
INTEGRATED DATA PRIVACY CAPABILITY MODEL
beta release
10/2022
About OCEG
OCEG is a global, non-profit think tank and community founded in 2002. We invented
GRC. We inform, empower, and help advance more than 120,000 members on
governance, risk management, and compliance (GRC).

Independent of specific professions, we provide content, best practices, education, and
certifications to drive leadership and business strategy through the application of the
OCEG GRC Capability Model and Principled Performance. An OCEG differentiator,
Principled Performance enables the reliable achievement of objectives while addressing
uncertainty and acting with integrity. Our members include c-suite, executive,
management, and other professionals from small and mid-size businesses, international
corporations, non-profits, and government agencies. Learn more at oceg.org

OCEG, Principled Performance, GRC Capability Model, and Integrated Data
Privacy Capability Model are all trademarks of OCEG.

© 2022 OCEG Page i


Usage and Licensing
The OCEG Integrated Data Privacy Capability Model is the COPYRIGHTED property of
OCEG and is licensed for use under a Creative Commons Attribution-NonCommercial-ShareAlike
4.0 International License (CC BY-NC-SA 4.0). For permissions
beyond the scope of this license, including commercial use, contact support@oceg.org

This license allows you to use the Model under the following terms:
● Share — Copy and redistribute the material in any medium or format
● Adapt — Remix, transform, and build upon the material
● Attribution — You must give appropriate credit, provide a link to the license,
and indicate if changes were made. You may do so in any reasonable manner, but
not in any way that suggests the licensor endorses you or your use.
● Non-Commercial — You may not use the material for commercial purposes.
● Share Alike — If you remix, transform, or build upon the material, you must
distribute your contributions under the same license as the original.
● No additional restrictions — You may not apply legal terms or technological
measures that legally restrict others from doing anything the license permits.

When attributing work to OCEG:

● Include in the site-wide or document-wide notice the text "Includes material
copied from or derived from OCEG at http://www.oceg.org" (include a hyperlink
where possible); and
● For each specific use, include the text "Includes material copied from or derived
from [title and URL and hyperlink (where possible) of the OCEG page or
document]."

Other License Options:

We understand that some organizations are not able to use open-source content and
code in their products and/or projects. As such, we also offer other licenses, including
commercial use licenses. Contact us at support@oceg.org.



Development of the Integrated Data Privacy Capability Model™

OCEG developed this Integrated Data Privacy Capability Model (IDP-CM) with the
assistance of experts from the Data Protection Excellence Network and Straits
Interactive, an OCEG training partner that teaches courses based on the GRC Capability
Model. Having expertise in both GRC and data privacy, they took the role of principal
authors.

We also invited a group of experts in data privacy from a range of roles (academia,
business, former regulators), and from different countries, to participate on our review
committee. Their valuable comments have been addressed in this final version of the
Model.

Development of the IDP-CM was led by: Carole Switzer, OCEG Co-Founder &
President, and edited by Scott Mitchell, Founder and Chair, OCEG, and Kelly Ray,
GRC Solutions Strategist (retired).

Principal Authors:
● Kevin Shepherdson, GRCP, FIP, CIPP/E, CIPP/A, CIPT, CIPM, Certified DPO (Exin)
● Lyn Boxall, GRCP, GRCA, FIP, CIPP/E, CIPP/A, CIPM, Certified DPO (Exin), LLM
● William Hioe, GRCP, FIP, CIPP/E, CIPP/A, CIPT, CIPM, Certified DPO (Exin)
● Celine Chew, GRCP, FIP, CIPP/E, CIPP/A, CIPT, CIPM, Certified DPO (Exin)
Data Protection Excellence Network www.dpexnetwork.org



The Review Board
We would like to thank the following individuals for contributing to the development of
this IDP-CM. Their expertise and experience in the governance, management, and
assurance of data privacy efforts in many countries were invaluable to the development
of a model that we hope will be useful to organizations of all types.

● Dr. Prapanpong Khumon, Advisor to Secretary-General of the Personal Data
Protection Committee of Thailand and Associate Dean at School of Law, University of
the Thai Chamber of Commerce
● Mr. Raymund Liboro, Privacy Commissioner and Chairman, National Privacy Commission
of the Philippines (Retired)
● Mr. Luis Montezuma, Deputy Assistant to the Chair, Colombia Data Protection Authority
● Mr. Yudhistira Nugraha, ECPC-B DPO, D. Phil (Oxon), Director of Jakarta Smart City, and
Privacy and Cybersecurity Lecturer - Telkom University, Indonesia
● Mr. Stephen Wong, Practicing Barrister-at-Law and Former Commissioner, Privacy
Commission for Personal Data, Hong Kong
● Dr. Sonny Zulhuda, Assoc. Professor and Cyber Law Coordinator, International Islamic
University, Malaysia
● Ms. Angela Xu, Privacy and Data Governance Counsel
● Mr. Kevin Fumai, GRCP, CIPP/US, CIPP/E, CIPM, CIPT, FIP, PLS, CDPSE
● Mr. Nigel Hedges, Group Head of Cybersecurity, Kmart Australia Limited
● Dr. Rebecca Wynn, Global CISO and Chief Privacy Officer, Click Solutions Group
● Mr. Keith Carrington, Chief Compliance and Privacy Officer, North American Dental Group
● Mr. Ron Daniels, Information Governance Manager, Jones Day
● Ms. Sanghamitra Saha, Former Assoc. Director, IT Risk Management, EY
● Mr. Scott Tashlik, Global Head of Internal Audit, USI Insurance Services
● Mr. Stewart Dresner, Chief Executive, Privacy Laws & Business
● Ms. Teresa Troester-Falk, CEO and Founder, BlueSky Privacy
● Mr. Jean-Louis Reyneart, Managing Director, ORSA Risk Solutions
● Ms. Karen Schuler, GRC Practice Leader and Privacy Co-Leader, BDO
● Adj A/Prof. Lanx Goh, Head of International Privacy and Global Data Protection Officer,
Ant Group



Contents
INTRODUCTION ................................................................................................................ 1

A Note About Terminology .............................................................................................. 1

The Need to Mature a Data Privacy Capability ............................................................... 3

Applying a Process Model ................................................................................................ 4

Why Ensuring Data Privacy Matters ............................................................................... 5

Focus on Principled Performance ................................................................................... 9

The Meaning of GRC ...................................................................................................... 10

Principled Performance and Data Privacy ..................................................................... 11

The Integrated Data Privacy Lifecycle ........................................................................... 16

Data Privacy and the GRC Capability Model..................................................................17

Learn ........................................................................................................................... 18

Align ............................................................................................................................ 20

Perform ....................................................................................................................... 22

Review ......................................................................................................................... 25

Principles of Integrated Data Privacy ............................................................................ 28

ANATOMY OF THE INTEGRATED DATA PRIVACY CAPABILITY MODEL ................ 31

MODEL STRUCTURE ................................................................................................... 31

Components ................................................................................................................ 31

Elements ..................................................................................................................... 34

Practices ...................................................................................................................... 35

A Note About Actions and Controls............................................................................... 36

INTEGRATED DATA PRIVACY CAPABILITY MODEL .................................................. 38

DP-L: Learn.................................................................................................................... 39

DP-L1 External Context .............................................................................................. 40



DP-L2 Internal Context .............................................................................................. 42

DP-L3 Culture............................................................................................................. 44

DP-L4 Stakeholders .................................................................................................... 46

DP-A: Align .................................................................................................................... 47

DP- A1 Direction ......................................................................................................... 48

DP-A2 Objectives ........................................................................................................ 49

DP-A3 Identification .................................................................................................. 50

DP-A4 Assessment ..................................................................................................... 51

DP-A5 Design ............................................................................................................. 53

DP-P: Perform ................................................................................................................ 54

DP-P1. Controls .......................................................................................................... 56

DP-P2. Policies ........................................................................................................... 57

DP-P3 Communication............................................................................................... 58

DP-P4 Education ........................................................................................................ 59

DP-P5 Incentives ........................................................................................................ 60

DP-P6 Notification ..................................................................................................... 61

DP-P7 Inquiry ............................................................................................................. 62

DP-P8 Response ......................................................................................................... 63

DP-R: Review ................................................................................................................. 65

DP-R1 Monitoring ...................................................................................................... 66

DP-R2 Assurance ........................................................................................................ 67

DP-R3 Improvement .................................................................................................. 68

DETAILED PRACTICES ................................................................................................... 69



INTRODUCTION

A Note About Terminology

The terminology used in data privacy laws and regulations varies greatly from
jurisdiction to jurisdiction. The chart below indicates the terms that we use, and
equivalent terms applied in various jurisdictions.

