IVI Framework Viewer

Personal Data Acquisition and Purpose

C2

Establish approaches to obtain data subject consent, provide fair notice, and manage the acquisition and lawful, fair, and transparent processing of personal data for explicit and legitimate purposes.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Personal Data Acquisition and Purpose at each level of maturity.

2Basic
  • Practice
    Draft a personal data acquisition policy and basic guidelines for obtaining consent and providing fair notice.
    Outcome
    Guidance on acquiring personal data is emerging.
    Metrics
    • Existence of a personal data acquisition policy.
    • % of personal data acquisition methods using the concept of fair notice.
    • % of data records with consent recorded.
  • Practice
    Define specific and legitimate purposes for personal data processing, and advise data subjects of these in new acquisition methods.
    Outcome
    Data subjects are made aware of the specific and legitimate purposes for which their data can be used in new data acquisitions.
    Metric
    % of data subjects made aware of the specified purpose for data processing.
3Intermediate
  • Practice
    Develop a standardized personal data acquisition policy, outlining the obtaining of data subject consent, the provision of fair notice, and personal data acquisition processes.
    Outcome
    Personal data acquisition follows appropriate policies and processes in most instances.
    Metrics
    • % of personal data acquisition methods using the concept of fair notice.
    • % of data records with consent recorded.
  • Practices
    • Define and communicate specific and legitimate purposes for personal data processing and seek data subject permissions, as appropriate, in all acquisition methods.
    • Conduct audit trails.
    Outcomes
    • Data subjects are made aware of the specific and legitimate purposes for which their data can be used in all data acquisitions.
    • Audit trails assist audit and enforcement actions with direct traceability between processing and specified purposes possible in most instances.
    Metrics
    • % of data subjects made aware of the specified purpose for data processing.
    • # of views exposing personal data fields at each specified purpose life cycle stage.
    • % of views exposing personal data in uses other than the specified purpose uses.
4Advanced
  • Practice
    Implement policy compliant personal data acquisition processes across the entire organization and periodically review them for improvement opportunities.
    Outcome
    Personal data acquisition follows appropriate policies and processes in all instances.
    Metrics
    • % of personal data acquisition methods utilizing the concept of fair notice.
    • % of data records with consent recorded.
    • Frequency of review and update of personal data acquisition processes.
  • Practices
    • Execute and periodically improve sophisticated and transparent personal data fair processing procedures across the organization.
    • Communicate secondary uses for the data, with appropriate consent management.
    Outcomes
    • Fair processing policies and procedures are effective across the entire organization.
    • Direct traceability between processing and specified purposes is possible in all instances.
    • Communication of secondary uses for the data, with appropriate consent management, allows data subjects to opt in or out of such uses.
    Metrics
    • % of data subjects made aware of the specified purpose for data processing.
    • % of data subjects made aware of secondary uses of the data.
    • # of views exposing personal data fields at each specified purpose life cycle stage.
    • % of views exposing personal data in uses other than the specified purpose uses.
5Optimized
  • Practice
    Extend policy compliant personal data acquisition processes to relevant business ecosystem partners, and continually review them to ensure compliance with changing regulatory requirements and to identify improvement opportunities.
    Outcome
    Personal data acquisition processes are industry exemplars and are always in compliance with changing regulatory requirements.
    Metrics
    • % of personal data acquisition methods using the concept of fair notice.
    • % of data records with consent recorded.
    • Frequency of review and update of personal data acquisition processes.
  • Practices
    • Extend personal data fair processing procedures to relevant business ecosystem partners.
    • Continually review them to ensure compliance with changing regulatory requirements and to identify improvement opportunities.
    Outcomes
    • Fair processing policies and procedures are optimized and executed across the business ecosystem.
    • Direct traceability between processing and specific purposes is possible across the business ecosystem.
    Metrics
    • Frequency of review and update to personal data fair processing procedures.
    • # of audits on specified purpose usage throughout the business ecosystem.