IVI Framework Viewer

Personal Data Acquisition and Purpose

C2

Develop and implement approaches to obtaining data subjects' consent, giving fair notice, acquiring personal data, and processing personal data fairly.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Personal Data Acquisition and Purpose at each level of maturity.

1 Initial
  • Practice
    Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    Outcome
    Privacy impact assessments (if any) take place in an ad hoc manner.
  • Practice
    Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    Outcome
    Basic checklist privacy impact assessments are conducted on a default basis.
    Metric
    % personal data fields for which a privacy impact assessment has been completed.
2 Basic
  • Practice
    Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    Outcome
    Comprehensive privacy impact assessments are conducted on all new or change projects that touch personal data.
    Metric
    % personal data fields for which a privacy impact assessment has been completed.
  • Practice
    Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    Outcomes
    • All business as usual processes are evaluated through privacy impact assessments.
    • Privacy impact assessment process is regularly reviewed and improved.
    Metric
    % personal data fields for which a privacy impact assessment has been completed.
3 Intermediate
  • Practice
    Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    Outcomes
    • All privacy impact assessments are continuously monitored and kept up to date with existing legislation.
    • Automated notifications are issued in the event that a new data protection risk is identified with a current business as usual process.
    Metric
    % privacy impact assessments that are continuously and, where possible, automatically monitored.
  • Practice
    Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    Outcome
    Data classification guidelines are defined for personal and sensitive personal data, but this is typically ad hoc (if at all).
4 Advanced
  • Practice
    Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    Outcome
    Control measure guidance is appropriate to the sensitivity of the data.
    Metrics
    • # data classifications in use.
    • % data classifications with defined access controls.
  • Practice
    Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    Outcome
    IT and business units work jointly on developing data classification guidelines for all personal and sensitive personal data assets.
    Metrics
    • # data classifications in use.
    • % data classifications with defined access controls.
5 Optimized
  • Practice
    Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    Outcome
    Data protection and security classification guidelines are implemented and regularly improved enterprise-wide.
    Metrics
    • # data classifications in use.
    • % data classifications with defined access controls.
  • Practice
    Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    Outcome
    Data protection and security classification guidelines are optimized for various data lifecycles.
    Metric
    # updates on best practice and regulatory guidelines on data classifications.