Terminology Used | Elaboration and Equivalent Terminologies (not exhaustive)
--- | ---
Privacy | Data protection*
Personal information / PII | Personal data / Personally identifiable information
Sensitive personal information / sensitive personal data | Special categories of data (including employment, financial, and healthcare) / Prescribed personal data
Organization - where it determines the purpose and means of processing | Controller / data user / data fiduciary / personal information handler
Third-party service provider | Data processor / data intermediary / entrusted person
Data Management / Management of data / Processing personal information / PII / Handling personal information | Collecting, using, disclosing, transferring, storing, disposing of / destroying, etc. personal information / PII
Individual | Data subject / data principal



* Although data privacy and data protection are sometimes used interchangeably,
data protection is a broader umbrella that includes data privacy as just one aspect. In
this Model we are addressing just the subset of Data Privacy, which is about defining the
rights of access and use of data. Privacy essentially is a legal construct centered on rights
of control and ownership. By contrast, data protection, which may be the nomenclature
used in broader regulatory schemes and is frequently used as a technical classification,
is about securing data against unauthorized access, whether that access is limited for
privacy or for other reasons.



The Need to Mature a Data Privacy Capability

OCEG’s mission is to help organizations achieve Principled Performance – defined as
the reliable achievement of objectives while addressing uncertainty and acting with
integrity. The OCEG GRC Capability Model sets the framework for overall governance,
management, and assurance of performance, risk, and compliance to achieve this goal.

The GRC Capability Model helps organizations produce value and protect value with
integrity – and Data Privacy is an important part of this mission.

Increasingly, countries around the world are establishing laws and regulations
governing how organizations collect, use, disclose, transfer, store, and dispose of or
destroy personal information (hereinafter “data management” or “management of
data”). These laws and regulations set boundaries so that organizations can protect
value (protect their customers, workforce, partners, and organization as a whole) while
producing value.

Different parts of an organization may manage data differently. Ensuring consistent and
compliant data management has become a significant challenge that presents a real risk
to the achievement of organizational objectives. Data management has also become ever
more costly as the volume of information increases and the requirements continue to
evolve with different standards that may not always be easily reconciled.

Some organizations fail to consider the lifecycle needed to fully govern, manage, and
provide assurance for data privacy requirements. They fail to appreciate the need to
fully integrate such efforts throughout the organization at all levels of operation. They
do not take a mature approach to monitoring the external and internal environments of
the organization to determine data privacy needs, nor do they establish reliable and
measurable control efforts. They have weak or non-existent metrics for measuring
outcomes of their data privacy capability and often fail to apply the necessary
technologies to support a fully realized capability.



Applying a Process Model

The OCEG GRC Capability Model can be applied to a variety of topics and risk areas,
including data privacy. This publication provides an Integrated Data Privacy Capability
Model (hereinafter “the Model” or “IDP-CM”) that addresses the specific concerns of
data privacy.

The Model establishes standards from which an organization may customize its
approach to data privacy governance, management, and assurance.

The reader should note that the Model does not describe all data privacy requirements
imposed by law everywhere in the world; nor does it detail the data privacy
requirements of a particular legal system. Instead, it is jurisdiction neutral.

The Model sets out a framework for identifying and monitoring changes in potentially
relevant requirements, assessing their application to the activities of the organization,
and establishing an effective capability to address such requirements while taking into
consideration the impact on organizational objectives and outcomes.



Why Ensuring Data Privacy Matters

The volume of data collected and maintained by businesses, governments, and other
organizations is growing exponentially. Losses due to cyberattacks and accidental data
releases continue to escalate. Personal information, such as customer financial or
identifying information, can be used to commit identity theft and financial crimes. Theft
of passwords and other access information also puts corporate and governmental data at
risk, and this can lead to ransomware attacks and security threats. Such losses greatly
reduce stakeholder and societal confidence in businesses and other organizations.

Several factors contribute to this challenge, including ubiquitous connectivity and
technology; expanding global risk awareness; ethical concerns; threats to the
achievement of objectives; and the failure of a reactive approach. We elaborate on these
factors below.

Ubiquitous Connectivity and Technology

Overall, the protection of data is critical and has been made more challenging as the use
of advanced, connected technologies and “smart” products for everyday tasks has
expanded. It is no longer as simple as locking a filing cabinet or using a safe that holds
paper copies of private or sensitive information. Data is now compiled and analyzed in
privacy-intrusive technologies such as those using automated decision-making, artificial
intelligence (AI), algorithms, predictive analytics, and surveillance. The challenge today
is to establish both technology controls and strong policies and procedures for handling
data within these complex systems.

Expanding Global Risk Awareness

Globally, this ubiquity and increasing volumes of notifications and media coverage of
cyberattacks and theft of data has resulted in an increased awareness among the general
population of how data experts have obliquely used their personal information. There
has been a rise in social consciousness that people’s interactions with technology,
commerce, and discourse are being shaped by the ‘scripted’ use of personal information
and transaction history (whether well-intentioned or ill). People have started
connecting the dots between seeing advertisements in their social media feeds, online
shopping venues, or programmable billboards based on the proximity of and searches
they may have performed using their phone. Wariness flourishes as to whether
voice-managed assistants like Alexa and Google or cell phones are listening wherever you are
(including at home, in cars, and public venues) when not asked to do so. Questions
abound as to why there is exponential growth in government and commercial “listening
farms” and data analysis centers. Perspectives on who ‘owns’ and ‘controls’ personal
information have been shifting. There is an ever-increasing sense that a data subject
ought to be able to choose if others get to know what they are tracking politically,
socially, or commercially.

Sensitivity to the reality that an individual’s personal information is being collected,
tracked, mined, shared, and used in ways they didn’t intend and growing weariness of
the spam ‘everything’ – calls, texts, social media feeds, etc. has prompted people to seek
assistance from their government leaders. Regulators have been asked to require data
handlers to assist individuals in exerting some control over ownership and, where
relevant, consent regarding personal information.

In response, legislators and regulators in many countries have increasingly regulated
ownership, lawful bases of processing (including, where relevant, consent), and the
management of risks presented by organizations maintaining databases containing the
personal information of their employees, customers, and business partners. Various
countries are introducing requirements for the cross-border transfer of personal
information. Such requirements are vital since global trade and an increasingly remote
and geographically distributed workforce rely on flows of personal information, which
must be able to be done in a way that safeguards data privacy. In short, the entire world
“has a foot on the gas” regarding data privacy laws.



Ethical Concerns

Data ethics are also under discussion. There is widespread debate about the use of facial
recognition in commercial settings and law enforcement, the use of predictive
technologies particularly in the context of law enforcement, the use of personal
information to target individuals with spam and propaganda, and the use of personal
information collected through the ‘Internet of Things’ (IoT). These discussions stem
from a realization that just because personal information can be collected and used does
not mean that it should be collected or used without consent. Ethical guidelines on data
use are evolving and regulations may soon follow.

Threats to the Achievement of Objectives


If an organization suffers a data privacy breach, inevitably the regulatory consequences
and their aftermath will impact its business performance and its achievement of
objectives - at the organizational, departmental, and/or functional level. The privacy
laws in many countries require organizations to inform the regulator and affected
individuals about data privacy breaches. Failure to do so leads to administrative fines or
other sanctions and may even result in criminal sanctions in some circumstances. This
alone presents a reason to establish controls to protect data.

The resulting regulatory fines may be large; but, in many cases, they are not as
significant as the losses to reputation, stock price, productivity, and customer revenues
(including resulting loss of customer trust and, therefore, future business) - all of which
force organizations to re-look at their business objectives and priorities on an ‘after the
fact’ basis.

Beyond the protection of personal information of employees, customers, and business
partners, the organization’s data is also at risk when passwords and other access
barriers are breached. Failure to protect such data can lead to economic loss,
competitive disadvantage, and potential “kill the company” events.



Failure of a Reactive-Only Approach

Redundant storage of personal information creates tremendous uncertainty and
enhanced threats of data breaches. Even so, many organizations fail to control the
threats adequately or implement measures to manage the effects of realized risks on
their objectives. Some, especially those in non-regulated sectors, have taken merely a
reactive stance - they will comply with the relevant laws only if they are forced by
regulators to do so and/or when they are responding to a security incident or a data
breach.

