Management
Include an individual's place of employment in the personal data definition. CC ID 04765	Privacy protection for information and data	Data and Information Management
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766	Privacy protection for information and data	Data and Information Management
Include an individual's property information in the personal data definition. CC ID 04780	Privacy protection for information and data	Data and Information Management
Include an individual's property title in the personal data definition. CC ID 04781	Privacy protection for information and data	Data and Information Management
Include an individual's vehicle registration in the personal data definition. CC ID 04782	Privacy protection for information and data	Data and Information Management
Include hardware asset identification information in the personal data definition. CC ID 07123	Privacy protection for information and data	Data and Information Management
Include MAC addresses in the personal data definition. CC ID 04778	Privacy protection for information and data	Data and Information Management
Include Internet Protocol addresses in the personal data definition. CC ID 04777	Privacy protection for information and data	Data and Information Management
Include asset serial numbers in the personal data definition. CC ID 07124	Privacy protection for information and data	Data and Information Management
Include Uniform Resource Locators in the personal data definition. CC ID 07125	Privacy protection for information and data	Data and Information Management
Refrain from including publicly available information in the personal data definition. CC ID 13084	Privacy protection for information and data	Establish/Maintain Documentation
Define specially restricted data. CC ID 00037	Privacy protection for information and data	Data and Information Management
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079	Privacy protection for information and data	Data and Information Management
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075	Privacy protection for information and data	Data and Information Management
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080	Privacy protection for information and data	Data and Information Management
Implement a nondiscrimination principle. CC ID 00081	Privacy protection for information and data	Data and Information Management
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799	Privacy protection for information and data	Data and Information Management
Preserve each individual's right to human dignity. CC ID 00082	Privacy protection for information and data	Data and Information Management
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058	Privacy protection for information and data	Data and Information Management
Employ a random number generator to create authenticators. CC ID 13782	Privacy protection for information and data	Technical Security
Collect Personal Identification Numbers with the individual's consent. CC ID 00059	Privacy protection for information and data	Data and Information Management
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061	Privacy protection for information and data	Data and Information Management
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065	Privacy protection for information and data	Data and Information Management
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792	Privacy protection for information and data	Data and Information Management
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069	Privacy protection for information and data	Behavior
Manage health data collection. CC ID 00050	Privacy protection for information and data	Data and Information Management
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052	Privacy protection for information and data	Data and Information Management
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053	Privacy protection for information and data	Data and Information Management
Collect Individually Identifiable Health Information for research. CC ID 00054	Privacy protection for information and data	Data and Information Management
Remove personal data before disclosing health data. CC ID 00055	Privacy protection for information and data	Data and Information Management
Give special attention to collecting children's data. CC ID 00038	Privacy protection for information and data	Data and Information Management
Use simple understandable language to collect information from children. CC ID 00039	Privacy protection for information and data	Behavior
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Privacy protection for information and data	Establish/Maintain Documentation
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Privacy protection for information and data	Establish/Maintain Documentation
Collect personal data directly from the data subject. CC ID 00011	Privacy protection for information and data	Data and Information Management
Create and manage user account aliases to maintain pseudonymity. CC ID 04549	Privacy protection for information and data	Data and Information Management
Provide unlinkability for users and resources. CC ID 04550	Privacy protection for information and data	Data and Information Management
Provide unobservability of users and resources. CC ID 04551	Privacy protection for information and data	Technical Security
Collect restricted data in a fair and lawful manner. CC ID 00010	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent in order to make a disclosure. CC ID 13550	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent for handling insurance claims. CC ID 13543	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277	Privacy protection for information and data	Data and Information Management
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent from publicly available information. CC ID 00019	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent when needed by law. CC ID 00020	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent to create a credit report. CC ID 15287	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022	Privacy protection for information and data	Data and Information Management
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]	Privacy protection for information and data	Data and Information Management
Collect restricted data in a proper information framework. CC ID 00009	Privacy protection for information and data	Data and Information Management
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]	Privacy protection for information and data	Data and Information Management
Collect restricted data when required by law. CC ID 00031	Privacy protection for information and data	Data and Information Management
Collect restricted data to prevent life-threatening emergencies. CC ID 00032	Privacy protection for information and data	Data and Information Management
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034	Privacy protection for information and data	Data and Information Management
Collect restricted data for legal purposes. CC ID 00036	Privacy protection for information and data	Data and Information Management
Validate the business need for maintaining collected restricted data. CC ID 17090	Privacy protection for information and data	Data and Information Management
