IVI Framework Viewer

Strategy, Policies, and Controls

A1

Establish a strategy for protecting personal data. Design, develop, and maintain personal data protection policies and controls that comply with relevant data protection standards, regulations, and laws, and that align with the organization's business model and objectives. Promote and drive personal data protection compliance.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Strategy, Policies, and Controls at each level of maturity.

2Basic
  • Practice
    Begin to undertake some strategic planning activities in relation to protecting personal data.
    Outcome
    Planning and oversight for personal data protection is basic, but the planning activities provide a foundation and initial direction for protecting personal data.
    Metric
    % of managers engaged in strategic planning for personal data protection.
  • Practice
    Identify national data protection requirements.
    Outcome
    National data protection requirements can be considered in the organization's data protection activities.
    Metrics
    • % of identified regulatory and legislative instruments reflected in the personal data protection policies and procedures.
    • % of identified standards reflected in the personal data protection policies and procedures.
  • Practices
    • Establish and maintain some basic personal data protection policies and controls.
    • Embrace the concepts of data protection by design and by default in the design, development, and use of some key processes, products, services, and applications.
    Outcomes
    • Some personal data protection policies and controls incorporate relevant national data protection legislative criteria to help safeguard personal data in the organization's custody.
    • Data protection is starting to be considered in the design, development, and use of some key processes, products, services, and applications.
    Metrics
    • Existence of personal data protection policies and controls.
    • % of identified regulatory or legislative instruments addressed in the personal data protection policies and controls.
    • % of processes, products, services, and applications for which data protection by design and by default is embraced.
  • Practice
    Ensure local leaders and champions promote the importance of information management and personal data protection.
    Outcome
    There is growing transparency of any non-compliance with personal data protection policies and controls.
    Metrics
    • % of managers actively supporting personal data protection activities.
    • # of non-compliance occurrences with personal data protection policies and controls.
3Intermediate
  • Practice
    Agree on and implement a personal data protection strategy across most areas of the business.
    Outcome
    A clear and consistent direction in relation to protecting personal data is understood and supported across most areas of the business.
    Metric
    % of employees and business units adhering to the personal data protection strategy.
  • Practice
    Identify all relevant national and international standards, and regulatory and legislative data protection requirements.
    Outcomes
    • All relevant national and international standards and regulatory and legislative data protection requirements can be taken into account in the organization's data protection activities.
    • The legal implications of data transfers across national boundaries are understood.
    Metrics
    • % of identified regulatory and legislative instruments reflected in the personal data protection policies and procedures.
    • % of identified standards reflected in the personal data protection policies and procedures.
  • Practices
    • Agree on and enforce a universal set of personal data protection policies and controls across most areas of the business, that are informed by relevant data protection standards, regulations, and laws, and the business's data protection objectives.
    • Embrace the concepts of data protection by design and by default in the design, development, and use of most processes, products, services, and applications.
    Outcomes
    • Personal data protection policies and controls are enforced across most areas of the business, thereby reducing the likelihood of personal data protection breaches or violations.
    • Data protection is considered in the design, development, and use of most processes, products, services, and applications.
    Metrics
    • % of identified regulatory or legislative instruments addressed in the personal data protection policies and controls.
    • % of processes, products, services, and applications for which data protection by design and by default is embraced.
  • Practice
    Ensure IT and business leadership promote the importance of information management and personal data protection, and document most instances of non-compliance with personal data protection policies and controls.
    Outcomes
    • The leadership team supports the development of the organization's information management and personal data protection capabilities.
    • Instances of non-compliance with personal data protection policies and controls are transparent and increasingly give rise to retrospective remedial actions.
    Metrics
    • % of managers actively supporting personal data protection activities.
    • # of non-compliance occurrences with personal data protection policies and controls.
4Advanced
  • Practice
    Implement the personal data protection strategy across the entire organization, and ensure senior executive oversight of the process.
    Outcome
    A clear and consistent direction in relation to protecting personal data is understood and supported across the entire organization.
    Metric
    % of employees and business units adhering to the personal data protection strategy.
  • Practice
    Build awareness of legal precedents and interpretations of all relevant standards, regulatory, and legislative instruments.
    Outcome
    Legal precedents and interpretations of all relevant standards, regulatory, and legislative instruments are understood, and can be considered in the organization's data protection activities.
    Metrics
    • % of identified regulatory and legislative instruments reflected in the personal data protection policies and procedures.
    • % of identified standards reflected in the personal data protection policies and procedures.
    • # of policy or procedure changes initiated by precedent cases.
  • Practices
    • Periodically update the personal data protection policies and controls in line with evolving risk, technical factors, and business objectives, and enforce their use across the organization.
    • Fully embrace the concepts of data protection by design and by default in the design, development, and use of all processes, products, services, and applications.
    Outcomes
    • Personal data protection policies and controls are periodically improved and their enforcement across the entire organization minimizes the likelihood of personal data protection breaches or violations.
    • Data protection is considered in the design, development, and use of all processes, products, services, and applications.
    Metrics
    • Frequency of review and update of the personal data protection policies and controls.
    • % of processes, products, services, and applications for which data protection by design and by default is embraced.
  • Practice
    Ensure senior leadership promotes and drives personal data protection compliant ways of doing business across the entire organization, and document all instances of non-compliance with personal data protection policies and controls.
    Outcomes
    • Senior leadership is fully committed to the development of the organization's information management and personal data protection capabilities.
    • Instances of non-compliance with personal data protection policies and controls are transparent and increasingly give rise to proactive remedial actions.
    Metrics
    • % of managers actively supporting personal data protection activities.
    • # of non-compliance occurrences with personal data protection policies and controls.
5Optimized
  • Practice
    Continually align the personal data protection strategy with the business strategy through frequent review and focused improvement.
    Outcome
    The personal data protection strategy is kept up to date, relevant, and aligned with the business strategy.
    Metric
    Frequency of review of the personal data protection strategy.
  • Practice
    Continually remain abreast of changes in standards and regulatory and legislative data protection requirements, and contribute to these in public consultation phases and in key special interest groups.
    Outcome
    The organization is aware of pending standards and regulatory and legislative changes, and can readily interpret their implications and reflect their requirements in the organization's data protection activities.
    Metrics
    • # of contributions to emerging standards, and regulatory and legislative instruments.
    • # of emerging standards, and regulatory and legislative instruments being monitored.
  • Practice
    Continually update the personal data protection policies and controls in line with the latest data protection standards, regulations, and laws, and with evolving business needs.
    Outcomes
    • Personal data protection policies and controls are flexible and agile.
    • Personal data protection breaches or violations are rare.
    Metric
    Frequency of review and update of the personal data protection policies and controls.
  • Practice
    Ensure senior leadership actively and visibly promotes and drives personal data protection compliant ways of doing business, both internally and with external business partners.
    Outcomes
    • Non-compliance is rare.
    • The organization may be regarded as an industry leader in driving data protection compliance.
    Metrics
    • % of managers actively supporting personal data protection activities.
    • # of non-compliance occurrences with personal data protection policies and controls.
    • # of publications and/or speakers at events which promote personal data protection practices.