Monitoring, Reporting, and Enforcement
Establish appropriate measures for enforcing compliance and monitoring and reporting non-compliance with personal data protection policies, and for taking remedial action where necessary. Drive improvements based on lessons learned from incidents (e.g. data breaches and inappropriate or unauthorized data access) and near-incidents.
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Monitoring, Reporting, and Enforcement at each level of maturity.
- Level 2: Basic
  - Practice
    - Monitor a small set of personal data protection controls around sensitive personal data.
  - Outcome
    - Some key non-compliance issues can be identified.
  - Metrics
    - # of personal data protection anomalies detected.
    - # of data subject requests opened/closed.
  - Practice
    - Establish basic procedures for reporting, managing, and evaluating the impact of personal data protection incidents.
  - Outcomes
    - Basic procedures for personal data protection incident detection and handling are in use.
    - Basic counts of incidents can be reported, and key data protection vulnerabilities can be eliminated or mitigated.
  - Metrics
    - # of personal data protection incidents detected.
    - % of personal data protection incidents addressed following procedures.
    - Time to resolution of personal data protection incidents.
    - % of personal data protection incidents with impact reports.
- Level 3: Intermediate
  - Practice
    - Monitor and report on an agreed set of personal data protection controls/indicators across most areas of the business.
  - Outcome
    - Most non-compliance issues can be identified and addressed.
  - Metrics
    - % of agreed indicators reported.
    - # of personal data protection anomalies detected.
    - % of personal data protection anomalies remedied.
    - # of data subject requests opened/closed.
  - Practice
    - Establish a standardized approach across most areas of the business for reporting, managing, and evaluating the impact of personal data protection incidents.
  - Outcomes
    - Incident detection, handling, and reporting become more consistent and effective across most areas of the business.
    - Personal data protection aspects of incidents can be prioritized based on perceived risk and importance, and root causes are often identified.
  - Metrics
    - # of personal data protection incidents detected.
    - % of personal data protection incidents addressed following procedures.
    - Time to resolution of personal data protection incidents.
    - % of personal data protection incidents with impact reports.
- Level 4: Advanced
  - Practice
    - Monitor and report on a comprehensive set of personal data protection controls/indicators across the entire organization.
  - Outcome
    - All non-compliance issues can be identified and proactively addressed.
  - Metrics
    - % of agreed indicators reported.
    - # of personal data protection anomalies detected.
    - % of personal data protection anomalies remedied.
    - # of data subject requests opened/closed.
  - Practice
    - Use a comprehensive and systematic approach across the entire organization for reporting, managing, and evaluating the impact of personal data protection incidents.
  - Outcomes
    - Incident detection, handling, and reporting are rapid, consistent, and effective across the entire organization.
    - Root causes are typically identified and rectified.
  - Metrics
    - # of personal data protection incidents detected.
    - % of personal data protection incidents addressed following procedures.
    - Time to resolution of personal data protection incidents.
    - % of personal data protection incidents with impact reports.
- Level 5: Optimized
  - Practices
    - Continually review how data protection controls are monitored and reported to identify improvement opportunities.
    - Build advanced understanding of the report findings by leveraging the latest tools and technologies.
  - Outcomes
    - Monitoring and reporting on personal data protection controls reflect the latest best practices.
    - Comprehensive, user-configurable analysis tools aid insight and understanding from personal data protection reports.
  - Metric
    - Frequency of review and update of monitoring and reporting processes.
  - Practice
    - Continually review the procedures for incident management relating to personal data protection and improve them based on the latest research, emerging industry best practice, and insights from key business ecosystem partners.
  - Outcome
    - Procedures for incident management relating to personal data protection are regularly optimized based on new insights and lessons learned.
  - Metric
    - Frequency of review and update of incident management procedures.