Control mechanisms such as access rights management, compliance with legal frameworks such as the General Data Protection Regulation or the EU AI Act, cybersecurity measures, and (technical/organisational) monitoring options.

Autonomy refers to your ability to manage and control your data independently. This includes aspects of keeping data confidential (e.g. business secrets, strategic knowledge), avoiding vendor lock-in, flexibility in data migration, having a documented exit policy, adherence to open standards, and the ability to influence future development.

Privacy involves ensuring lawful, transparent processing of personal data, minimizing data collection, maintaining data accuracy, and implementing strong information security measures. It also includes managing cookies and usage data responsibly.

This relates to potential financial, reputational, and operational impacts that your organization might face in case of data management failures. Think of things ‘going wrong’ because your organisations has made under considered or negligent choices and just went with the easiest option without thinking everything through.

A data processing agreement is a legal contract that outlines the terms and conditions under which data is processed. It typically includes details about the purpose, duration, security measures, and the rights and responsibilities of both parties involved in data processing.

Granularity in permissions refers to the degree of detail in assigning access rights to users or systems. It involves specifying precisely which actions or data each user or system is allowed to access, providing a more fine-grained control over security.

This refers to the methods and techniques used to convert data into a coded format to protect it from unauthorized access.

The Software Bill of Materials (SBOM) is a detailed inventory or electronic document that outlines the components and origins of a piece of software, providing transparency to enhance cybersecurity risk management.

Can the assessed tool or platform integrate with existing monitoring systems which are already being used in the organisation?

Is your data used to train AI systems? Select 3 if none of your data has been used for AI training

This covers treating the personal data of individuals fairly, being transparent about processing activities, and having a lawful basis (e.g. informed and specific consent or legal requirement) for data processing.

Ensuring that data is used for specific, pre-defined and clearly limited purposes.

Collects and processes the minimum amount of data necessary to fulfill its intended purpose.

Evaluates whether there are measures in place to ensure the accuracy and correctness of the processed data.

Implementing storage limitations helps organizations to avoid retaining personal data longer than necessary. This reduces the potential for misuse or unauthorized access.

Is the envisaged data use adhering to ethical standards (e.g. non-discrimination, fairness, etc.)

Significance of certain information in achieving organizational objectives, emphasizing the need for robust security measures.

Crucial for privacy considerations and ensuring responsible data handling.

Transparency and user consent are essential to comply with privacy regulations.

Clarifying the scope of cookie tracking helps manage user expectations and privacy concerns.

How long will it take to migrate to another comparable platform or service?

Does the migration require specialized knowledge?

Can you accommodate data migration? Do you have specific infrastructure requirements?

Do you have storage options for data migration?

The presence of a documented exit policy outlines procedures and requirements for transitioning away from a service or system.

Adhering to open standards facilitates integration and reduces dependence on proprietary solutions.

A contributor licence agreement (CLA) defines the terms under which intellectual property has been contributed to a company/project, typically software under an open source licence. This establishes transparency.

Is it possible to influence the direction of development? If yes, this allows to align technology with specific organisational needs, promoting data autonomy principles.

Evaluates the financial implications if data management fails, from significant losses to negligible impact.

The Consumer Price Index is a measure that examines the average change in prices of goods and services over time, depending on inflation.

Potential for reputational damage associated with the system.

0-Individual, 1-Team, 2-Domain, 3-Faculty, 4-Organization.

This covers administrative and compliance responsibilities associated with managing and overseeing the application.

How high are the costs that would have to be faced as a result of migration to another comparable service or platform?