Personal Data Acquisition and Purpose
Develop and implement approaches to obtaining data subjects' consent, giving fair notice, acquiring personal data, and processing personal data fairly.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Personal Data Acquisition and Purpose at each level of maturity.
- Level 1: Initial
  - Practice: Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    - Outcome: Privacy impact assessments (if any) take place in an ad hoc manner.
  - Practice: Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    - Outcome: Basic checklist privacy impact assessments are conducted on a default basis.
    - Metric: % of personal data fields for which a privacy impact assessment has been completed.
- Level 2: Basic
  - Practice: Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    - Outcome: Comprehensive privacy impact assessments are conducted on all new or change projects that touch personal data.
    - Metric: % of personal data fields for which a privacy impact assessment has been completed.
  - Practice: Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    - Outcomes:
      - All business-as-usual processes are evaluated through privacy impact assessments.
      - The privacy impact assessment process is regularly reviewed and improved.
    - Metric: % of personal data fields for which a privacy impact assessment has been completed.
- Level 3: Intermediate
  - Practice: Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    - Outcomes:
      - All privacy impact assessments are continuously monitored and kept up to date with existing legislation.
      - Automated notifications are issued in the event that a new data protection risk is identified with a current business-as-usual process.
    - Metric: % of privacy impact assessments that are continuously and, where possible, automatically monitored.
  - Practice: Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    - Outcome: Data classification guidelines are defined for personal and sensitive personal data, but they are typically ad hoc (if they exist at all).
- Level 4: Advanced
  - Practice: Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    - Outcome: Control measure guidance is appropriate to the sensitivity of the data.
    - Metrics:
      - # of data classifications in use.
      - % of data classifications with defined access controls.
  - Practice: Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    - Outcome: IT and business units work jointly on developing data classification guidelines for all personal and sensitive personal data assets.
    - Metrics:
      - # of data classifications in use.
      - % of data classifications with defined access controls.
- Level 5: Optimized
  - Practice: Control personal data processing so that it is only processed for the specific purposes for which it was acquired.
    - Outcome: Data protection and security classification guidelines are implemented and regularly improved enterprise-wide.
    - Metrics:
      - # of data classifications in use.
      - % of data classifications with defined access controls.
  - Practice: Develop, document and utilize processes to manage consent, fair notice, and methods of acquisition.
    - Outcome: Data protection and security classification guidelines are optimized for the various data lifecycles.
    - Metric: # of updates on best practice and regulatory guidelines on data classifications.