Question: Are external sharing and cross-border transfers governed by approvals, contracts, and technical safeguards aligned to classification?
Objective — Why This Matters
Data often leaves your boundary through vendors, partners, or collaboration tools. Governing external sharing and cross-border movement prevents unlawful disclosure and ensures appropriate safeguards are in place.
Maturity Levels (0–5)
0 — Unaware
No formal approvals; sharing links unrestricted; transfers untracked.
1 — Ad Hoc
Case-by-case emails; contractual terms vague.
2 — Defined
Policy defines when external sharing and transfers are allowed; approval matrix set.
3 — Managed
Technical controls enforce sharing rules; DPAs and clauses in place; logs retained.
4 — Integrated
Geo-restrictions, DLP, watermarking; periodic review of transfers and recipients.
5 — Optimized
Automation of approvals and expiry; analytics on sharing events and vendor geography.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Disable public links for Restricted data; require approval for external sharing. |
| 1 → 2 | Publish policy for cross-border transfers with legal basis and safeguards. |
| 2 → 3 | Enforce DLP and link expiry; use DPAs and confidentiality clauses. |
| 3 → 4 | Apply geo controls and audit sharing logs; review recipients quarterly. |
| 4 → 5 | Automate approvals and expiries; monitor anomalies and revoke access proactively. |
People / Process / Technology Enablers
- People: Privacy Lead, Legal, System Owners.
- Process: Sharing approval workflow, transfer assessment, contractual templates.
- Technology: DLP, link expiry and watermarking, geo-restrictions, logging.
Evidence Required
- External sharing and cross-border policy.
- Sample approvals and active DPAs/clauses.
- Sharing logs and DLP rule screenshots.
Metrics / KPIs
- External sharing events approved versus blocked (and any allowed without an approval record).
- Transfers involving Restricted data and their safeguards.
- Links expired or revoked within policy timeframe.
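The three KPIs above can be computed directly from an export of sharing audit events, which is also the kind of query a Metabase dashboard over those logs would run. The following Python script is an added example, not part of the original assessment or any particular suite's tooling: the JSON-lines record schema, the internal domain list and the 30-day link-lifetime policy are all assumptions, and the sample events are constructed. It splits external shares into approved, blocked and allowed-without-approval, lists Restricted transfers lacking a recorded safeguard (DPA or clause), and flags permanent external links and links that outlived the policy timeframe without being expired or revoked.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one JSON object per sharing event. The field names are an
# assumption for this example, not the schema of any real suite's audit log.
SAMPLE_LOG = """\
{"link_id": "L1", "classification": "Restricted", "recipient": "alice@partner.example", "approval_id": "APR-101", "action": "share", "ts": "2024-03-01T09:00:00Z", "expires": "2024-03-15T00:00:00Z", "revoked": null, "safeguard": "DPA-7"}
{"link_id": "L2", "classification": "Internal", "recipient": "bob@corp.example", "approval_id": null, "action": "share", "ts": "2024-03-02T10:00:00Z", "expires": null, "revoked": null, "safeguard": null}
{"link_id": "L3", "classification": "Restricted", "recipient": "eve@unknown.example", "approval_id": null, "action": "blocked", "ts": "2024-03-03T11:00:00Z", "expires": null, "revoked": null, "safeguard": null}
{"link_id": "L4", "classification": "Confidential", "recipient": "carol@vendor.example", "approval_id": "APR-102", "action": "share", "ts": "2024-01-05T08:00:00Z", "expires": null, "revoked": null, "safeguard": "DPA-3"}
{"link_id": "L5", "classification": "Restricted", "recipient": "dan@partner.example", "approval_id": null, "action": "share", "ts": "2024-03-04T12:00:00Z", "expires": "2024-03-20T00:00:00Z", "revoked": null, "safeguard": null}
{"link_id": "L6", "classification": "Internal", "recipient": "frank@vendor.example", "approval_id": "APR-103", "action": "share", "ts": "2024-02-01T12:00:00Z", "expires": "2024-02-10T00:00:00Z", "revoked": "2024-02-09T00:00:00Z", "safeguard": null}
"""

INTERNAL_DOMAINS = {"corp.example"}          # assumed: recipients here are not "external"
MAX_LINK_LIFETIME = timedelta(days=30)       # assumed policy timeframe for external links
NOW = datetime(2024, 3, 31, tzinfo=timezone.utc)  # fixed clock so the run is reproducible


def parse_ts(value):
    """ISO-8601 with a trailing Z -> timezone-aware datetime; None stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Parse JSON-lines audit export into dicts, normalising timestamps and marking external recipients."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for key in ("ts", "expires", "revoked"):
            rec[key] = parse_ts(rec[key])
        domain = rec["recipient"].rsplit("@", 1)[-1].lower()
        rec["external"] = domain not in INTERNAL_DOMAINS
        events.append(rec)
    return events


def kpi_approval(events):
    """KPI 1: external sharing events approved vs blocked; 'unapproved' is the control gap."""
    counts = {"approved": 0, "blocked": 0, "unapproved": 0}
    for e in events:
        if not e["external"]:
            continue
        if e["action"] == "blocked":
            counts["blocked"] += 1
        elif e["approval_id"]:
            counts["approved"] += 1
        else:
            counts["unapproved"] += 1
    return counts


def kpi_restricted(events):
    """KPI 2: Restricted data shared externally, and which transfers lack a recorded safeguard."""
    restricted = [
        e for e in events
        if e["external"] and e["action"] == "share" and e["classification"] == "Restricted"
    ]
    return {
        "restricted_external": len(restricted),
        "without_safeguard": [e["link_id"] for e in restricted if not e["safeguard"]],
    }


def kpi_link_expiry(events, now=NOW):
    """KPI 3: external links closed within the policy lifetime vs permanent or overdue ones."""
    findings = {"within_policy": 0, "permanent": [], "overdue": []}
    for e in events:
        if not e["external"] or e["action"] != "share":
            continue
        deadline = e["ts"] + MAX_LINK_LIFETIME
        # The link is closed at the earlier of its expiry and its revocation, if either exists.
        closed = min(filter(None, [e["expires"], e["revoked"]]), default=None)
        if closed is None:
            findings["permanent"].append(e["link_id"])   # the "permanent link" pitfall
            if now > deadline:
                findings["overdue"].append(e["link_id"])
        elif closed <= deadline:
            findings["within_policy"] += 1
        else:
            findings["overdue"].append(e["link_id"])
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("approval:", kpi_approval(evs))
    print("restricted:", kpi_restricted(evs))
    print("link expiry:", kpi_link_expiry(evs))
```

Each KPI returns a structure rather than a single number on purpose: the identifiers in `unapproved`, `without_safeguard` and `overdue` are the items that need an approval, a contract or a revocation, so the same run that feeds the dashboard also produces the work list for the quarterly recipient review.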
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Controls | Suite-native DLP, link expiry | Start with restrictive defaults. |
| Contracts | Standard DPA templates | Maintain signed copies centrally. |
| Monitoring | Metabase over audit logs | Trends and anomalies. |
Common Pitfalls
- Permanent external links without expiry.
- No record of legal basis or safeguards for cross-border movement.
- DLP rules only monitor; never enforce.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | A.5.24 (information transfer), A.5.23 (supplier agreements). |
| NIST CSF 2.0 | PR.DS-5/6, ID.SC-3. |
| DPDP Act 2023 | Cross-border transfer conditions and contracts. |
| NIRMATA Scoring | AD-Q11 Level ≥3 requires enforceable controls + contracts + logs. |