Personal Data Protection (PDP)

Personal data differs from other business data in that its ownership lies with the person to whom it refers and not the custodian company. This confers rights on the data subject, including the right to the privacy of the data. The custodian can vindicate the data subjects' right to privacy partly by protecting data from unauthorised access through access controls and other protection approaches, such as firewalls and physical isolation. Such measures (discussed in chapter 22, Information Security Management (ISM)) are designed to safeguard all data and information, while ‘data protection’ as discussed in this chapter refers primarily to the additional measures needed to protect personal or sensitive personal data, and to satisfy the legal obligations imposed on the custodian.

The Personal Data Protection (PDP) capability is the ability to develop, deploy, and implement policies, systems, and controls for processing personal and sensitive personal data relating to living persons in all digital, automated, and manual forms. It ensures that the organization safeguards the right to privacy of individuals whose information it holds, and that the organization uses personal data strictly for legitimate business purposes.

Policies, systems, and controls encompass and give effect to relevant standards and regulations, which may differ from country to country. The organization must consider the jurisdictions in which the data is acquired, processed, stored, and in some cases through which it is transmitted to identify what regulations are relevant.

The Personal Data Protection (PDP) capability covers:

  • Processing personal data throughout its life-cycle.
  • Maintaining the quality and integrity of personal data.
  • Identifying and communicating data protection regulations and standards.
  • Raising awareness and establishing a privacy culture.
  • Managing data protection relationships and agreements with third parties.
  • Communicating information (on database registrations, data breaches, audit data and so on) with statutory data protection officers.
  • Managing data privacy risks and conducting privacy impact assessments.
  • Managing data subject rights.
  • Identifying and applying applicable data protection standards and regulations.
  • Verifying the effectiveness of data protection policies.

Structure

PDP is made up of the following Categories and Capability Building Blocks (CBBs). Maturity and planning are described at both the Critical Capability (CC) and the CBB level.

A. Management and Oversight

Governance and oversight for personal data handling.

A1. Strategy and Governance

Design, develop, and maintain policies and controls for protecting personal data that comply with relevant regulations and laws, and that align with the organization's business model and objectives.

A2. Supplier Management

Select suppliers that are committed to observing the organization's personal data protection obligations, and manage supplier compliance with them.

A3. Monitoring, Reporting, and Enforcement

Establish appropriate measures for monitoring and reporting of non-compliance with personal data protection policies and of the remedial actions taken. Drive improvements based on lessons learned from incidents and near-incidents.

B. People

Establishes a data protection compliant culture, reinforced by advocacy, roles, and training.

B1. Staff Awareness

Raise awareness of the need to protect personal data. Provide data protection training for employees.

B2. Data Subject Rights Management

Manage requests by data subjects to access the personal information held by the organization about them. Check that the communications channels and agents are authorized by the data subject.

B3. Enforcement of Roles, Responsibilities, and Accountabilities

Allocate responsibility and accountability for personal data protection to named individuals, and manage their performance.

C. Processing

Handling personal data appropriately throughout its life-cycle.

C1. Security, Access Rights, and Risk Management

Establish, identify, and communicate security criteria, access rights controls (based on life-cycle state) and risk criteria for personal data.

C2. Personal Data Acquisition and Purpose

Develop and implement approaches to obtaining data subjects' consent, giving fair notice, acquiring personal data, and processing personal data fairly.

C3. Compatibility, Adequacy, and Accuracy

Ensure that personal data is used and disclosed only for the purposes for which it was acquired. Monitor the quality of personal data held, and remedy any quality issues. (The quality standard for personal data is essentially set by the data subject — that is, the data owner. The custodian sets standards and guidelines to help meet the data subject's standards.)

C4. Information Life-Cycles

Provide input to information life-cycle planning to identify, acquire, process, preserve, and/or destroy personal data to meet business, regulatory, and legal requirements, including those identified in privacy impact assessments.

C5. Retention and Destruction

Develop and implement controls to verify that personal data is not retained beyond the time specified in retention policies. Destroy data media (all forms — paper, digital, etc.) at the end of the data's life-cycle and ensure that obsolete (or deleted) personal data is not inappropriately restored.

Overview

Goal

The Personal Data Protection (PDP) capability aims to protect personal data from unintended disclosure or use when it is acquired, used, retained, or disposed of.

Objectives

  • Comply with relevant data protection regulations.
  • Develop and deploy data protection policies, systems, and controls for appropriate acquisition, use, retention and deletion/erasure of personal data.
  • Manage timely communication and registration with statutory officers regarding data protection breaches and near-incidents.
  • Verify the effectiveness of data protection policies and controls.
  • Develop, test, and deploy incident management processes and procedures.

Value

The People Asset Management (PAM) capability helps ensure that the employees with the right skills and competences are available to support the achievement of organizational objectives.

Relevance

Organizations are increasingly using personal information to create new products and services. However, this increases the potential for inappropriate or illegal use or disclosure of such information, which can result in legal difficulties and reputational damage.