They realize subsequently that there are regulatory risks that threaten operations. This
realization prompts management to put in place the necessary governance frameworks
and measures to minimize business disruption and ensure continued optimal
performance. There is no active governance of data privacy, only reactive mitigation
and risk management, which is less effective and most often costs more. In other words,
governance becomes an afterthought instead of the main strategic driver spearheading
the holistic and integrated approach to privacy risk management and compliance.

More successful and forward-thinking organizations will design an integrated data
privacy capability that not only meets the varied regulatory requirements that apply to
them, but also takes into consideration how best to ensure the organization maintains
what OCEG defines as Principled Performance – the reliable achievement of
objectives while addressing uncertainty and acting with integrity.

While the challenges of data privacy have come into view more clearly in recent years,
the problem of ineffective compliance and risk management has been around longer.
The lessons learned from prior challenges and failed approaches can be well applied in
this current context.



Focus on Principled Performance

During the early 2000s, scandals rocked the global economy evaporating millions of
jobs and trillions of dollars of wealth. At the root of these scandals were siloed and
ineffective systems intended to address governance, risk, compliance, and ethics.

Strategic systems were separate from performance management systems, which were
separate from risk management systems, which were separate from compliance systems,
and so on. In addition, each type of risk was managed separately with inconsistent
methods and technologies, and often different geographic units and departments within
the business were also segregated. This siloed nature of business led to a lack of risk
visibility, failure to establish adequate controls, and absence of resiliency.

Unfortunately, this siloed approach was all too common, and the seeds of future
problems continued to grow in this deficient state. OCEG and its members sought to
create a future state that was more effective, more efficient, more agile, more resilient,
and better able to address modern challenges. This led to OCEG’s innovation of the
ideas behind Principled Performance and GRC.

Principled Performance is a point of view and approach to business that helps
organizations reliably achieve objectives while addressing uncertainty and acting with
integrity. Focusing on Principled Performance at every level of the organization, when
planning and executing every project or task, establishes a common goal and culture
that supports success.



The Meaning of GRC

The acronym GRC is a shorthand reference to the collection of critical capabilities that
must work together to achieve Principled Performance. GRC denotes governance, risk
management, and compliance, but it connotes much more than those three terms
simply put together into an acronym.

It is important to remember that organizations have been governed, and risk and
compliance have been managed, for a long time — G, R, and C individually are nothing
new. However, many have not approached these activities in a mature and integrated
way, nor have these capabilities supported each other to enhance the likelihood of
achieving objectives. That makes GRC, as we understand it today, totally revolutionary.

In a forward-thinking organization, GRC represents a well-coordinated and integrated
collection of the capabilities necessary to support Principled Performance at every level
of the organization. GRC doesn’t burden the business; it enables and improves it.

Integrating GRC capabilities does not mean creating a mega-department of GRC and
doing away with decentralized or programmatic approaches to risk and compliance
management. Nor does it necessarily call for the use of only one GRC technology system.
Rather, it is about establishing an approach that ensures the right people get the
appropriate and correct information at the right times, that the right objectives are
established, and that the right actions and controls necessary to address uncertainty and
act with integrity are put in place. When business activities are siloed with separate
information, it is likely that wrong or counter-productive objectives will be established,
sub-optimal strategies will be selected, and performance will not be optimized.

Having a unified vocabulary and taxonomy for information; establishing a common
repository for data, documents, and information; creating standardized policies,
procedures, and templates; ensuring regular and consistent communication of policies
and expectations between and amongst all relevant roles from the front office to
strategic decision-makers — these are all aspects of effective integrated GRC capabilities,
whether established for enterprise-wide objectives, or those of particular departments
or projects.



Principled Performance and Data Privacy

The relationship between Principled Performance and the management of data privacy
runs in both directions, with each supporting the other. Strong data management is an
essential aspect of Principled Performance for the organization, as it strives to reliably
achieve its objectives while addressing uncertainty and acting with integrity. At the same
time, the structures and processes put in place to drive Principled Performance overall
also support a principled and mature approach to the management of data privacy.

Ever-Changing and Expanding Requirements

The quest for Principled Performance benefits from strong, integrated GRC capabilities
as organizations face a plethora of ever-changing compliance requirements across a
range of topics, compounded by growing related risks. Data privacy is one compliance
and risk domain that presents such challenges, perhaps even more than many others.

Countries are introducing and enforcing privacy laws at a rapid rate, typically reflecting
needs arising from the rapid development of information technology in today’s highly
digitalized world. Increasingly, smart but privacy-intrusive technologies drive unique
and differentiated employee, customer, and business partner “experiences” leveraging
data and contextually-sensitive meta-data. Organizations find they are grappling with a
plethora of different laws and requirements.

The General Data Protection Regulation (GDPR) came into force in the European Union
(EU) in May 2018. This was followed in 2020 by the enactment of the California
Consumer Privacy Act (CCPA); several other U.S. states have implemented either
general or sector-specific and/or technology-specific privacy laws or are in the process
of doing so, leading to increasing discussion about a US privacy law at the Federal level.

The Brazilian General Data Protection Law (LGPD) came into force in September 2020
(some aspects of enforcement were delayed until August 2021), a Personal Information
Protection Law came into effect in China on 1 November 2021, and a Data Protection
Act is scheduled to be finalized in India in mid-2022. The countries that are members of
the Association of South-East Asian Nations (ASEAN), with a combined population of
more than 650 million people, and countries in the Middle East and Africa, have
introduced, or are introducing, data privacy laws.

In a typical privacy law, personal information is defined as any information that can
identify the individual to whom it relates, either directly or indirectly. Because loss of
personal information may affect the well-being and privacy of individuals, there are
regulatory rules governing when information may be processed and, if so, how it may be
processed.

The US and many other jurisdictions treat sensitive personal information differently
from non-sensitive personal information. This is because the potential harm to the
well-being and privacy of individuals is greater when sensitive personal information is being
processed. For example, there may be a higher risk of identity theft or of the personal
information being used to discriminate against individuals. So, there are rules that
either require a higher level of security, restrict the processing of sensitive personal
information to specific circumstances, or put other safeguards into place.

The laws and regulations governing how personal information is processed establish
when organizations may legally process it. These rules are often explicitly, but otherwise
implicitly, referred to as lawful bases for processing personal information. These rules
also spell out the principles that organizations must follow when they process personal
information to protect the interests, including the privacy interests, of individuals.
Organizations are not legally permitted to process personal information whenever it
happens to be convenient for them to do so, for whatever purpose and in whatever way
suits their commercial ends. They must consider the potential impact of processing such
information on the well-being of individuals, including the impact on their privacy.

For example, personal information relating to health, financial matters, or children may
be processed by organizations in the U.S. only by strict rules set out in Federal and
sometimes State legislation designed to protect the rights of individuals, including their
constitutional rights. Implicitly, there must be a lawful basis for processing such
personal information that is within the scope of specific laws.

Outside the U.S., many privacy laws (for example, the GDPR in the EU) explicitly
require organizations to identify their purposes for processing personal information and
justify them under one or more of the following lawful bases of processing (the
mnemonic ‘3Cs and 3Is’ is helpful for recalling these lawful bases):

● Consent from the individual concerned
● Compliance with a legal obligation
● Contract fulfillment or performance
● Vital Interest of data subjects
● Public Interest or task performed by a public authority
● Legitimate Interest of the organization or a relevant third party

In such countries, organizations cannot arbitrarily choose a lawful basis of processing to
justify their business objectives – the chosen lawful basis of processing must be
supportable by the relevant facts relating to the processing. This is because the basis
chosen has implications when responding to individuals exercising their privacy rights.

Organizations must be fair and data processing must be proportionate to specific
legitimate purposes – personal information processing cannot cover “just in case”
scenarios that only benefit their business interests. For example, organizations cannot
conveniently process personal information for vaguely described purposes such as “all
business purposes” even if individuals have given their consent to them doing so. If the
organization chooses to rely on its “legitimate interests” as a lawful basis for processing
personal information, it must apply a balancing test to ensure that its business interests
do not override the rights and freedoms of the individual (such as their right to privacy).
In short, organizations must choose the appropriate lawful basis for processing (from
the 3Cs and 3Is or other specific lawful bases set out in the relevant jurisdiction).

In addition, organizations must be transparent when processing personal information.
They must generally tell individuals why they are processing their personal information
– that is, their specific purposes for doing so. They must also tell individuals about their
legal rights about that processing and describe the third parties that will or may have
access to their personal information and for what purposes. These notifications enable
individuals to understand why the organization is processing their personal information
and allow them to exercise their rights about that processing.

