Culture
Establish a personal data protection-aware culture. Inform stakeholders of key developments to build a shared understanding of how they can contribute to the realization of personal data protection objectives.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Culture at each level of maturity.
- 2Basic
- Practice
- Begin to raise awareness of how personal data protection activities contribute to the organization's objectives, and begin to offer incentives/rewards for achievement of those objectives.
- Outcome
- There is emerging visibility of how personal data protection activities contribute to the organization's objectives.
- Metrics
- % of employees with awareness of how personal data protection contributes to strategic objectives.
- % of employees receiving incentives/rewards.
- Practice
- Establish a basic approach for communicating the most significant personal data protection topics to stakeholders.
- Outcome
- Employees begin to understand key issues pertaining to personal data protection and can discuss their potential impacts.
- Metrics
- Frequency of personal data protection communications.
- % of employees receiving communications.
- 3Intermediate
- Practice
- Promote a common understanding of how personal data protection activities contribute to the achievement of the organization's objectives, and incentivize appropriate behaviours.
- Outcomes
- Awareness of the importance of personal data protection and acceptable behaviours grow among individual employees.
- Most employees understand how their behaviours and day-to-day activities can enhance or invalidate personal data protection efforts.
- Many employees are better motivated to support the realization of objectives.
- Metrics
- % of employees with awareness of how personal data protection contributes to strategic objectives.
- % of employees receiving incentives/rewards.
- Practice
- Standardize the approach that is used for regularly and consistently communicating key personal data protection topics to most stakeholders, and tailor the communications to their needs and interests.
- Outcome
- Visibility and awareness of personal data protection issues and their impacts are improved.
- Metrics
- Frequency of personal data protection communications.
- % of employees receiving communications.
- 4Advanced
- Practice
- Incentivize all relevant employees across the organization to robustly maintain personal data protection levels.
- Outcomes
- Employee behaviours reflect a strong personal data protection aware culture.
- Employees across the organization are fully aware of the importance of personal data protection and are strongly committed to working together to ensure data protection measures are effective.
- Metrics
- % of employees with awareness of how personal data protection contributes to strategic objectives.
- % of employees receiving incentives/rewards.
- Practice
- Proactively communicate personal data protection topics in a tailored manner to all relevant stakeholders across the organization.
- Outcomes
- Communication is in the context and language of the stakeholder.
- Broader visibility, awareness, and credibility of personal data protection issues are fostered, generating higher levels of interest for engaging in future activities.
- Metrics
- Frequency of personal data protection communications.
- % of employees receiving communications.
- 5Optimized
- Practice
- Incentivize all relevant employees to continually keep abreast of evolving personal data protection threats and other relevant trends.
- Outcomes
- Personal data protection activities are regarded as being part of everyone's job.
- Employees are enabled to continually detect security anomalies, and to quickly and safely raise alarms or invoke appropriate responses to personal data protection threats.
- Metrics
- % of employees with awareness of how personal data protection contributes to strategic objectives.
- % of employees receiving incentives/rewards.
- Practice
- Extend communication of personal data protection topics to the wider business ecosystem where relevant, and review the communication approach for improvement opportunities.
- Outcome
- The communications can be framed with discrete audiences in mind, down to the level of key individuals where appropriate.
- Metrics
- Frequency of personal data protection communications.
- % of employees receiving communications.
- % of business ecosystem partners receiving communications.