In most jurisdictions, data protection is treated seriously, and breaches can result in directors and companies being fined. Legal instruments being used to enforce data protection extend beyond data privacy laws to include legal concepts such as breach of trust, breach of contract, duty of care, and negligence.

Individuals are increasingly aware of their rights under data protection legislation, and of the risks associated with sharing their personal information. They expect organizations with which they share their information to have appropriate data protection policies and practices. Those who seek legal redress for inappropriate disclosure of their personal information are successful in approximately fifty percent of cases [1, 2].

Shareholders are also holding directors accountable for reputational damage and loss of share value arising from poor data protection practices.

Many organizations are unable to detect when or where their data systems have been breached. The FBI, banks, and credit card companies notify thousands of businesses each year that their data systems have been compromised [3].

By developing an effective Personal Data Protection (PDP) capability, the organization can reduce its exposure to the risks associated with handling personal data, while ensuring its compliance with relevant legislation and enhancing its reputation.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for PDP at each level of maturity.

Level 2: Basic
  • Practice
    Raise awareness and provide job-specific personal data protection training.
    Outcome
    Staff understanding of the need to safeguard personal data grows, which reduces the risk of careless disclosure.
    Metric
    Percentage of staff with data protection training.
  • Practice
    Allocate roles and responsibilities for personal data protection (for example, data protection officer) across key functions.
    Outcome
    Responsibilities and accountabilities are increasingly transparent, facilitating the effective management of data protection activities.
    Metric
    Percentage of data protection roles filled in key functions.
  • Practice
    Document approaches to ensuring that personal data is used only for the purposes for which it was collected.
    Outcome
    There is increased confidence that personal data is used only for appropriate and compliant purposes.
    Metric
    Number of violations in the use of personal data (per time period).
  • Practice
    Establish criteria for determining whether privacy impact assessments and/or other privacy risk analyses are required on technology-related projects.
    Outcome
    Appropriate risk analysis tools and techniques are applied and are more likely to produce good data privacy management outcomes.
    Metric
    Number and percentage of technology-related projects where privacy impact analysis has been completed.
Level 3: Intermediate
  • Practice
    Communicate consistently to staff and external partners to raise awareness of personal data protection policies, procedures, and controls.
    Outcomes
    • Staff are aware of and adhere to the policies and procedures for data protection.
    • Detection of anomalies is easier where practices, processes and procedures are consistent.
    Metric
    Number of staff-related data protection incidents and compliance issues.
  • Practice
    Implement feedback loops (such as a metrics dashboard or a traffic-light summary) to alert management to personal data protection violations or non-compliance issues.
    Outcomes
    • Feedback loops are effective in accelerating process, tool and practice improvements.
    • Organizational effectiveness improves at a faster pace.
    Metric
    Elapsed time from the detection of an issue to the implementation of a remedy preventing its re-occurrence.
  • Practice
    Audit the effectiveness of the approaches taken to personal data protection.
    Outcome
    Issues identified in audits help to improve processes and procedures, and to identify areas where automation or additional training might be beneficial.
    Metric
    Number of issues detected in audit and time to closure for those issues.
Level 4: Advanced
  • Practices
    • Promote consistent data management processes, procedures, tools and techniques organization-wide.
    • Use feedback metrics, audit reports, stakeholder feedback, and lean and agile techniques to streamline processes.
    Outcome
    The use of more consistent processes, procedures, tools, and techniques reduces risk and cost.
    Metric
    Level of organization-wide consistency in data management processes, procedures, tools and techniques.
  • Practice
    Mandate privacy impact analysis (and related privacy risk analysis) in all system reviews, and project, programme, and change management processes throughout the organization.
    Outcomes
    • Privacy impact analyses conducted prior to or during systems design or development can identify ways of preventing data protection issues from arising.
    • These can be incorporated into the planned services before going live.
    Metric
    The number of and trends for potential issues identified and averted or mitigated using privacy impact analyses.
Level 5: Optimized
  • Practice
    Keep up to date with the latest research on the protection of personal data, and implement best known practice.
    Outcomes
    • The organization is highly confident that it is doing its best to prevent breaches and protect stakeholders' interests.
    • When the organization can demonstrate that it is a champion and an advocate of personal data protection, claims for breach of trust, duty of care or similar legal measures are less likely to succeed.
    Metric
    The number of data protection research initiatives and industry collaborations being pursued or investigated.
  • Practice
    Continually encourage relevant business ecosystem partners to adopt good data protection practices.
    Outcomes
    • Increased confidence that the business ecosystem partners with which the organization shares information adhere to high standards.
    • Reduced risk of legal action or reputational damage arising from work with business partners.
    Metric
    The number and trends of incidents in relevant business ecosystem partners.

Reference

History

This capability was introduced in Revision 16 as a new critical capability.

It was deprecated in Revision 18.07 and replaced by the updated Personal Data Protection (18.07) capability.