In summary, organizations must process personal information only as permitted by law
and must satisfy transparency requirements. To do this, they need to ensure that all
their business activities that include processing personal information comply with the
applicable privacy requirements. Failure to do so may result in regulatory sanctions
(including fines and orders to cease processing), as well as loss of reputation and a
perception that the organization lacks integrity generally or, at the very least, does not
respect its stakeholders sufficiently well to ensure that their privacy is protected.

Need for Proactive Measures

Many organizations respond to the increasing legal requirements for data privacy by
seeing them simply as regulatory requirements and assigning responsibility for them to
specialized teams that are part of their legal or compliance functions. They treat the
requirements as something to be addressed solely by legal contracts that are
documented and audited as part of their internal audit function. In other words, the
approach to complying with the law is through ticking off a compliance checklist
passively, rather than taking a proactive Principled Performance approach towards
dealing with legal requirements for privacy compliance.

Highly publicized data breaches and, in many countries, an increasing spate of
enforcement cases in recent years, suggest very strongly that:

● privacy operations relate to the entire business,
● privacy breaches negatively affect business objectives, and
● privacy breaches often arise due to the organization’s failure to adopt a proactive
and holistic GRC approach to processing personal information.

Despite the obvious need for a fully integrated approach to proactive data management,
many organizations, especially those in non-regulated sectors, continue to take a
reactive stance – they will comply with the relevant laws only if they are forced by
regulators to do so, or when they are responding to a security incident or a data breach.
They subsequently may realize that there are regulatory risks that threaten their
operations, prompting management to establish governance frameworks and measures
to minimize business disruption and ensure continued optimal performance. In effect,
governance is an afterthought instead of the main strategic driver spearheading a
holistic and integrated approach to privacy risk management and compliance.

Data Processing Throughout the Business

In today’s digital age, the achievement and management of the performance of
established objectives require supporting business activities or processes. This
inevitably involves data processing – whether the information is in the organization’s IT
system or hardcopy files. And data processing, whether automated or manual, always
has the potential to affect the privacy of individuals.

Satisfying privacy law requirements may involve a significant investment of effort … as
does all Principled Performance. The reality today is that many business activities
include complex personal information processing. They are likely siloed within their
business units, each with unclear, inconsistent, or counter-productive objectives and
perhaps with legal and compliance functions having limited visibility into the details of
their operations. Meanwhile, business units take the position that compliance with
privacy laws is the responsibility of the legal and compliance functions.

The more that employees responsible for business operations do not take responsibility
for compliance with privacy laws and the more siloed the risk and compliance activities
are from business operations, the less likely it is that the organization will be able to
comply effectively with privacy requirements. This, in turn, impacts business
performance and creates disruptions: decision-makers need to deal with complaints,
incidents, data breaches, and investigations from regulators while, often, dealing
simultaneously with inquiries from the mainstream media and the results of speculative
or critical comments in social media.

The Integrated Data Privacy Lifecycle

A key concept associated with data privacy is the Integrated Data Privacy Lifecycle
which includes the stages of Collect & Gather, Use & Process, Disclose &
Transfer, and Store & Dispose. Each of these continuously operates, with new data
regularly coming in and leaving at each stage. References to the Integrated Data Privacy
Lifecycle (“the IDP Lifecycle” or sometimes the “C-U-D-S Lifecycle”, which is a useful
mnemonic based on the initial letters in the names of each stage) are made throughout
the Model.

Data Privacy and the GRC Capability Model

Effective data privacy management is an essential aspect of a GRC capability that drives
the attainment of Principled Performance. The OCEG GRC Capability Model (also called
the “Red Book”) describes core governance, risk management, and compliance
capabilities and processes that must be developed and implemented to ensure the
Principled Performance outcome.

The Red Book defines Elements and Practices for successful GRC capability in four
overarching Components. The Integrated Data Privacy Capability Model tailors each of
these for data privacy and the development of a Data Privacy Management Program.

An overview of how each Component generally applies to data privacy management
follows.

Learn

This Red Book Component highlights the importance of examining and analyzing the
external and internal context, company culture, and stakeholder needs as they change
over time. It requires organizations to monitor and align their mission, vision, values,
philosophy, and strategies with all stakeholders’ needs and changing conditions.

From an external context perspective, beyond the obvious need for tracking new
and proposed privacy laws and regulations, organizations must take three main drivers
of privacy into consideration:

● Social concerns arising from technological innovation (especially privacy-
intrusive technologies)
● Growth of international trade and e-commerce (leading to cross-border data
flows)
● Privacy as a human right or consumer right

These three drivers particularly shape the regulatory, market, societal, and political
forces that define the external context perspective for organizations seeking Principled
Performance in Data Privacy Management.

There also are three distinct factors in play in the external context:

● As of early 2021, the United Nations Conference on Trade and Development
(UNCTAD) noted that more than 80% of countries around the world have privacy
legislation in place or are now developing it for implementation.

● The business models of organizations ranging from technology giants to start-ups
are monetizing personal information, leveraging the use of “big data”, intelligent
algorithms, and AI solutions that potentially intrude into the private lives of
individuals or infringe their rights as consumers.

● From a market perspective, privacy and consumer rights concerns are resulting
in product and service boycotts with increasing frequency. These reflect societal
forces in play, particularly increasing awareness amongst the public about
privacy-intrusive surveillance and other technologies, together with changing
attitudes about privacy; and increasing concerns about personal information
being indiscriminately shared and disclosed.

These factors give rise to a need for organizations to examine current and future
developments in data privacy laws, regulations, and standards – as well as community
expectations. Organizations also need to consider the interplay between these forces.

For example, in the two-year “sunrise” period after the GDPR was passed and before it
came into force in May 2018, organizations based in the US that marketed their goods
and services to individuals in the EU had to consider how they would align their internal
data privacy policies and operations to comply with the GDPR. In some cases, this
resulted in organizational restructuring with EU operations transferred to newly
established entities in the EU; in others, it resulted in changes in operating models that
took the applicable GDPR requirements into account. Meanwhile, organizations in the
EU that had been complying with privacy laws made by the 1995 EU Data Protection
Directive (which were repealed when the GDPR came into force), were required to align
their internal data privacy policies to the GDPR’s stricter and more prescriptive
processing requirements.

From an internal context perspective, privacy concerns and enforcement actions
against organizations, again ranging from technology giants to start-ups including major
online businesses, demonstrate that organizations cannot ignore data privacy in their
strategic growth plans, third-party operating models, or as requirements in their key
business activities. They must be cognizant of the data privacy and information security
posture within their organizations, the priorities of their organizations, and the
resources committed to responding to data privacy considerations.

A Chief Privacy Officer (CPO) / Data Protection Officer (DPO) or other similar senior
management individual plays a strong role in privacy compliance, including assisting
business units to develop and implement written policies, processes, and standard
operating procedures. This role can also ensure contractual protection when the
organization discloses or transfers personal information to third parties.

Mere legal compliance – as evidenced only by “paper policies” and contracts – is not
enough, however, for Principled Performance. In addition, privacy requirements must
shape an organization’s governance culture and, through standard operating
procedures, ensure that the organization operates its business consistently with those
privacy requirements.

Organizations must recognize the rights, and meet the expectations, of all
stakeholders, but particularly customers and employees whose data they manage. In
an increasingly competitive world, where stakeholders have many options open to them,
gaining and retaining stakeholder trust is essential, not optional, for success.
Stakeholders are tired of “oops, sorry we made a mistake, but it wasn’t our fault” when
it comes to the treatment of their personal information.

To summarize, the data privacy management capability will fail if it is not able to quickly
learn and appropriately respond to changes in the external and the internal context to
ensure compliance, satisfy cultural imperatives, and meet stakeholder expectations.

Align

This Red Book Component addresses the need for alignment between performance
goals, legal requirements, contractual requirements, risks, and controls that may affect
the outcome of the objectives of the organization.

Data privacy management must consider the strategic direction and objectives of the
organization overall in determining data management needs and policies. The design of
a data privacy management capability must be integrated with the organization’s risk
and compliance management plans and align with its strategic and tactical objectives.

Where compliance, legal, and risk management functions are siloed, efforts to comply
with legal requirements of data privacy laws are often seen by senior management and
business unit leaders as roadblocks or distractions from focusing on business objectives.
Compliance and legal functions, acting within their silos, often frame the failure to
comply with mandatory legal requirements solely in terms of regulatory consequences,
such as financial penalties and other regulatory sanctions.

Some would argue, inappropriately, that it is not within their remit to highlight the
undesirable effects of compliance failures on objectives and business performance. This
misalignment also applies to the enterprise risk management function, as it may fail to
identify data privacy risks that may lead to an unauthorized processing of personal
information or leakage of personal information in their risk management plans.

