IVI Framework Viewer

Personal Data Protection

PDP

The Personal Data Protection (PDP) capability is the ability to develop and deploy policies, systems, and controls for processing personal and sensitive personal data relating to living persons in all digital, automated, and manual forms. It ensures that the organization safeguards the right to privacy of individuals whose information it holds, and that the organization uses personal data strictly for specified purposes agreed with the data subjects.

Structure

PDP is made up of the following Categories and CBBs. Maturity and Planning are described at both the CC and the CBB level.

A Governance, Management, and Oversight

A1 Strategy, Policies, and Controls

Establish a strategy for protecting personal data. Design, develop, and maintain personal data protection policies and controls that comply with relevant data protection standards, regulations, and laws, and that align with the organization's business model and objectives. Promote and drive personal data protection compliance.

A2 Supplier Management

Define personal data protection qualification criteria for identifying and validating suppliers, and select suppliers who are committed to observing the organization's personal data protection obligations. Draft and agree the data processor contract, and manage contract compliance with the suppliers.

A3 Monitoring, Reporting, and Enforcement

Establish appropriate measures for enforcing compliance and monitoring and reporting non-compliance with personal data protection policies, and for taking remedial action where necessary. Drive improvements based on lessons learned from incidents (e.g. data breaches and inappropriate or unauthorized data access) and near-incidents.

B People

B1 Data Subject Rights Management

Manage requests by data subjects to access their personal data held by the organization (including the purposes for which it is held and to whom it may be disclosed), and to rectify or erase inaccurate data. Check that the communication channels and agents are authorized by the data subject.

B2 Roles, Responsibilities, and Accountabilities

Complete job and business process designs to identify the required roles for personal data protection tasks, and assign employees with the requisite knowledge and experience to the identified roles. Define and allocate the associated personal data protection responsibilities and accountabilities.

B3 Skills and Competence Development

Establish and make available a personal data protection training curriculum and other employee developmental mechanisms to ensure employees have the required skills and competences.

B4 Culture

Establish a personal data protection-aware culture. Inform stakeholders of key developments to build a shared understanding of how they can contribute to the realization of personal data protection objectives.

C Processing

C1 Risk, Security, and Access Rights Management

Establish and communicate personal data risk criteria, security criteria, and access rights controls (based on the life cycle state).

C2 Personal Data Acquisition and Purpose

Establish approaches to obtain data subject consent, provide fair notice, and manage the acquisition and lawful, fair, and transparent processing of personal data for explicit and legitimate purposes.

C3 Personal Data Adequacy and Accuracy

Ensure that personal data is only used and disclosed in line with the purposes for which it was acquired, and that the data held is adequate, relevant, and limited to what is necessary to meet those purposes. Monitor the quality of personal data held and remedy any data quality issues.

C4 Information Life Cycles

Provide input to information life cycle planning to identify, acquire, process, store, and/or destroy personal data in line with business, regulatory, and legal requirements and risks. Conduct privacy impact assessments at the planning stage of new or large change projects, and consider the potential damage or harm to both the data subject and the organization in whose custody the information has been placed.

C5 Personal Data Retention and Destruction

Develop and implement controls to verify that personal data is not retained beyond the time specified in data retention policies. Destroy data media (all forms — paper, digital, DNA encoded etc.) at the end of the data's life cycle and ensure that obsolete (or deleted) personal data is not inappropriately restored.

Overview

Goal & Objectives

An effective Personal Data Protection (PDP) capability aims to:

  • Comply with relevant data protection regulations.
  • Manage the growing complexities of protecting personal data in the digital business context.
  • Develop and deploy data protection policies, systems, and controls for appropriate acquisition, use, retention, and deletion/destruction of personal data.
  • Verify the effectiveness of data protection policies, systems, and controls.
  • Proactively identify and address any data protection issues.
  • Manage timely communication and registration with statutory officers regarding data protection breaches and near incidents.
  • Develop, test, and deploy incident management processes and procedures.
  • Leverage valuable insights from personal data to enhance the organization's operations without compromising data protection regulatory compliance.
  • Increase stakeholder confidence that the organization can be regarded as a trustworthy custodian of personal data.

Scope

Definition

The Personal Data Protection (PDP) capability is the ability to develop and deploy policies, systems, and controls for processing personal and sensitive personal data relating to living persons in all digital, automated, and manual forms. It ensures that the organization safeguards the right to privacy of individuals whose information it holds, and that the organization uses personal data strictly for specified purposes agreed with the data subjects.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for PDP at each level of maturity.

2 Basic
  • Practice
    Provide job-specific personal data protection training.
    Outcome
    Employee understanding of the need to safeguard personal data grows, which reduces the risk of careless disclosure.
    Metric
    % of employees with data protection training.
  • Practice
    Allocate roles and responsibilities for personal data protection.
    Outcome
    Responsibilities are transparent, enabling effective data protection activities.
    Metric
    % of data protection roles filled in key functions.
  • Practice
    Document approaches to ensure that personal data is used only for the purposes for which it was collected.
    Outcome
    Personal data is used only for appropriate and compliant purposes.
    Metric
    # of violations in the use of personal data (per time period).
3 Intermediate
  • Practice
    Identify relevant data protection standards, regulations, and legislative requirements.
    Outcome
    Relevant standards, regulations, and legislative requirements can inform the approaches to personal data protection.
    Metric
    % of identified personal data protection standards, regulations, and legislative requirements reflected in policies and procedures.
  • Practice
    Encourage consistent adoption of personal data protection policies, procedures, controls, and tools across employees and external partners.
    Outcome
    Consistent procedures and controls enable easier detection of anomalies.
    Metric
    # of employee-related data protection incidents and compliance issues.
  • Practice
    Audit the effectiveness of the personal data protection approaches.
    Outcome
    Issues identified in audits help to improve processes, and identify areas where automation or training might be of value.
    Metric
    # of issues detected in audits and time to closure for those issues.
4 Advanced
  • Practice
    Mandate privacy impact analysis in all system reviews, and programme, project, and change management processes throughout the organization.
    Outcome
    A privacy impact analysis identifies ways of preventing personal data protection issues from arising.
    Metric
    # of and trends for potential issues identified and averted or mitigated using privacy impact analyses.
  • Practice
    Consistently adhere to personal data retention and destruction policies.
    Outcome
    Retention and destruction of personal data is policy and process compliant across the organization.
    Metric
    # of personal data retention non-compliance issues identified (per time period).
5 Optimized
  • Practice
    Keep up to date with the latest research on the protection of personal data, and implement best known practice.
    Outcomes
    • The organization is effective in preventing data breaches.
    • Claims for breach of trust, or duty of care are less likely to succeed.
    Metric
    # of data protection research initiatives and industry collaborations being pursued or investigated.
  • Practice
    Continually encourage relevant business ecosystem partners to adopt good personal data protection practices.
    Outcome
    There is reduced risk of legal action or reputational damage arising from work with business ecosystem partners.
    Metric
    # of and trends of incidents in relevant business ecosystem partners.

Reference

History

This capability was introduced in Revision 18.07 as an update to Personal Data Protection (16).