IVI Framework Viewer

Monitoring, Reporting, and Enforcement

A3

Establish appropriate measures for monitoring and reporting of non-compliance with personal data protection policies and of the remedial actions taken. Drive improvements based on lessons learned from incidents and near-incidents.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Monitoring, Reporting, and Enforcement at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff for incident handling.
    Outcome
    Data protection incident management processes (if any) are considered ad hoc.
  • Practice
    Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
    Outcome
    Data protection monitoring and reporting (if any) are ad hoc.
  • Practice
    Evaluate the nature and impact of data protection incidents.
    Outcome
    Data protection incident management processes (if any) are considered ad hoc.
  • Practice
    Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
    Outcome
    Data protection incident management processes (if any) are considered ad hoc.
2 Basic
  • Practice
    Draft procedures for handling incidents and near-incidents.
    Outcome
    Basic procedures for data protection incident detection and handling are in use.
    Metric
    % data protection incidents addressed following processes and procedures.
  • Practice
    Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
    Outcome
    Basic counts of typical events and data subject requests are reported.
    Metrics
    • # Data protection anomalies.
    • # Data subject requests opened/closed.
  • Practice
    Evaluate the nature and impact of data protection incidents.
    Outcome
    Basic procedures for data protection incident detection and handling are in use.
    Metric
    % data protection incidents with impact reports.
  • Practice
    Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
    Outcome
    Data protection vulnerabilities identified from analysis of the feedback are eliminated or mitigated using protection methods and processes.
    Metrics
    • # Vulnerabilities identified in incident feedback reports.
    • % of incident-identified vulnerabilities addressed.
3 Intermediate
  • Practice
    Establish and implement procedures for handling incidents and near-incidents.
    Outcome
    Incident handling is consistent and professional.
    Metrics
    • % data protection incidents addressed following processes and procedures.
    • # time to resolution of data protection incidents.
  • Practice
    Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
    Outcome
    An agreed set of indicators is monitored and reported for IT and some other business units.
    Metrics
    • # agreed indicators reported.
    • # anomalies detected.
    • # data subject requests opened/closed.
  • Practice
    Evaluate the nature and impact of data protection incidents.
    Outcomes
    • Data protection incidents are prioritized based on perceived risk and importance.
    • Root cause analysis is completed.
    Metric
    % data protection incidents with impact reports.
  • Practice
    Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
    Outcomes
    • Data protection aspects of incidents are prioritized based on perceived risk and importance.
    • Root cause analysis is completed.
    Metrics
    • # Vulnerabilities identified in incident feedback reports.
    • % of incident-identified vulnerabilities addressed.
4 Advanced
  • Practice
    Manage and improve procedures for handling incidents and near-incidents.
    Outcomes
    • Incident handling is rapid, consistent, professional, and improved based on lessons learned.
    • Root causes are usually identified and rectified.
    Metrics
    • % data protection incidents addressed following processes and procedures.
    • # Time to resolution of data protection incidents.
  • Practice
    Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
    Outcome
    A comprehensive set of monitoring capabilities exists, facilitating data protection reports with a complete metrics set organization-wide.
    Metrics
    • # agreed indicators reported.
    • # anomalies detected.
    • # data subject requests opened/closed.
  • Practice
    Evaluate the nature and impact of data protection incidents.
    Outcome
    A systematic approach to addressing data protection incidents is used and regularly improved organization-wide.
    Metric
    % data protection incidents with impact reports.
  • Practice
    Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
    Outcome
    A systematic approach to addressing data protection aspects of incidents is used and regularly improved organization-wide.
    Metrics
    • # Vulnerabilities identified in incident feedback reports.
    • % of incident-identified vulnerabilities addressed.
5 Optimized
  • Practice
    Optimize procedures for handling incidents and near-incidents using the latest research and emerging best practice.
    Outcome
    Procedures for data protection incident management are regularly optimized across the business ecosystem.
    Metrics
    • % Incidents identified that are corrected.
    • # Near incidents identified.
  • Practice
    Establish appropriate monitoring of data protection policy compliance and act on non-compliance issues.
    Outcome
    Comprehensive self-service analysis tools aid insight and understanding from data protection reports.
    Metric
    # Non-compliance issues identified by automated checks and actioned.
  • Practice
    Evaluate the nature and impact of data protection incidents.
    Outcome
    Procedures for data protection incident management are regularly optimized across the business ecosystem.
    Metric
    # Incidents evaluated and actioned to prevent future occurrence.
  • Practice
    Support protection of the organization by providing feedback and reports on data protection aspects of incidents.
    Outcome
    Procedures for data protection aspects of incident management are regularly optimized across the business ecosystem.
    Metrics
    • # Procedures regularly updated.
    • % Procedures optimised.