The Red Book defines Risk Management as the act of managing processes and
resources to address risk (based on its impact and likelihood) while pursuing reward.
It is important to note that privacy laws, such as the GDPR, and the expectations and
approaches of regulators have evolved to embrace a risk-based approach to privacy
management. Organizations are obliged to identify and assess the privacy risks resulting
from processing personal information and to do so throughout every stage of the
information lifecycle of all relevant business activities. Based on the likelihood and
severity of these identified risks, they are obliged to implement appropriate technical
and organizational measures to manage them.

An integrated GRC plan focused on Principled Performance must be designed to address
both the uncertainties associated with processing personal information, including any
inherent threats; and the certainties of complying with data privacy regulatory
requirements in the business landscape. All these create obstacles and undesirable
effects to achieving established objectives.

Assessments must be conducted to identify any privacy risks and the organization must
design and implement controls to manage those risks with a view to the organization
complying with relevant privacy laws. Doing so is a fundamental requirement for, and a
component of, an organization’s data privacy management capability.

Perform

This Red Book Component outlines the core actions and controls that are needed to
proactively encourage conduct that supports objectives; prevent conduct that challenges
the desired outcomes; and to detect and appropriately respond to undesired conduct
when it happens.

The performance aspects of data privacy management – which may, alternatively, be
described as the operational aspects of data privacy management – are outlined within
this Component. They include developing policies to implement actions and controls
identified at the Align stage, communicating them to stakeholders, educating staff about
them, and monitoring conformance with them. They also include steps for managing
consents and responding to inquiries made about personal information practices,
including requests from individuals about their own data, and methods for responding
to data breaches, including obligations for informing affected individuals.

In the context of privacy laws, actions and controls consist of appropriate technical,
administrative, and physical measures:

● To apply proactively, instead of merely reactively. Appropriate measures include
conducting privacy impact assessments, implementing privacy by design, and
implementing standard operating procedures to assist staff in effecting standard
policies in their day-to-day tasks.
● To detect any data privacy breaches or incidents that result in unauthorized
disclosure or leakage of personal information.
● To correct, resolve, and respond to any issues, non-compliance, or breaches.

An organization must take the specific requirements of relevant privacy laws and
regulations into account as they design their actions and controls. Notably, the need to
proactively detect “undesirable actions and events” through the notification and inquiry
elements in the Perform component is often not addressed, but this is an essential
element of a strong management program.

Notification in the context of data privacy management means allowing stakeholders
to raise privacy issues directly with the organization (for example, through
whistleblowing mechanisms), rather than reporting directly to any external privacy
regulator.

Management and supervisory personnel should be trained to handle and record such
notifications, which may be in the form of a complaint or dispute involving personal
information. For example, a human resources manager must be trained to know that
they should not escalate issues brought up by employees without first knowing whether
the complainant wants to reveal their identity in the ensuing investigation. They must
also be trained to know about any requirements under applicable whistleblowing laws.
There are strong restrictions in certain countries on how whistleblowing may be done:
rules about the anonymity of the whistleblower (where permitted or required); and rules
about the impacts on those who may be the subject(s) of the whistleblowing. These must
be considered as part of achieving Principled Performance.

Inquiry is where the organization periodically analyzes data and seeks input about
progress towards objectives. In this element, the organization should also take note of
stakeholder sentiments towards how the organization respects and treats personal
information. In the context of privacy management, organizations need to ensure that
stakeholders (including both customers and employees) feel that they can trust how the
organization handles personal information. An unhappy stakeholder is the weakest link
when it comes to privacy management.

Good customer service is essential to data management and ensuring the well-being of
customers. Good employee relationship management is also essential to good customer
service and requires employees to trust the way the organization respects and treats
employee personal information. Employee satisfaction surveys are one way to assess
employee sentiments about the organization’s data privacy management.

Incentives should also be put in place to recognize and encourage efforts that respect
the privacy of individuals, both customers and employees, as well as the proper
treatment of their personal information.

Performance aspects of data privacy management capability also include actions to
respond to:

● individuals exercising their rights under the relevant privacy laws,
● any complaints about data privacy management,
● data breaches, and
● identified weaknesses in a data privacy management program

Such responses also lead to experience within the organization that feeds into the
Review component of the Integrated Data Privacy Capability Model.

As in other areas of risk management, the range of actions and controls performed in
data privacy management is proactive, detective, and corrective. Failure to
develop and implement such measures inevitably will lead to failures to comply with
privacy laws and consequent regulatory action being taken against the organization.

Typically, when they investigate an organization, privacy regulators expect and require
the organization to demonstrate accountability – that is, to provide evidence that the
organization has identified the relevant mandatory requirements and taken action to
comply with them from both a legal and an operational perspective. Regulators require
evidence of actions and controls being implemented and documented. This includes
providing to the regulator privacy-related policies and standard operating procedures
approved by management, training records, other documents such as records of
processing activities, and an active and documented privacy management program
complete with an updated data breach response plan.

Review

This Red Book Component describes methods for establishing and layering various
types of monitoring actions and controls to ensure the performance of the established
GRC capability, making changes to improve them when needed, and providing
assurance of both design and operating effectiveness to management, governing
authorities, and stakeholders.

In data privacy management, frequent and significant changes in circumstances, both
internal and external, demand review and revision of data privacy policies and their
supporting standard operating procedures regularly. Changes to the management
capability may also be indicated from time to time. For example, amendments to data
privacy laws, the outcomes of enforcement actions against other organizations that
indicate relevant views and expectations of regulators, internal incidents, or data
breaches to which the organization must react, implementation of new functions,
channels, technologies, or processes by the organization that may have an impact on
data privacy, and on-boarding of new staff, all require constant monitoring.

Organizations should also conduct regular audits to uncover any gaps or exposures in
the way they process personal information, especially following a data privacy breach or
any other incident, such as a customer complaint, that may indicate a failure to comply
with relevant data privacy laws and regulations.

One myth is that the CPO/DPO or another senior officer (such as a compliance officer)
will be held responsible for data privacy failures. More typically, the regulator will
investigate and expect the relevant business unit head to be accountable on behalf of the
overall organization. The regulator might consider the advice and guidance of the
CPO/DPO or another senior officer to the relevant business unit and liaise closely with
them and their team during the investigation. However, it is not the role of the
CPO/DPO or another senior officer to be accountable on behalf of the overall
organization – their role is to provide subject matter expert guidance and support.

For example, if there is a data breach in IT systems, the regulator will hold the IT head
accountable on behalf of the organization. If the consent/lawful basis principle has been
breached in a marketing process, the regulator will hold the head of marketing
responsible on behalf of the organization. From the regulator's perspective, it is the lack
of – or failure to implement – proper policies and standard operating procedures and
inadequate staff training that caused the data breach or consent failure.

The relevant business unit being held accountable on behalf of the organization by the
regulator is consistent with the three lines of defense set out in the OCEG Red Book –
that is, the three lines of defense apply to data privacy management in the same way as
they apply for other subject matter areas:

● 1st Line: the business unit is supported by,
● 2nd Line: the legal / risk management / compliance functions that provide
ongoing controls monitoring, and
● 3rd Line: audit provides assurance over governance, risk management, and
compliance or controls.

The three lines of defense model and the expectations of regulators are in alignment –
the business unit managers are expected to take responsibility for ensuring compliance
and meeting performance objectives. All business unit leaders should be accountable to
comply with data privacy principles, actions and controls in all their business activities
and processes. Even where they delegate a data processing task to a third party outside
of the organization, the data privacy laws and the regulators continue to hold the
organization accountable – the task can be delegated, but not the responsibility.

In the absence of a satisfactory defense (including adequate due diligence and clear
contractual allocation of responsibilities), regulators will always hold the organization
responsible if a data privacy breach arises through the actions or inactions of a third
party (such as a vendor) to which an organization has delegated a data processing task.

Depending on the privacy maturity of the organization, it is important to ensure that all
policies and procedures are formally documented and implemented before any
monitoring or assurance can be carried out. Recommendations for any improvement
need to be considered against the key risks that have been identified so that measures
are taken promptly by the respective business unit leaders who “own” the business
activities. Otherwise, reviews are just an academic exercise where organizations have
identified non-compliant areas and planned for changes but have failed to implement
them. As a result, the data breach or other compliance failure recurs, exposing the
organization to an investigation by the regulators, including the risk of higher penalties
where the organization is a ‘repeat offender’.

