CAN/DGSI 100-8, Data Governance - Part 8: Framework for Geo-Residency and Sovereignty
This Standard specifies the minimum requirements for Organizations to protect data assets in their custody from jurisdictional risks while taking advantage of the global technology ecosystem.
The Standard is not intended to prescribe how an Organization should implement specific security controls. Instead, the Standard will guide Organizations using jurisdictional and technology-agnostic approaches that can be adapted to address specific business requirements.
Considerations are given to:
• Identification and categorization of data assets;
• Development of an appropriate threat model;
• Identification of potential risks, including from laws in foreign jurisdictions;
• Options to mitigate associated risks; and
• Adherence to data sovereignty due diligence and transfer requirements under applicable law and regulations.
This Standard applies to all sectors, including public and private companies, government entities, and not-for-profit Organizations.
This Standard assumes that the Organization implementing the following requirements has existing risk management policies and procedures.
Note: For those applying the Standard, the law shall prevail in the event of a potential inconsistency or ambiguity between this Standard and applicable data privacy legislation. Where personally identifiable information (PII) is used in the Standard, local jurisdictional, legal and/or regulatory definitions shall apply.
DATE POSTED: September 5th, 2024
DEADLINE FOR COMMENTS: October 18, 2024