Your Data Processing Obligations form a core part of your Compliance Obligations and are defined separately here to ensure the policy objectives for Product Teams and the Technology Community Of Practice are as clear as possible.

A Product Lead cannot perform their role without an understanding of the regulatory environment that their Product operates in. Having accountability for Product Teams understanding their Data Processing Obligations with a central compliance or security awareness team is not effective and doesn’t scale, so this framework assigns it to Product Leads, who are accountable for their Product’s and Product Team’s security.

This is one of two policy objectives that look very similar. This one ensures that data is handled in a compliant way by the Product Team, which encompasses the development, operational and administrative staff for the product. Mishandling of data by the people on the Product Team is a source of data breaches and the Product Lead is accountable for the Product Team’s manual processes handling data correctly.

This is one of two policy objectives that look very similar. This one ensures that data is handled in a compliant way by the Product, which encompasses all processes and operations of the technology Product itself. Mishandling of data by technology Products is a source of data breaches and the Product Lead is accountable for the Product’s automated processes handling data correctly.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Security Levels for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.