Principles of Integrated Data Privacy

Principles of Integrated Data Privacy are derived from the many directives, resolutions,
laws, and regulations regarding data privacy that have developed over time. From an
international perspective, in 1980 the OECD established what may well be the first
principle of data privacy, limiting the collection of personal information to lawful and
fair means and, where appropriate, with the knowledge or consent of the relevant
individual. In 1995, the European Data Protection Directive introduced criteria for
lawful or legitimate processing and in 2009, the Madrid Resolution created universal
data privacy principles. Other discussions of data privacy principles have followed with
the establishment of the GDPR and the ISO 29100 framework for the protection of
personal information within information and communication technology (ICT) systems.
Taken together, these and other established data privacy principles sit at the core of the
Integrated Data Privacy Capability Model. While data privacy principles are defined,
named, and described differently in the many official and unofficial publications that
establish them, overall they can be consolidated into eight overarching categories that
should be applied to the Integrated Data Privacy lifecycle.

Principle 1: Accountability

Demonstrate compliance with the data privacy laws of the countries where the business
operates by documenting actions to:

o appoint a governing body such as a data privacy steering committee and a top
management executive such as a data protection officer;
o develop, enforce, monitor, audit, and update data privacy policies and
procedures; and
o establish processes for notification of data breaches to privacy regulators as
required, and for response to data subjects’ requests regarding personal
information.

Principle 2: Consent/Lawful Basis of Processing
Where consent is the relevant lawful basis of processing, ensure that the data subject
provides informed, specific consent to everything throughout the lifecycle of collection,
use, disclosure, and storage and may withdraw consent at any time. Otherwise, ensure
that there is another lawful basis of processing the personal information.

Principle 3: Transparency
Ensure that each data subject understands exactly why and what is being collected,
used, disclosed, and stored (e.g., through privacy notices, consent clauses, terms and
conditions, etc.) at the time of collection (whether directly or indirectly) as well as what
his or her rights over the data are.

Principle 4: Limitation
Ensure that appropriate limits are set for collection, use, disclosure, and storage, with
processing only as necessary for, and proportionate to the needs of, a specific, lawful
purpose and provision for disposal/destruction once the business or legal purposes for
processing the personal information have been fulfilled.

Principle 5: Minimization
Ensure that only the minimum amount of personal information that is strictly necessary
for the specified purposes, is collected, used, disclosed, and stored and that it is only
accessed by the minimally necessary number of roles/individuals.

Principle 6: Quality
Ensure that reasonable steps are taken to validate that personal information is accurate,
complete, and kept up to date to the extent necessary for the purposes for which it is
processed, especially if the data is used to make decisions that will likely impact the
individuals concerned.

Principle 7: Security
Ensure that data is collected, used, disclosed, and stored in a manner that is secure both
at rest and in transit with reasonable security safeguards against such risks as loss or
unauthorized access, destruction, use, modification, or disclosure.

Principle 8: Safe Disclosure/Transfer
Disclose and transfer information only when authorized, appropriate, and necessary,
complying with all applicable cross-border data transfer requirements while
safeguarding against loss and unauthorized use by ensuring that any receiving parties
apply the principles of integrated data privacy, have a strong integrated data privacy
capability, and operate in countries with equivalent data privacy laws or under strong
contractual provisions or corporate rules.

Data privacy laws will generally contain these principles to govern the life-cycle of
personal information. The Principles can be used to guide the organization when
processing personal information throughout the C-U-D-S Lifecycle.

Each of the principles should first be implemented at the start of the data life-cycle. As
an example, at the collect/gather stage, particular emphasis should be placed on the
consent/lawful basis principle and the transparency principle, because a failure in
relation to either or both of these principles will ‘poison’ all subsequent processing of the
personal information.

The limitation principle requires limits to be placed when collecting, using, disclosing,
and storing data based on the intended purposes of processing (whatever you intend to
do with the data). Similarly, data should be minimized at each of these stages while
ensuring data quality.

Next, the security principle is not only applicable to the store/dispose stage, but the
entire life-cycle where data needs to be protected and secured.

Finally, the safe disclosure / transfer principle should be applied where personal
information is disclosed to a third party (which includes disclosure to any entities within
the same corporate group) or when personal information is transferred to a third party
in another jurisdiction (which includes transfer to any entities within the same
corporate group).

ANATOMY OF THE INTEGRATED DATA PRIVACY CAPABILITY MODEL
The Integrated Data Privacy Capability Model includes standards for management
actions and controls upon which an organization may build an integrated approach to
data privacy that addresses compliance and risk concerns in a mature structure.

The Model does not include details of all data privacy and protection requirements
imposed by law; nor does it detail the data privacy requirements of any particular legal
system. Instead, it is jurisdiction neutral and presents a framework for thinking through
and establishing needed policies, procedures, and controls, onto which the specific
requirements of law and the relevant legal system are readily grafted.

MODEL STRUCTURE

The Integrated Data Privacy Capability Model is structured in three layers:
Components, Elements, and Practices. These layers outline an iterative,
continuous improvement process to achieve Principled Performance taking into
consideration the management of personal information. The Components in the Model
incorporate all the key concepts in the Red Book and tailor them to ensure a full CUDS
Lifecycle view for Integrated Data Privacy. The Elements and Practices guide
implementing the Components in the Model and assist organizations in achieving
Principled Performance in data privacy.

Components
Components provide an iterative continuous improvement structure for
data privacy. While there is an implied sequence, Components operate concurrently,
interactively, and symbiotically. Each Component has a description, a brief discussion of
key points, and defined Elements.

The Model uses the familiar Learn, Align, Perform and Review components of the
GRC Capability Model. Taken together, the components of the Integrated Data Privacy
Capability Model constitute an effective Data Privacy Management Program (DPMP).

DP-L: LEARN
An organization must understand and analyze the external context, the internal context,
culture, and stakeholders to determine the way data privacy must be addressed in
aspects of the organization that involve processing personal information – that is, the
“what” of data privacy.

DP-A: ALIGN
An organization must establish an overarching governance structure to guide and
oversee the organization’s data privacy management structure and processing
operations, and to demonstrate accountability and compliance with data privacy
requirements. Data privacy objectives must align to the overall organizational objectives
and strategies and the context, culture, and demands of stakeholders for data privacy.
Identify, through a personal information inventory and process-data flow maps, all
categories of privacy threats and risks arising from the organization’s processing of
personal information in its business activities, products/services, and operations.
Continuously design or adapt risk management strategies whenever the assessed residual
risk, including compliance risk, is deemed beyond risk tolerance as the external and
internal contexts change.

DP-P: PERFORM
An organization must manage identified risks and compliance requirements through a
sound and effective data privacy management program that covers data privacy-related
policies and procedures as well as relevant actions and controls, including
administrative, technical, and physical measures, at all levels within the organization.
Compliance with data privacy requirements must be enforced throughout the
organization when established policies and controls have been communicated to and
implemented by relevant internal stakeholders. Then, the organization must respond
according to applicable data privacy laws and regulations, both to individuals’ requests
to exercise their rights over their data and in the event of a data or privacy breach.

DP-R: REVIEW
An organization must periodically monitor and provide assurance that the data privacy
management program is effectively designed and implemented and continuously
improve the DPMP through timely, prioritized, and well-managed change initiatives.

Elements
Elements provide a high-level view and guidance on the overall structure
for the integrated data privacy capability.

Each Element includes a discussion of key actions and controls, which are further
detailed in the Practices. Each Element (identified by the starting letter of the
Component it sits within followed by a number) expands on that Component to describe
the key aspects of high-performing integrated data privacy management programs.

Elements define the core requirements of personal information management, including
the design, development, and implementation of the Model. Elements are applied at
many levels in the organization:

● to frame the discussion with governing bodies and executive leadership about
how data privacy supports the achievement of objectives,
● to serve as the starting point for assessing the current state of data privacy by
each business unit that processes personal information, and
● to enable assessment of the organization’s compliance with applicable data
privacy laws.

Practices
Practices describe key actions within each Element that, taken together, are
hallmarks of effective data privacy capabilities.

High-Level Practices are identified in the Elements. Related sub-practices are in the
Detailed Practices section at the end of this document.

Practices may be customized and scaled for use by any organization on an entity-wide,
unit, or project level.

The Practices describe the sound operating procedures and policies that should be
considered for adoption by each business unit in the organization that processes
personal information, and thus by the organization overall, to comply with applicable
data privacy law.

Applicable data privacy laws and/or other external mandates set out the outcomes that
organizations are expected or required to achieve as regards data privacy. They are not
specific regarding how each organization must achieve them.

