Monitoring, Reporting, and Enforcement

Establish appropriate measures for monitoring and reporting of non-compliance with personal data protection policies and of the remedial actions taken. Drive improvements based on lessons learned from incidents and near-incidents.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Monitoring, Reporting, and Enforcement at each level of maturity.

1Initial

Practice
Rely on the best endeavours of staff for incident handling.
Outcome
Data protection incident management processes (if any) are considered ad hoc.
Practice
Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
Outcome
Data protection monitoring and reporting (if any) are ad hoc.
Practice
Evaluate the nature and impact of data protection incidents.
Outcome
Data protection incident management processes (if any) are considered ad hoc.
Practice
Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
Outcome
Data protection incident management processes (if any) are considered ad hoc.

2Basic

Practice
Draft procedures for handling incidents and near incidents.
Outcome
Basic procedures for data protection incident detection and handling are in use.
Metric
% data protection incidents addressed following processes and procedures.
Practice
Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
Outcome
Basic counts of typical events and data subject requests are reported.
Metrics
- # Data protection anomalies.
- # Data subject requests opened/closed.
Practice
Evaluate the nature and impact of data protection incidents.
Outcome
Basic procedures for data protection incident detection and handling are in use.
Metric
% data protection incidents with impact reports.
Practice
Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
Outcome
Data protection vulnerabilities identified from analysis of the feedback are eliminated or are mitigated using protection methods and processes.
Metrics
- # Vulnerabilities identified in incident feedback reports.
- % of incident identified vulnerabilities addressed.

3Intermediate

Practice
Establish and implement procedures for handling incidents and near incidents.
Outcome
Incident handling is consistent and professional.
Metrics
- % data protection incidents addressed following processes and procedures.
- # time to resolution of data protection incidents.
Practice
Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
Outcome
An agreed set of indicators are monitored and reported for IT and some other business units.
Metrics
- # agreed indicators reported.
- # anomalies detected.
- # data subject requests opened/closed.
Practice
Evaluate the nature and impact of data protection incidents.
Outcomes
- Data protection incidents are prioritized based on perceived risk and importance.
- Root cause analysis is completed.
Metric
% data protection incidents with impact reports.
Practice
Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
Outcomes
- Data protection aspects of incidents are prioritized based on perceived risk and importance.
- Root cause analysis is completed.
Metrics
- # Vulnerabilities identified in incident feedback reports.
- % of incident identified vulnerabilities addressed.

4Advanced

Practice
Manage and improve procedures for handling incidents and near incidents.
Outcomes
- Incident handling is rapid, consistent, professional and improved based on lessons learned.
- Root causes are usually identified and retified.
Metrics
- % data protection incidents addressed following processes and procedures.
- # Time to resolution of data protection incidents.
Practice
Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
Outcome
A comprehensive set of monitoring capabilities exist facilitating data protection reports with a complete metrics set organization wide.
Metrics
- # agreed indicators reported.
- # anomalies detected.
- # data subject requests opened/closed.
Practice
Evaluate the nature and impact of data protection incidents.
Outcome
A systematic approach to addressing data protection incidents is used and regularly improved organization-wide.
Metric
% data protection incidents with impact reports.
Practice
Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
Outcome
A systematic approach to addressing data protection aspects of incidents is used and regularly improved organization-wide.
Metrics
- # Vulnerabilities identified in incident feedback reports.
- % of incident identified vulnerabilities addressed.

5Optimized

Practice
Optimize using latest research and emerging best practice procedures for handling incidents and near incidents.
Outcome
Procedures for data protection incident management are regularly optimized across business ecosystem.
Metrics
- % Incidents identified corrected.
- # Near incidents identified.
Practice
Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
Outcome
Comprehensive self service analysis tools aid insight and understanding from data protection reports.
Metric
# Non-compliance issues actioned identified with automated checks.
Practice
Evaluate the nature and impact of data protection incidents.
Outcome
Procedures for data protection incident management are regularly optimized across business ecosystem.
Metric
# of incidents evaluated and actioned to prevent future occurrence
Practice
Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
Outcome
Procedures for data protection aspects of incident management are regularly optimized across business ecosystem.
Metrics
- # Procedures regularly updated.
- % Procedures optimised.