Provide the data subject with information about the data controller during the collection process. CC ID 00023	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760	Privacy protection for information and data	Communicate
Provide the data subject with the data collector's name and contact information. CC ID 00024	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Privacy protection for information and data	Establish/Maintain Documentation
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Privacy protection for information and data	Data and Information Management
Protect electronic messaging information. CC ID 12022	Privacy protection for information and data	Technical Security
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Privacy protection for information and data	Data and Information Management
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Privacy protection for information and data	Configuration
Store payment card data in secure chips, if possible. CC ID 13065	Privacy protection for information and data	Configuration
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Privacy protection for information and data	Configuration
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Privacy protection for information and data	Technical Security
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Privacy protection for information and data	Data and Information Management
Log the disclosure of personal data. CC ID 06628	Privacy protection for information and data	Log Management
Log the modification of personal data. CC ID 11844	Privacy protection for information and data	Log Management
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Privacy protection for information and data	Technical Security
Implement security measures to protect personal data. CC ID 13606 [{technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]	Privacy protection for information and data	Technical Security
Implement physical controls to protect personal data. CC ID 00355	Privacy protection for information and data	Testing
Limit data leakage. CC ID 00356	Privacy protection for information and data	Data and Information Management
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Privacy protection for information and data	Monitor and Evaluate Occurrences
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Privacy protection for information and data	Business Processes
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Privacy protection for information and data	Acquisition/Sale of Assets or Services
Alert appropriate personnel when data leakage is detected. CC ID 14715	Privacy protection for information and data	Process or Activity
Include text about data ownership in the data handling policy. CC ID 15720	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain call metadata controls. CC ID 04790	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: reidentify deidentified data; Section 7(a) (1) A processor or third party must not attempt to identify the subjects of deidentified or pseudonymous data without the express authority of the controller that caused the data to be deidentified or pseudonymized. Section 7(d) A controller, processor, or third party must not attempt to identify the subjects of data that has been collected with only pseudonymous identifiers. Section 7(e) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]	Privacy protection for information and data	Data and Information Management
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127	Privacy protection for information and data	Data and Information Management
Store de-identifying code and re-identifying code separately. CC ID 16535 [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]	Privacy protection for information and data	Data and Information Management
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128	Privacy protection for information and data	Data and Information Management
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465	Privacy protection for information and data	Communicate
Establish, implement, and maintain data handling procedures. CC ID 11756	Privacy protection for information and data	Establish/Maintain Documentation
Define personal data that falls under breach notification rules. CC ID 00800	Privacy protection for information and data	Establish/Maintain Documentation
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663	Privacy protection for information and data	Data and Information Management
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773	Privacy protection for information and data	Data and Information Management
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788	Privacy protection for information and data	Data and Information Management
Define an out of scope privacy breach. CC ID 04677	Privacy protection for information and data	Establish/Maintain Documentation
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678	Privacy protection for information and data	Business Processes
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679	Privacy protection for information and data	Monitor and Evaluate Occurrences
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761	Privacy protection for information and data	Monitor and Evaluate Occurrences
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762	Privacy protection for information and data	Monitor and Evaluate Occurrences
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466	Privacy protection for information and data	Communicate
Establish, implement, and maintain a personal data transfer program. CC ID 00307	Privacy protection for information and data	Establish/Maintain Documentation
Obtain consent from an individual prior to transferring personal data. CC ID 06948	Privacy protection for information and data	Data and Information Management
Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528	Privacy protection for information and data	Business Processes
Notify data subjects when their personal data is transferred. CC ID 00352	Privacy protection for information and data	Behavior
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333	Privacy protection for information and data	Establish/Maintain Documentation
Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414	Privacy protection for information and data	Communicate
Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314	Privacy protection for information and data	Data and Information Management
Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312	Privacy protection for information and data	Data and Information Management
Prohibit the transfer of personal data when security is inadequate. CC ID 00345	Privacy protection for information and data	Data and Information Management
Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346	Privacy protection for information and data	Data and Information Management
Refrain from transferring past the first transfer. CC ID 00347	Privacy protection for information and data	Data and Information Management
Document transfer disagreements by the data subject in writing. CC ID 00348	Privacy protection for information and data	Establish/Maintain Documentation
Allow the data subject the right to object to the personal data transfer. CC ID 00349	Privacy protection for information and data	Data and Information Management
Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428	Privacy protection for information and data	Records Management
Follow the instructions of the data transferrer. CC ID 00334	Privacy protection for information and data	Behavior
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315	Privacy protection for information and data	Establish/Maintain Documentation
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316	Privacy protection for information and data	Data and Information Management
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317	Privacy protection for information and data	Data and Information Management
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318	Privacy protection for information and data	Data and Information Management
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319	Privacy protection for information and data	Data and Information Management
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320	Privacy protection for information and data	Data and Information Management
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321	Privacy protection for information and data	Data and Information Management
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322	Privacy protection for information and data	Data and Information Management
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323	Privacy protection for information and data	Data and Information Management
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324	Privacy protection for information and data	Data and Information Management
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325	Privacy protection for information and data	Data and Information Management
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326	Privacy protection for information and data	Data and Information Management
Require transferees to implement adequate data protection levels for the personal data. CC ID 00335	Privacy protection for information and data	Data and Information Management
Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527	Privacy protection for information and data	Business Processes
Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336	Privacy protection for information and data	Establish/Maintain Documentation
Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337	Privacy protection for information and data	Data and Information Management
Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338	Privacy protection for information and data	Data and Information Management
Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339	Privacy protection for information and data	Data and Information Management
Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340	Privacy protection for information and data	Data and Information Management
Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341	Privacy protection for information and data	Data and Information Management
Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342	Privacy protection for information and data	Data and Information Management
Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343	Privacy protection for information and data	Data and Information Management
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344	Privacy protection for information and data	Data and Information Management
Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353	Privacy protection for information and data	Communicate
Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350	Privacy protection for information and data	Behavior
Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949	Privacy protection for information and data	Establish/Maintain Documentation
Obtain consent prior to storing cookies on an individual's browser. CC ID 06950	Privacy protection for information and data	Data and Information Management
Obtain consent prior to downloading software to an individual's computer. CC ID 06951	Privacy protection for information and data	Data and Information Management
Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000	Privacy protection for information and data	Process or Activity
Remove or uninstall software from an individual's computer, as necessary. CC ID 13998	Privacy protection for information and data	Process or Activity
Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997	Privacy protection for information and data	Process or Activity
Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a privacy impact assessment. CC ID 13712	Privacy protection for information and data	Establish/Maintain Documentation
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520	Privacy protection for information and data	Establish/Maintain Documentation
Include how to grant consent in the privacy impact assessment. CC ID 15519	Privacy protection for information and data	Establish/Maintain Documentation
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518	Privacy protection for information and data	Establish/Maintain Documentation
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517	Privacy protection for information and data	Establish/Maintain Documentation
Include data handling procedures in the privacy impact assessment. CC ID 15516	Privacy protection for information and data	Establish/Maintain Documentation
Include the intended use of information in the privacy impact assessment. CC ID 15515	Privacy protection for information and data	Establish/Maintain Documentation
Include the reason information is being collected in the privacy impact assessment. CC ID 15514	Privacy protection for information and data	Establish/Maintain Documentation
Include the type of information to be collected in the privacy impact assessment. CC ID 15513	Privacy protection for information and data	Business Processes
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458	Privacy protection for information and data	Communicate
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and remediate violations of this chapter. Section 10(a) (2)(vi)]	Privacy protection for information and data	Data and Information Management
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852	Privacy protection for information and data	Behavior
Include supporting documentation in the privacy rights violation complaint. CC ID 16997	Privacy protection for information and data	Establish/Maintain Documentation
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807	Privacy protection for information and data	Business Processes
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526	Privacy protection for information and data	Establish/Maintain Documentation
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Privacy protection for information and data	Establish/Maintain Documentation
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529	Privacy protection for information and data	Establish/Maintain Documentation
Document unresolved challenges. CC ID 13568	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Privacy protection for information and data	Establish/Maintain Documentation
Notify individuals of their right to challenge personal data. CC ID 00457 [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]	Privacy protection for information and data	Data and Information Management
