IVI Framework Viewer

The Personal Data Protection (PDP) capability aims to protect personal data from unintended disclosure or use when it is acquired, used, retained, or disposed of.

• Comply with relevant data protection regulations.
• Develop and deploy data protection policies, systems, and controls for appropriate acquisition, use, retention and deletion/erasure of personal data.
• Manage timely communication and registration with statutory officers regarding data protection breaches and near incidents.
• Verify the effectiveness of data protection policies and controls.
• Develop, test, and deploy incident management processes and procedures.

The People Asset Management (PAM) capability helps ensure that the employees with the right skills and competences are available to support the achievement of organizational objectives.

Organizations are increasingly using personal information to create new products and services. However, this increases the potential for inappropriate or illegal use or disclosure of such information, which can result in legal difficulties and reputational damage.

In most jurisdictions, data protection is treated seriously, and breaches can result in directors and companies being fined. Legal instruments being used to enforce data protection extend beyond data privacy laws to include legal concepts such as breach of trust, breach of contract, duty of care, and negligence.

Individuals are increasingly aware of their rights under data protection legislation, and of the risks associated with sharing their personal information. They expect organizations with which they share their information to have appropriate data protection policies and practices. Those who seek legal redress for inappropriate disclosure of their personal information are successful in approximately fifty percent of cases¹².

Shareholders are also holding directors accountable for reputational damage and loss of share value arising from poor data protection practices.

Many organizations are unable to detect when or where their data systems have been breached. The FBI, banks, and credit card companies notify thousands of businesses each year that their data systems have been compromised³.

By developing an effective Personal Data Protection (PDP) capability, the organization can reduce its exposure to the risks associated with handling personal data, while ensuring its compliance with relevant legislation and enhancing its reputation.

Personal data differs from other business data in that its ownership lies with the person to whom it refers and not the custodian company. This confers rights on the data subject, including the right to the privacy of the data. The custodian can vindicate the data subjects' right to privacy partly by protecting data from unauthorised access through access controls and other protection approaches, such as firewalls and physical isolation. Such measures (discussed in chapter 22, Information Security Management (ISM)), are designed to safeguard all data and information, while ‘data protection’ as discussed in this chapter refers primarily to the additional measures needed to protect personal or sensitive personal data, and to satisfy the legal obligations imposed on the custodian.

The Personal Data Protection (PDP) capability is the ability to develop, deploy, and implement policies, systems, and controls for processing personal and sensitive personal data relating to living persons in all digital, automated, and manual forms. It ensures that the organization safeguards the right to privacy of individuals whose information it holds, and that the organization uses personal data strictly for legitimate business purposes.

Policies, systems, and controls encompass and give effect to relevant standards and regulations, which may differ from country to country. The organization must consider the jurisdictions in which the data is acquired, processed, stored, and in some cases through which it is transmitted to identify what regulations are relevant.

The Personal Data Protection (PDP) capability covers:

• Processing personal data throughout its life-cycle.
• Maintaining the quality and integrity of personal data.
• Identifying and communicating data protection regulations and standards.
• Raising awareness and establishing a privacy culture.
• Managing data protection relationships and agreements with third parties.
• Communicating information (on database registrations, data breaches, audit data and so on) with statutory data protection officers.
• Managing data privacy risks and conducting privacy impact analysis assessments.
• Managing data subject rights.
• Identifying and applying applicable data protection standards and regulations.
• Verifying the effectiveness of data protection policies.

Representative POMs are described for PDP at each level of maturity.

2Basic

• Practice

  Raise awareness and provide job-specific personal data protection training.

  Outcome

  Staff understanding of the need to safeguard personal data grows, which reduces the risk of careless disclosure.

  Metric

  Percentage of staff with data protection training.

• Practice

  Allocate roles and responsibilities for personal data protection (for example, data protection officer) across key functions.

  Outcome

  Responsibilities and accountabilities are increasingly transparent, facilitating the effective management of data protection activities.

  Metric

  Percentage of data protection roles filled in key functions.

• Practice

  Document approaches to ensuring that personal data is used only for the purposes for which it was collected.