Accordingly, an organization must choose the Practices that apply in the context of the
organization’s business operations, adopting and adapting the Practices to the extent
considered necessary or desirable by that organization. As a result, not all organizations
will adopt all of the Practices or adopt any particular Practice in the same way as does
another organization.

The goal for all organizations is to operationalize the organization’s compliance, that is,
to build the policies and standard operating procedures that help the organization
address the applicable data privacy laws and/or other external mandates, as well as
organizational mandates, in a defined, repeatable, and documented fashion.

A Note About Actions and Controls

Throughout the Model, there are numerous references to “actions and controls”. As in
the GRC Capability Model, an organization should consider three types and three
perspectives when setting policies and standard operating procedures to achieve
compliance with applicable data privacy law.

There are three types of actions and controls, and organizations must utilize a mix of
these actions and controls that are appropriate for them:

● Proactive Actions & Controls that promote desirable and prevent
undesirable conditions or events.
● Detective Actions & Controls that detect actual or potential occurrences of
desirable and undesirable conditions or events.
● Responsive Actions & Controls that provide recognition for desirable conduct
and correct undesirable conduct.

There are also three perspectives for actions and controls, and organizations should
consider which are appropriate for any given situation:

● Management Actions & Controls address opportunities, threats, and
requirements and provide information to management that the business is
effectively designed and operating. Sometimes, this management perspective is
all that is necessary for an effective program.
● Assurance Actions & Controls are additional actions and controls that
provide specific information to assurance professionals that the business is
effectively designed and operating when management actions and controls are
not adequate for this purpose.
● Governance Actions & Controls are additional actions and controls that
specifically constrain and conscribe the business when management actions and
controls are not adequate for this purpose.

The key idea is that Management Actions & Controls are the things management would
do for their own purposes to address opportunities, threats, and requirements.
Governance and Assurance Actions & Controls may be necessary if Management Actions
& Controls don’t provide all of the proactive, detective, or responsive structures that
serve the Governance or Assurance objectives.

As the Model is applied, the practices and their specific actions and controls will operate
within and between each of the CUDS stages of the IDP Lifecycle, as represented in this
operational view:

INTEGRATED DATA PRIVACY CAPABILITY MODEL

DP-L: Learn
Examine and analyze the external and internal business contexts, culture,
and stakeholders that affect the Data Privacy Capability in relation to each
of the organization’s business operations that process personal data.

When examining the external context, identify and monitor all relevant data privacy
requirements in the jurisdictions that apply to the organization. In addition to generally
applicable privacy law, an organization may also be required to comply with sectoral
laws, industry guidelines, codes of conduct, and other standards. These apply to an
organization in specific circumstances or a specific industry sector or in relation to
specific types of personal information (for example, the Children’s Online Privacy
Protection Act (COPPA) and/or the Health Insurance Portability and Accountability Act
(HIPAA)). A state or provincial privacy law also may apply.

When examining the internal context, consider that each organization has its own
mission, vision and values that guide voluntary choices which are also important
boundaries to consider when establishing a data privacy capability. Determine what
personal information (including sensitive personal information) is being processed by
the organization and the extent of processing in the internal context considering the
business model, culture, and stakeholders of the organization. Also identify how, if at
all, data privacy currently is being managed in the organization and how organizational
culture and stakeholder requirements affect data privacy practices.

Exact aspects of what must be learned and monitored on an ongoing basis will differ
depending on scope (entity-wide, departmental, project, etc.), scale, and style of
organization. In every case, however, it is important to consider that context changes
may give rise to a need for reconsideration of objectives, strategies, risk assessments, or
defined actions and controls. Take all necessary steps to:

● Understand the external context and opportunities for change.
● Understand the internal context and opportunities for change.
● Define the organization’s governance, risk, workforce, and ethical cultures.
● Interact with stakeholders to understand expectations, requirements, and
perspectives that impact the organization with regards to data privacy.

DP-L1 External Context

Analyze and monitor the external business context in which the
organization operates, focusing on data privacy requirements and the
forces that drive them.

.1 Analyze the External Context

● Understand the external drivers of data privacy laws, regulations, and practices
and the extent to which they may affect the Data Privacy Management Program
(DPMP) including:
o Growth of international trade and e-commerce
o Social concerns about data proliferation and intrusive technologies
o Data privacy as a human or consumer right
● Determine which data privacy legislation and regulations apply to the
organization and what each requires for the DPMP and IDP Lifecycle.
● Identify and analyze the potential impact of proposals for new privacy laws,
regulations, standards, or other guidance.
● Identify external forces which drive applicable privacy requirements, including:

o Regulations: Determine the substance of applicable data privacy
requirements in the regulatory environment (including international,
national, and local / state laws and regulations, cross-border data transfer
rules, codes of conduct, enforcement trends, and standards).

o Industry: Consider industry-specific practices and the extent of
automation / processing personal information, including sensitive
personal information under applicable regulatory requirements (including
banking and financial services, business process outsourcing, biotech,
healthcare, government, hi-tech, startups).

o Market: Identify vulnerable and sensitive customer segments impacted by
the organization’s current and planned personal information processing
(including children, elderly and disabled, patients, customer credit card
transactions).

o Societal: Determine the impact of the organization’s data processing
activities and its actual and potential impact on individual privacy and
third-party relationships (including the use of digitalization, surveillance,
disintermediation, e-commerce/online shopping, social media).

o Technological: Consider technological shifts and breakthroughs and their
degree of privacy intrusiveness that may drive changes to the IDP
Lifecycle, including in respect of ethical expectations.

o Geopolitical: Identify governmental concerns about national security,
including surveillance and other factors that may have an impact on the
IDP Lifecycle; any national policies on data privacy and rights of
individuals, and barriers to international access to information processing
technologies, including cross-border transfers of personal information that
may raise concerns about privacy versus national security.

.2 Identify External Stakeholder and Influencer Needs

● Identify key external stakeholders and influencers on the organization’s
compliance with applicable data privacy laws, including shareholders, customers,
suppliers/partners, governments, and regulators.
● Identify opportunities to influence stakeholders, in particular those that influence
legislative or regulatory developments regarding data privacy, and assign
ownership for stakeholder relationships.

.3 Watch the External Context for Change

● Monitor for changes in any of the identified aspects of the external environment
that may affect requirements or practices for the DPMP.
o Notify individuals responsible for relevant data privacy risk optimization
activities about context changes, including those that require immediate
consideration and those that are emerging as potential “over the horizon”
developments.
o Notify individuals responsible for data privacy risk analysis and
optimization activities to augment or revise the prioritized risk matrix and
risk optimization plan as needed.
● Monitor the enforcement activities of data privacy regulatory agencies and
consider how these enforcement actions may impact the organization.
● Identify triggers for consideration of changes to the data privacy capabilities of
the organization, in response to changes in the external context.

DP-L2 Internal Context

Analyze and monitor the internal business context in which the
organization operates, especially where it relates to data privacy
throughout the IDP Lifecycle.

.1 Analyze the Internal Context

● Evaluate the potential impact of data privacy requirements on the organization
within the context of existing business objectives/strategies, organizational
structures, and business processes/arrangements. Review:

o Strategic / Growth plans: Consider the potential impact on data privacy
requirements of the organization’s existing and future business model and
strategic directions (based on factors including monetization / large scale
processing of personal information, mergers, and acquisitions, new
customer-centric markets / product lines, divestitures and exits).

o Organizational charts / structures: Consider company size, complex
organizational structures, partnerships, joint ventures, and overseas
entities.

o Key processes and resources: Identify all business activities that involve
the organization processing personal information from an information
lifecycle perspective.

o Contractual arrangements: Identify contracts with employees, third
parties / outsourced services, etc., and the organization’s obligations
under them that may relate to, or have an impact on, the organization
processing personal information.

o Technology: Identify high-risk and privacy-intrusive data processing
carried out or planned by the organization using technology (including
automated decision-making, artificial intelligence, big data, behavioral
advertising, cloud computing, data analytics, facial recognition, mobile
app technology, social media, surveillance).

● Identify the interrelationships between and among elements of the structure, people,
processes, technology, information, and physical assets to understand how they are
used together to accomplish objectives through the IDP Lifecycle.

● Determine whether the organization seeks to comply with applicable data privacy
requirements with jurisdiction-specific policies and procedures, or by applying the
strictest requirements from any jurisdiction throughout the organization, or by
another approach.
● Identify triggers for consideration of changes to the organization’s data privacy
capabilities in response to changes in the internal context that may have an impact
on the IDP Lifecycle.

