Monitoring, Reporting, and Enforcement
Establish appropriate measures for monitoring and reporting of non-compliance with personal data protection policies and of the remedial actions taken. Drive improvements based on lessons learned from incidents and near-incidents.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Monitoring, Reporting, and Enforcement at each level of maturity.
- 1 Initial
- Practice
- Rely on the best endeavours of staff for incident handling.
- Outcome
- Data protection incident management processes (if any) are considered ad hoc.
- Practice
- Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
- Outcome
- Data protection monitoring and reporting (if any) are ad hoc.
- Practice
- Evaluate the nature and impact of data protection incidents.
- Outcome
- Data protection incident management processes (if any) are considered ad hoc.
- Practice
- Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
- Outcome
- Data protection incident management processes (if any) are considered ad hoc.
- 2 Basic
- Practice
- Draft procedures for handling incidents and near incidents.
- Outcome
- Basic procedures for data protection incident detection and handling are in use.
- Metric
- % data protection incidents addressed following processes and procedures.
- Practice
- Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
- Outcome
- Basic counts of typical events and data subject requests are reported.
- Metrics
- # Data protection anomalies.
- # Data subject requests opened/closed.
- Practice
- Evaluate the nature and impact of data protection incidents.
- Outcome
- Basic procedures for data protection incident detection and handling are in use.
- Metric
- % data protection incidents with impact reports.
- Practice
- Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
- Outcome
- Data protection vulnerabilities identified from analysis of the feedback are eliminated or mitigated using protection methods and processes.
- Metrics
- # Vulnerabilities identified in incident feedback reports.
- % of incident-identified vulnerabilities addressed.
- 3 Intermediate
- Practice
- Establish and implement procedures for handling incidents and near incidents.
- Outcome
- Incident handling is consistent and professional.
- Metrics
- % data protection incidents addressed following processes and procedures.
- # Time to resolution of data protection incidents.
- Practice
- Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
- Outcome
- An agreed set of indicators is monitored and reported for IT and some other business units.
- Metrics
- # agreed indicators reported.
- # anomalies detected.
- # data subject requests opened/closed.
- Practice
- Evaluate the nature and impact of data protection incidents.
- Outcomes
- Data protection incidents are prioritized based on perceived risk and importance.
- Root cause analysis is completed.
- Metric
- % data protection incidents with impact reports.
- Practice
- Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
- Outcomes
- Data protection aspects of incidents are prioritized based on perceived risk and importance.
- Root cause analysis is completed.
- Metrics
- # Vulnerabilities identified in incident feedback reports.
- % of incident-identified vulnerabilities addressed.
- 4 Advanced
- Practice
- Manage and improve procedures for handling incidents and near incidents.
- Outcomes
- Incident handling is rapid, consistent, professional and improved based on lessons learned.
- Root causes are usually identified and rectified.
- Metrics
- % data protection incidents addressed following processes and procedures.
- # Time to resolution of data protection incidents.
- Practice
- Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
- Outcome
- A comprehensive set of monitoring capabilities exists, facilitating data protection reports with a complete metrics set organization-wide.
- Metrics
- # agreed indicators reported.
- # anomalies detected.
- # data subject requests opened/closed.
- Practice
- Evaluate the nature and impact of data protection incidents.
- Outcome
- A systematic approach to addressing data protection incidents is used and regularly improved organization-wide.
- Metric
- % data protection incidents with impact reports.
- Practice
- Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
- Outcome
- A systematic approach to addressing data protection aspects of incidents is used and regularly improved organization-wide.
- Metrics
- # Vulnerabilities identified in incident feedback reports.
- % of incident-identified vulnerabilities addressed.
- 5 Optimized
- Practice
- Optimize using latest research and emerging best practice procedures for handling incidents and near incidents.
- Outcome
- Procedures for data protection incident management are regularly optimized across the business ecosystem.
- Metrics
- % Identified incidents corrected.
- # Near incidents identified.
- Practice
- Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
- Outcome
- Comprehensive self service analysis tools aid insight and understanding from data protection reports.
- Metric
- # Non-compliance issues identified by automated checks and actioned.
- Practice
- Evaluate the nature and impact of data protection incidents.
- Outcome
- Procedures for data protection incident management are regularly optimized across the business ecosystem.
- Metric
- # Incidents evaluated and actioned to prevent future occurrence.
- Practice
- Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
- Outcome
- Procedures for data protection aspects of incident management are regularly optimized across the business ecosystem.
- Metrics
- # Procedures regularly updated.
- % Procedures optimized.