AICM Atlas · CSA AI Controls Matrix
DSP · Data Security and Privacy Lifecycle Management
DSP-12 · Cloud & AI Related

Limitation of Purpose in Personal Data Processing

Specification

Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Data collection, Resource provisioning

Development

Design, Guardrails

Evaluation

Evaluation, Validation/Red Teaming

Deployment

Orchestration, AI Services supply chain

Delivery

Operations, Maintenance, Continuous monitoring

Retirement

Data deletion, Archiving

Ownership / SSRM

PI

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM)/GenAI technology services or products they consume.

Model

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM)/GenAI technology services or products they consume.

Orchestrated

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM)/GenAI technology services or products they consume.

Application

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM)/GenAI technology services or products they consume.

Implementation guidelines

[All Actors]
1. Provide legal accountability and governance enforcement.

2. Maintain data-processing agreements (DPAs) or equivalent contracts with third-party processors for any personal data the actor shares, ensuring it is handled strictly for the declared purposes and in line with applicable laws.

[Shared among: CSP, AP, OSP]
1. Apply technical controls for lawful data location and access.

[Shared among: MP, AIC, OSP]
1. Enforce purpose-bound model training and privacy-by-design.

[Shared among: OSP, CSP, AP]
1. Restrict processing paths through policy-driven routing.

[Shared among: AP, AIC, OSP]
1. Declare purpose and manage consent at the application interface.

Auditing guidelines

1. Examine whether the CSP’s policy and procedures related to data privacy address the requirement that data the CSP is responsible for is processed lawfully and used only for the purposes stated to data subjects.

2. Establish whether the CSP has documented the roles and responsibilities for this process.

3. Review the CSP’s data breaches and confirm that action plans were identified and carried out appropriately. Confirm that all supporting evidence was formally documented.

4. Review the CSP’s processes that inform data subjects why it requests this data and what it will be used for. Confirm that any CSP documentation (including web page content) is subject to formal periodic review for relevance and compliance with legislation and regulation.

5. Review the technical measures implemented to ensure that personal data is processed according to applicable laws and regulations.

6. Verify that the purposes for processing personal data are declared and documented to the data subject.

7. Verify the effectiveness of technical measures such as encryption, access controls, and data anonymization used during data processing.

8. Verify that all processes, procedures, and technical measures related to data processing are thoroughly documented and regularly updated to reflect changes in laws and regulations.

9. Determine if the CSP evaluates third-party providers to ensure that personal data is processed according to applicable laws and regulations and for the purposes declared to the data subject.

10. Examine infrastructure capabilities that support data segregation and isolation based on processing purposes. 

11. Verify implementation of data tagging or labeling mechanisms that can associate processing purpose limitations with stored data. 

12. Review access control systems to assess whether they can restrict data access based on approved processing purposes. 

13. Assess audit logging capabilities that track data processing activities at the infrastructure level, including purpose identification. 

14. Verify that infrastructure design facilitates the enforcement of purpose limitation controls for higher-level components.
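Auditing guidelines 11 to 13 (purpose tags on stored data, access decisions bound to an approved purpose, audit logs that record the purpose of each access) and the implementation guideline on purpose-bound model training describe one mechanism from three angles. The following is an added, illustrative example and not code from the CSA AI Controls Matrix or any vendor. It assumes hypothetical policy tables: each record carries the purposes that were declared to its data subject at collection, each actor role is approved for a fixed set of purposes, and each purpose is allowed to see only a fixed subset of fields. Every access attempt, granted or refused, lands in an audit log entry that names the purpose, which is what an auditor checking guideline 13 would look for.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Record:
    subject_id: str
    fields: dict
    purposes: frozenset  # purposes declared to this subject when the data was collected


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical policy tables, assumed for this example (not from the control text).
# Purposes each actor role is approved to process under:
ROLE_POLICY = {
    "support-agent": {"service_delivery"},
    "ml-engineer": {"model_training", "evaluation"},
    "billing-system": {"billing"},
}
# Fields each purpose may see (data minimisation bound to purpose):
PURPOSE_FIELDS = {
    "service_delivery": {"email", "transcript"},
    "model_training": {"transcript"},
    "evaluation": {"transcript"},
    "billing": {"email", "plan"},
}


class PurposeGuard:
    """Purpose-based access decisions plus an audit log that records the
    purpose of every attempted access, whether granted or denied."""

    def __init__(self, role_policy=ROLE_POLICY, purpose_fields=PURPOSE_FIELDS):
        self.role_policy = role_policy
        self.purpose_fields = purpose_fields
        self.audit_log = []

    def check(self, actor, role, purpose, record):
        # Role approval is checked first, then the purposes declared to the subject.
        if purpose not in self.role_policy.get(role, set()):
            d = Decision(False, f"role {role!r} not approved for purpose {purpose!r}")
        elif purpose not in record.purposes:
            d = Decision(False, f"purpose {purpose!r} not declared to subject {record.subject_id}")
        else:
            d = Decision(True, "purpose declared to subject and approved for role")
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "purpose": purpose,
            "subject": record.subject_id, "allowed": d.allowed, "reason": d.reason,
        })
        return d

    def select(self, actor, role, purpose, records):
        """Return the records this actor may process for `purpose`, projected
        to the fields allowed for that purpose. Every record considered leaves
        an audit entry, including the ones that were refused."""
        keep = self.purpose_fields.get(purpose, set())
        out = []
        for r in records:
            if self.check(actor, role, purpose, r).allowed:
                out.append({"subject_id": r.subject_id,
                            **{k: v for k, v in r.fields.items() if k in keep}})
        return out


# Constructed sample data: three data subjects with different declared purposes.
SAMPLE_RECORDS = [
    Record("s1", {"email": "s1@example.com", "transcript": "...", "plan": "pro"},
           frozenset({"service_delivery", "billing", "model_training"})),
    Record("s2", {"email": "s2@example.com", "transcript": "...", "plan": "free"},
           frozenset({"service_delivery"})),  # training was never declared to s2
    Record("s3", {"email": "s3@example.com", "transcript": "...", "plan": "pro"},
           frozenset({"service_delivery", "model_training"})),
]


def build_training_set(guard=None):
    """Purpose-bound training data: only subjects who were told their data would
    be used for model training, and only the transcript field."""
    guard = guard or PurposeGuard()
    return guard.select("alice", "ml-engineer", "model_training", SAMPLE_RECORDS)


def support_training_pull(guard=None):
    """A support agent trying to read data for training is refused by the role
    policy before the subject's declared purposes are even consulted."""
    guard = guard or PurposeGuard()
    return guard.check("bob", "support-agent", "model_training", SAMPLE_RECORDS[0])


if __name__ == "__main__":
    g = PurposeGuard()
    print(build_training_set(g))
    print(support_training_pull(g))
    for entry in g.audit_log:
        print(entry)
```

The two checks are deliberately ordered so that a role mismatch is reported without revealing anything about the subject's consent state, and the projection step means that a caller approved for `model_training` never receives `email` or `plan` even for subjects who consented to training. Subject s2, who was never told about training, is filtered out and the refusal is logged with the purpose that was attempted.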

Standards mappings

ISO 42001 · No Gap
42001: A.7.2 Data for development and enhancement of AI system
42001: A.7.4 Quality of data for AI systems
42001: A.2.3 Alignment with other organizational policies
27001: A.5.34 - Privacy and protection of personal identifiable information (PII)
27002: 5.34 - Privacy and protection of personal identifiable information (PII)
Addendum

N/A

EU AI Act · No Gap
Article 10 (2)
Article 52
Addendum

N/A

NIST AI 600-1 · No Gap
GV-1.1-001
GV-6.1-004
MP-4.1-010
Addendum

N/A

BSI AIC4 · Partial Gap
OPS-10
OPS-11
Addendum

In the EU these topics are governed by the GDPR, which applies directly in every member state and is supplemented by national implementing laws. Purpose limitation is an explicit principle of the GDPR (Article 5(1)(b)).

AI-CAIQ questions (1)

DSP-12.1

Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure that personal data is processed according to applicable laws and regulations and for the purposes declared to the data subject?