IVI Framework Viewer

Monitoring, Reporting, and Enforcement

A3

Establish appropriate measures for enforcing compliance with personal data protection policies, for monitoring and reporting non-compliance, and for taking remedial action where necessary. Drive improvements based on lessons learned from incidents (e.g. data breaches and inappropriate or unauthorized data access) and near-incidents.

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Monitoring, Reporting, and Enforcement at each level of maturity.

2 Basic
  • Practice
    Monitor a small set of personal data protection controls around sensitive personal data.
    Outcome
    Some key non-compliance issues can be identified.
    Metrics
    • # of personal data protection anomalies detected.
    • # of data subject requests opened/closed.
  • Practice
    Establish basic procedures for reporting, managing, and evaluating the impact of personal data protection incidents.
    Outcomes
    • Basic procedures for personal data protection incident detection and handling are in use.
    • Basic counts of incidents can be reported, and key data protection vulnerabilities can be eliminated or mitigated.
    Metrics
    • # of personal data protection incidents detected.
    • % of personal data protection incidents addressed following procedures.
    • Time to resolution of personal data protection incidents.
    • % of personal data protection incidents with impact reports.
3 Intermediate
  • Practice
    Monitor and report on an agreed set of personal data protection controls/indicators across most areas of the business.
    Outcome
    Most non-compliance issues can be identified and addressed.
    Metrics
    • % of agreed indicators reported.
    • # of personal data protection anomalies detected.
    • % of personal data protection anomalies remedied.
    • # of data subject requests opened/closed.
  • Practice
    Establish a standardized approach across most areas of the business for reporting, managing, and evaluating the impact of personal data protection incidents.
    Outcomes
    • Incident detection, handling, and reporting become more consistent and effective across most areas of the business.
    • Personal data protection aspects of incidents can be prioritized based on perceived risk and importance, and root causes are often identified.
    Metrics
    • # of personal data protection incidents detected.
    • % of personal data protection incidents addressed following procedures.
    • Time to resolution of personal data protection incidents.
    • % of personal data protection incidents with impact reports.
4 Advanced
  • Practice
    Monitor and report on a comprehensive set of personal data protection controls/indicators across the entire organization.
    Outcome
    All non-compliance issues can be identified and proactively addressed.
    Metrics
    • % of agreed indicators reported.
    • # of personal data protection anomalies detected.
    • % of personal data protection anomalies remedied.
    • # of data subject requests opened/closed.
  • Practice
    Use a comprehensive and systematic approach across the entire organization for reporting, managing, and evaluating the impact of personal data protection incidents.
    Outcomes
    • Incident detection, handling, and reporting are rapid, consistent, and effective across the entire organization.
    • Root causes are typically identified and rectified.
    Metrics
    • # of personal data protection incidents detected.
    • % of personal data protection incidents addressed following procedures.
    • Time to resolution of personal data protection incidents.
    • % of personal data protection incidents with impact reports.
5 Optimized
  • Practices
    • Continually review how data protection controls are monitored and reported to identify improvement opportunities.
    • Build an advanced understanding of report findings by leveraging the latest tools and technologies.
    Outcomes
    • Monitoring and reporting on personal data protection controls reflect the latest best practices.
    • Comprehensive, user-configurable analysis tools aid insight and understanding of personal data protection reports.
    Metric
    Frequency of review and update on monitoring and reporting processes.
  • Practice
    Continually review the procedures for incident management relating to personal data protection and improve them based on the latest research, emerging industry best practice, and insights from key business ecosystem partners.
    Outcome
    Procedures for incident management relating to personal data protection are regularly optimized based on new insights and lessons learned.
    Metric
    Frequency of review and update to incident management procedures.