IVI Framework Viewer

Information Life Cycles

C4

Provide input to information life cycle planning to identify, acquire, process, store, and/or destroy personal data in line with business, regulatory, and legal requirements and risks. Conduct privacy impact assessments at the planning stage of new or large change projects, and consider the potential damage or harm to both the data subject and the organization in whose custody the information has been placed.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Information Life Cycles at each level of maturity.

2 Basic
  • Practice
    Draft basic data protection and security classification guidelines.
    Outcome
    Sensitivity of the data is beginning to be reflected in data protection and security classification guidance.
    Metrics
    • # of data classifications in use.
    • % of data classifications with defined access controls.
  • Practice
    Define basic business information life cycles to manage some personal data.
    Outcome
    Some basic business information life cycles can be used at process and/or function level to support management of personal data.
    Metric
    % of personal data addressed using life cycle management approaches.
  • Practice
    Conduct basic checklist privacy impact assessments on a default basis.
    Outcome
    Privacy impact analysis begins to inform the different information life cycles that should be used to manage personal data.
    Metric
    % of personal data fields for which a privacy impact assessment has been completed.
3 Intermediate
  • Practice
    Ensure most areas of the business jointly develop detailed data protection and security classification guidelines for all personal data.
    Outcome
    Appropriate data protection and security classifications exist for all personal data.
    Metrics
    • # of data classifications in use.
    • % of data classifications with defined access controls.
  • Practice
    Define life cycles for all personal data.
    Outcome
    All personal data is managed using standardized information life cycles.
    Metric
    % of personal data addressed using life cycle management approaches.
  • Practice
    Conduct privacy impact assessments on an increasing number of initiatives that involve the use of personal data (e.g. all new or change projects).
    Outcome
    A comprehensive privacy impact analysis is available for new or change projects that use personal data, enabling more informed decisions to be made on their viability and personal data protection risks.
    Metric
    % of personal data fields for which a privacy impact assessment has been completed.
4 Advanced
  • Practice
    Consistently implement the data protection and security classification guidelines across the entire organization.
    Outcome
    Appropriate data protection and security classifications are consistently implemented for all personal data.
    Metrics
    • # of data classifications in use.
    • % of data classifications with defined access controls.
  • Practice
    Manage all personal data using parallel life cycles — for example, business transaction processing, consumer profiling, and anonymized marketing analysis life cycles.
    Outcomes
    • A multi-life cycle management capability is supported.
    • All personal data is managed using parallel life cycles.
    Metric
    % of personal data addressed using life cycle management approaches.
  • Practice
    Conduct privacy impact assessments on almost all initiatives that involve the use of personal data (e.g. all business-as-usual processes).
    Outcome
    A comprehensive privacy impact analysis is available for all business-as-usual processes that use personal data, enabling more informed decisions to be made on their viability and personal data protection risks.
    Metric
    % of personal data fields for which a privacy impact assessment has been completed.
5 Optimized
  • Practice
    Continually review data protection and security classification guidelines for improvement opportunities.
    Outcome
    Data protection and security classification guidelines are optimized for various data life cycles.
    Metric
    Frequency of review and update to data protection and security classification guidelines.
  • Practice
    Ensure life cycle management approaches are self-auditing, tamper-proof, and adaptive.
    Outcomes
    • The life cycles are adaptive and self-auditing.
    • Self-auditing systems can trigger an appropriate response to an audit violation; adaptive processes can, for example, modify themselves based on the quality of the data by adding more quality checks at the point of entry or initial integrity checks.
    Metric
    Frequency of review and update of personal data life cycle management approaches.
  • Practices
    • Continually review all privacy impact assessments and keep them up to date with existing legislation and regulations.
    • Issue automated notifications in the event that a new personal data protection risk is identified for a current business-as-usual process.
    Outcome
    All privacy impact assessments are continually monitored and kept up to date and relevant with existing legislation and regulations.
    Metric
    % of privacy impact assessments that are continually reviewed and kept up to date.