Personal Data Protection
The Personal Data Protection (PDP) capability is the ability to develop and deploy policies, systems, and controls for processing personal and sensitive personal data relating to living persons in all digital, automated, and manual forms. It ensures that the organization safeguards the right to privacy of individuals whose information it holds, and that the organization uses personal data strictly for specified purposes agreed with the data subjects.
Structure
PDP is made up of the following Categories and CBBs. Maturity and Planning are described at both the CC and the CBB level.
- A: Governance, Management, and Oversight
  - A1: Strategy, Policies, and Controls
    Establish a strategy for protecting personal data. Design, develop, and maintain personal data protection policies and controls that comply with relevant data protection standards, regulations, and laws, and that align with the organization's business model and objectives. Promote and drive personal data protection compliance.
  - A2: Supplier Management
    Define personal data protection qualification criteria for identifying and validating suppliers, and select suppliers who are committed to observing the organization's personal data protection obligations. Draft and agree the data processor contract, and manage contract compliance with the suppliers.
  - A3: Monitoring, Reporting, and Enforcement
    Establish appropriate measures for enforcing compliance and monitoring and reporting non-compliance with personal data protection policies, and for taking remedial action where necessary. Drive improvements based on lessons learned from incidents (e.g. data breaches and inappropriate or unauthorized data access) and near-incidents.
- B: People
  - B1: Data Subject Rights Management
    Manage requests by data subjects to access their personal data held by the organization (including the purposes for which it is held and to whom it may be disclosed), and to rectify or erase inaccurate data. Check that the communication channels and agents are authorized by the data subject.
  - B2: Roles, Responsibilities, and Accountabilities
    Complete job and business process designs to identify the required roles for personal data protection tasks, and assign employees with the requisite knowledge and experience to the identified roles. Define and allocate the associated personal data protection responsibilities and accountabilities.
  - B3: Skills and Competence Development
    Establish and make available a personal data protection training curriculum and other employee developmental mechanisms to ensure employees have the required skills and competences.
  - B4: Culture
    Establish a personal data protection-aware culture. Inform stakeholders of key developments to build a shared understanding of how they can contribute to the realization of personal data protection objectives.
- C: Processing
  - C1: Risk, Security, and Access Rights Management
    Establish and communicate personal data risk criteria, security criteria, and access rights controls (based on the life cycle state).
  - C2: Personal Data Acquisition and Purpose
    Establish approaches to obtain data subject consent, provide fair notice, and manage the acquisition and lawful, fair, and transparent processing of personal data for explicit and legitimate purposes.
  - C3: Personal Data Adequacy and Accuracy
    Ensure that personal data is only used and disclosed in line with the purposes for which it was acquired, and that the data held is adequate, relevant, and limited to what is necessary to meet those purposes. Monitor the quality of personal data held and remedy any data quality issues.
  - C4: Information Life Cycles
    Provide input to information life cycle planning to identify, acquire, process, store, and/or destroy personal data in line with business, regulatory, and legal requirements and risks. Conduct privacy impact assessments at the planning stage of new or large change projects, and consider the potential damage or harm to both the data subject and the organization in whose custody the information has been placed.
  - C5: Personal Data Retention and Destruction
    Develop and implement controls to verify that personal data is not retained beyond the time specified in data retention policies. Destroy data media (all forms — paper, digital, DNA encoded etc.) at the end of the data's life cycle and ensure that obsolete (or deleted) personal data is not inappropriately restored.
Overview
Goal & Objectives
An effective Personal Data Protection (PDP) capability aims to:
- Comply with relevant data protection regulations.
- Manage the growing complexities of protecting personal data in the digital business context.
- Develop and deploy data protection policies, systems, and controls for appropriate acquisition, use, retention, and deletion/destruction of personal data.
- Verify the effectiveness of data protection policies, systems, and controls.
- Proactively identify and address any data protection issues.
- Manage timely communication and registration with statutory officers regarding data protection breaches and near-incidents.
- Develop, test, and deploy incident management processes and procedures.
- Leverage valuable insights from personal data to enhance the organization's operations without compromising data protection regulatory compliance.
- Increase stakeholder confidence that the organization can be regarded as a trustworthy custodian of personal data.
Scope
Definition
The Personal Data Protection (PDP) capability is the ability to develop and deploy policies, systems, and controls for processing personal and sensitive personal data relating to living persons in all digital, automated, and manual forms. It ensures that the organization safeguards the right to privacy of individuals whose information it holds, and that the organization uses personal data strictly for specified purposes agreed with the data subjects.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for PDP at each level of maturity.
- 2: Basic
  - Practice: Provide job-specific personal data protection training.
    - Outcome: Employee understanding of the need to safeguard personal data grows, which reduces the risk of careless disclosure.
    - Metric: % of employees with data protection training.
  - Practice: Allocate roles and responsibilities for personal data protection.
    - Outcome: Responsibilities are transparent, enabling effective data protection activities.
    - Metric: % of data protection roles filled in key functions.
  - Practice: Document approaches to ensure that personal data is used only for the purposes for which it was collected.
    - Outcome: Personal data is used only for appropriate and compliant purposes.
    - Metric: # of violations in the use of personal data (per time period).
- 3: Intermediate
  - Practice: Identify relevant data protection standards, regulations, and legislative requirements.
    - Outcome: Relevant standards, regulations, and legislative requirements can inform the approaches to personal data protection.
    - Metric: % of identified personal data protection standards, regulations, and legislative requirements reflected in policies and procedures.
  - Practice: Encourage consistent adoption of personal data protection policies, procedures, controls, and tools across employees and external partners.
    - Outcome: Consistent procedures and controls enable easier detection of anomalies.
    - Metric: # of employee-related data protection incidents and compliance issues.
  - Practice: Audit the effectiveness of the personal data protection approaches.
    - Outcome: Issues identified in audits help to improve processes, and identify areas where automation or training might be of value.
    - Metric: # of issues detected in audits and time to closure for those issues.
- 4: Advanced
  - Practice: Mandate privacy impact analysis in all system reviews, and programme, project, and change management processes throughout the organization.
    - Outcome: A privacy impact analysis identifies ways of preventing personal data protection issues from arising.
    - Metric: # of and trends for potential issues identified and averted or mitigated using privacy impact analyses.
  - Practice: Consistently adhere to personal data retention and destruction policies.
    - Outcome: Retention and destruction of personal data is policy and process compliant across the organization.
    - Metric: # of personal data retention non-compliance issues identified (per time period).
- 5: Optimized
  - Practice: Keep up to date with the latest research on the protection of personal data, and implement best known practice.
    - Outcomes:
      - The organization is effective in preventing data breaches.
      - Claims for breach of trust or duty of care are less likely to succeed.
    - Metric: # of data protection research initiatives and industry collaborations being pursued or investigated.
  - Practice: Continually encourage relevant business ecosystem partners to adopt good personal data protection practices.
    - Outcome: There is reduced risk of legal action or reputational damage arising from work with business ecosystem partners.
    - Metric: # of and trends of incidents in relevant business ecosystem partners.
Reference
History
This capability was introduced in Revision 18.07 as an update to Personal Data Protection (16).