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Privacy protection for information and data	Data and Information Management
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Privacy protection for information and data	Configuration
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Privacy protection for information and data	Human Resources Management
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Privacy protection for information and data	Data and Information Management
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861	Privacy protection for information and data	Communicate
Investigate the disputed accuracy of personal data. CC ID 00461	Privacy protection for information and data	Data and Information Management
Notify third parties of unresolved challenges. CC ID 13559	Privacy protection for information and data	Communicate
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Privacy protection for information and data	Establish/Maintain Documentation
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954	Privacy protection for information and data	Establish/Maintain Documentation
Include the allegations against the organization in the notice of investigation. CC ID 13031	Privacy protection for information and data	Establish/Maintain Documentation
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]	Privacy protection for information and data	Behavior
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482	Privacy protection for information and data	Behavior
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483	Privacy protection for information and data	Behavior
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484	Privacy protection for information and data	Behavior
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485	Privacy protection for information and data	Behavior
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486	Privacy protection for information and data	Behavior
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Privacy protection for information and data	Behavior
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488	Privacy protection for information and data	Behavior
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489	Privacy protection for information and data	Behavior
Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} In no event shall any contract relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship under this chapter. Section 5(f) A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d) {is liable} Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation. Section 12(c)]	Privacy protection for information and data	Establish/Maintain Documentation
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Privacy protection for information and data	Establish/Maintain Documentation
Define the appeal process based on the applicable law. CC ID 00506 [A controller must establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the rights under subdivision 1 within a reasonable period of time after the consumer's receipt of the notice sent by the controller under subdivision 4, paragraph (f). Section 6 Subdivision 5(a) The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b) The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Define the fee structure for the appeal process. CC ID 16532	Privacy protection for information and data	Process or Activity
Define the time requirements for the appeal process. CC ID 16531	Privacy protection for information and data	Process or Activity
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]	Privacy protection for information and data	Communicate
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]	Privacy protection for information and data	Communicate
Provide notice of proposed penalties. CC ID 06216	Privacy protection for information and data	Establish/Maintain Documentation
Notify the public and other agencies after a penalty becomes final. CC ID 06217	Privacy protection for information and data	Behavior
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h) A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]	Privacy protection for information and data	Establish/Maintain Documentation
Check the accuracy of restricted data. CC ID 00088	Privacy protection for information and data	Data and Information Management
Check the data accuracy of new accounts. CC ID 04859	Privacy protection for information and data	Data and Information Management
Use documents for identification that do not appear altered or forged. CC ID 04860	Privacy protection for information and data	Establish/Maintain Documentation
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862	Privacy protection for information and data	Data and Information Management
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863	Privacy protection for information and data	Data and Information Management
Correlate the applicant's social security number with their date of birth. CC ID 04864	Privacy protection for information and data	Data and Information Management
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867	Privacy protection for information and data	Data and Information Management
Compare the applicant's personal data against known fraudulent activities. CC ID 04865	Privacy protection for information and data	Data and Information Management
Compare the applicant's address against known suspicious addresses. CC ID 04866	Privacy protection for information and data	Data and Information Management
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868	Privacy protection for information and data	Data and Information Management
Provide additional personal data when the application is incomplete. CC ID 04869	Privacy protection for information and data	Data and Information Management
Interview appropriate parties to validate consumer information. CC ID 16902	Privacy protection for information and data	Process or Activity
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899	Privacy protection for information and data	Business Processes
Use contact methods specified by the consumer for identity verification. CC ID 16878	Privacy protection for information and data	Process or Activity
Establish, implement, and maintain a supply chain management program. CC ID 11742	Third Party and supply chain oversight	Establish/Maintain Documentation
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]	Third Party and supply chain oversight	Establish/Maintain Documentation
Review and update all contracts, as necessary. CC ID 11612	Third Party and supply chain oversight	Establish/Maintain Documentation
Conduct all parts of the supply chain due diligence process. CC ID 08854	Third Party and supply chain oversight	Business Processes
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139	Third Party and supply chain oversight	Communicate
Include the audit scope in the third party external audit report. CC ID 13138	Third Party and supply chain oversight	Establish/Maintain Documentation
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878	Third Party and supply chain oversight	Business Processes
Provide products or services per customer requests. CC ID 08893 [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]	Third Party and supply chain oversight	Business Processes