  Outcome

  There is increased confidence that personal data is used only for appropriate and compliant purposes.

  Metric

  Number of violations in the use of personal data (per time period).

• Practice

  Establish criteria for determining whether privacy impact assessments and/or other privacy risk analyses are required on technology-related projects.

  Outcome

  Appropriate risk analysis tools and techniques are applied and are more likely to produce good data privacy management outcomes.

  Metric

  Number and percentage of technology-related projects where privacy impact analysis has been completed.

3Intermediate

• Practice

  Communicate consistently to staff and external partners to raise awareness of personal data protection policies, procedures, and controls.

  Outcomes

  • Staff are aware of and adhere to the policies and procedures for data protection.
  • Detection of anomalies is easier where practices, processes and procedures are consistent.

  Metric

  Number of staff-related data protection incidents and compliance issues.

• Practice

  Implement feedback loops (such as a metrics dashboard, or traffic signal summation) to alert management of personal data protection violations or non-compliance issues.

  Outcomes

  • Feedback loops are effective in accelerating process, tool and practice improvements.
  • Organization effectiveness improves at an accelerated pace.

  Metric

  Elapsed time from the detection of an issue to the implementation of a remedy preventing its re-occurrence.

• Practice

  Audit the effectiveness of the approaches taken to personal data protection.

  Outcome

  Issues identified in audits help to improve processes and procedures, and to identify areas where automation or additional training might be beneficial.

  Metric

  Number of issues detected in audit and time to closure for those issues.

4Advanced

• Practices

  • Promote consistent data management processes, procedures, tools and techniques organization-wide.
  • Use feedback metrics, audit reports, stakeholder feedback, and lean and agile techniques to streamline processes.

  Outcome

  The use of more consistent processes, procedures, tools, and techniques reduces risk and cost.

  Metric

  Level of organization-wide consistency in data management processes, procedures, tools and techniques.

• Practice

  Mandate privacy impact analysis (and related privacy risk analysis) in all system reviews, and project, programme, and change management processes throughout the organization.

  Outcomes

  • Privacy impact analyses conducted prior to or during systems design or development can identify ways of preventing data protection issues from arising.
  • These can be incorporated into the planned services before going live.

  Metric

  The number of and trends for potential issues identified and averted or mitigated using privacy impact analyses.

5Optimized

• Practice

  Keep up to date with the latest research on the protection of personal data, and implement best known practice.

  Outcomes

  • The organization is highly confident that it is doing its best to prevent breaches and protect stakeholders' interests.
  • When the organization can demonstrate that it is a champion and an advocate of personal data protection, claims for breach of trust, duty of care or similar legal measures are less likely to succeed.

  Metric

  The number of data protection research initiatives and industry collaborations being pursued or investigated.

• Practice

  Continually encourage relevant business ecosystem partners to adopt good data protection practices.

  Outcomes

  • Increased confidence that business ecosystem partners with which you share information adhere to high standards.
  • Reduced risk of legal action or reputational damage arising from work with business partners.

  Metric

  The number and trends of incidents in relevant business ecosystem partners.

This capability was introduced in Revision 16 as a new critical capability.

It was deprecated in Revision 18.07, being updated by Personal Data Protection (18.07).

The following CCs cover topics that are related to PDP in some way:

EAMEnterprise Architecture Management

Security, data and information, and storage architecture models

EIMEnterprise Information Management

Information models and access controls

EIMEnterprise Information Management

Processing and analysis of non-personal data

ISMInformation Security Management

Information security plans and personal data protection features, such as access controls.

ISMInformation Security Management

Securing the physical and logical protection of infrastructure and systems

ITGIT Leadership and Governance

Establishing governance criteria and structures for general decision-making

KAMKnowledge Asset Management

Leveraging the collective knowledge across the organization

RMRisk Management

Managing general IT-related risk

RMRisk Management

Organization-wide risk register, often inclusive of data protection risks

SRPService Provisioning

Service catalogue indicating those services that process personal data

SUMSupplier Management

Qualified vendor lists, data contracts, and supplier agreements