.2 Watch the Internal Context for Change

● Monitor significant changes in business strategy where changes could affect or
require changes to the DPMP.
● Monitor for changes in any of the identified aspects of the internal environment
(organizational structures, processes and resources, contracts, technologies in use)
that may affect requirements or practices for the IDP Lifecycle.
o Notify individuals responsible for relevant data privacy risk optimization
activities about context changes, including those that require immediate
consideration and those that are emerging as potential “over the horizon”
developments such as a planned merger or acquisition.
o Notify individuals responsible for data privacy risk analysis and optimization
activities to augment or revise any prioritized risk matrix and risk
optimization plan as needed.

DP-L3 Culture

Understand the existing culture, including how leadership models culture,
the organizational climate, and individual mindsets about governance,
management, and assurance of data privacy.

.1 Analyze Data Governance Culture and “Tone at the Top”

● Determine the Board’s views on data privacy and how related requirements may
affect organizational objectives.
● Identify and assess any communications, formal and informal, from the Board to
management, employees, and stakeholder groups.
● Determine management and workforce views of what the Board believes and wants
to be done with regard to data privacy.

.2 Analyze Management Culture

● Consider management style (authoritarian, democratic, laissez-faire, transactional)
and how it should be considered in connection with data privacy requirements.
● Determine board and workforce views of what management in general believes and
wants to be done with regard to ethical decisions related to data privacy.
● Identify the ways in which management applies data privacy principles, policies, and
processes with regard to the organization’s employees and third parties.
● Identify if and how compliance with data privacy policies and processes factors into
decisions about employee evaluations and promotions.

.3 Analyze Risk Culture

● Evaluate whether senior management communicates risk appetite and tolerances,
including to the data privacy steering committee, so that the committee can make
decisions and develop and implement policies and standard operating procedures
accordingly.
● Determine the extent to which the organization applies its general determinations
about the level to which the organization is risk averse and its risk appetite to data
privacy risk.
● Evaluate the current data privacy risk culture (e.g., risk-averse, risk-taking) for each
aspect of the IDP Lifecycle.

.4 Analyze Ethical Culture

● Identify the ethical standards, principles, values, and norms that leadership wants
the organization to adhere to, in connection with processing of personal information.
● Assess the existing ethical climate including observable, formal elements in the
organization and individual mindsets, to determine the degree to which the
workforce believes the organization expects and supports responsible behavior and
integrity with regards to data privacy.

.5 Analyze Workforce Engagement

● Assess workforce views on the alignment of personal values with organizational
mission and values with regards to data privacy.
● Periodically evaluate workforce level of commitment and perception of management
commitment to executing the data privacy policies and procedures.

.6 Watch the Decision-Making Culture

● Monitor changes in culture metrics regarding the DPMP.
● Monitor for any impact on decision-making by management and workforce from
competing objectives.

DP-L4 Stakeholders

Interact with stakeholders to understand data privacy expectations,
requirements, and perspectives.

.1 Identify Internal and External Stakeholders

● Identify internal stakeholders and business unit leaders with defined business
performance objectives impacted by data privacy capability.
● Assemble and review available information about each key stakeholder organization
(internal and external) including key individuals important to the relationship and
the DPMP.

.2 Analyze Stakeholder and Influencer Expectations

● Track the attitudes and expectations about privacy held by the organization’s key
stakeholders (directors, employees, customers, clients, data privacy regulator,
outsourced vendors / processors, external privacy organizations, unions, etc.).
● Ensure that there is an “owner” of each stakeholder relationship to identify and
discuss stakeholder views and keep information about each stakeholder group
current.
● Consider potentially conflicting views amongst stakeholder groups and establish a
methodology for making decisions and communicating with each group.

DP-A: Align
Align data privacy objectives, strategies, decision-making criteria, actions,
and controls with the organizational objectives and strategies, and with the
context, culture, and stakeholder requirements for data privacy.

Data privacy objectives must align to the overall organizational objectives and strategies
and the context, culture, and demands of stakeholders for data privacy. The data privacy
steering committee should set data privacy objectives, develop clear decision-making
criteria, and provide continuing oversight.

Proactively identify and assess impacts of all privacy-related threats throughout the
business environment including processing of personal information from customers and
vendors, recruitment and human resource management activities, face-to-face
interactions with individuals, biometric, geospatial, telephonic, and online activities,
social media presence, operations, and analytics. Design actions and controls to manage
the identified privacy risks. Rank threats in terms of risk severity, impact, and
likelihood.

Establish a personal information inventory and process data flow maps, each addressing
the categories of privacy threats and levels of risks arising from the organization’s
processing of personal information. Map these to the organizational objectives they may
affect, the controls to address them, and the roles responsible for overseeing them.

Take all necessary steps to:

● Ensure that the governance and objectives established for the DPMP align with the
governance and objectives of the organization.
● Identify forces related to data privacy that may constrain how the organization can
operate (requirements) or cause undesirable effects on objectives (threats).
● Analyze current and planned approaches to address data privacy opportunities,
threats, and requirements arising from the organization’s processing of personal
information in its business activities and operations.
● Develop strategic and tactical initiatives to address risks and comply with
requirements regarding data privacy.

DP-A1 Direction

Provide oversight and structure for managing data privacy by establishing a
data privacy steering committee, authorizing a Data Privacy Management
Program (DPMP), and appointing a chief data privacy executive.

.1 Create a Data Privacy Steering Committee

● Empower the committee to support and guide the data privacy management
program (DPMP), ensure alignment of objectives, define acceptable levels of residual
risk related to personal information processing, and provide decision criteria
including views of risk tolerance, avoidance, and mitigation options.
● Form a steering committee at the ‘headquarters’ level, in the case of a group of
companies, and establish a reporting hierarchy for the steering committee of each
group entity to the ‘headquarters’ committee.
● Include heads of external customer-facing business functions processing personal
information; legal, compliance, risk management, human resources, learning,
marketing, and communications representatives.

.2 Authorize the DPMP, Define Its Mission/Vision/Values, and Provide
Management Commitment and Resources

● Align goals with the organization’s overall mission, vision, and values.
● Create formal statements of purpose and value of the DPMP.
● Obtain management-level commitment and approval of needed resources.
● Periodically update goals in light of changes in the business context.

.3 Appoint a Chief Privacy Officer or Data Protection Officer

● Empower the designated credentialed CPO/DPO (or other designated similar
officer) to lead the organization’s DPMP and to support the steering committee by
providing subject matter expertise and project support.
● Where required by law, ensure the requisite degree of independence from
management.

DP-A2 Objectives

Define a balanced set of measurable objectives for the DPMP that support
organizational objectives and ensure compliance with requirements
regarding the IDP Lifecycle.

.1 Perform High-Level Analysis of Data Privacy Threats and Requirements

● Identify:
o what categories of information are collected (e.g., identifying, relational,
financial, health-related) or generated (e.g., records of transactions);
o which categories of personal information are considered sensitive; and
o when, how, and where personal information flows.
● Evaluate:
o the purposes for which the organization uses or discloses both non-
sensitive and sensitive personal information;
o why the organization discloses personal information to third parties; and
o why the organization transfers personal information to other countries.

.2 Determine Relevant Legal and Other Requirements

● Consider applicable privacy legislation, industry or sector requirements, and
stakeholder group demands relating to data privacy that need to be part of decision-
making criteria and that are appropriate as a frame of regulatory reference for
privacy requirements.
● Consider the objectives, mission, vision, and values of the organization.

.3 Establish DPMP Objectives to Meet Requirements

● Formally document specific, measurable, achievable, relevant, and time-bound
objectives that are consistent with and mapped to organizational objectives.
● Define maturity targets for the DPMP and specific roles within it.
● As part of statements of objectives, justify the information processing purposes in
business activities for each applicable data privacy law – for example, under the
GDPR, in terms of one or more of the following lawful bases (3Cs and 3Is):
o Consent from the individual concerned;
o Compliance with a legal obligation;
o Contract fulfillment or performance;
o vital Interest of the individual;
o public Interest or task performed by a public authority; or
o legitimate Interest of the organization or a relevant third party.
● Cascade data privacy objectives down to the individual team level.
● Assign accountability for achieving DPMP objectives at every level of the
organization.

DP-A3 Identification

Identify all personal information processing activities, their purposes, and
their data flows to enable assessment and monitoring of forces that may
affect achievement of objectives or compel a change in the DPMP.

.1 Prepare a personal information inventory

● Identify the categories of personal information (including those that are considered
sensitive) that the organization collects, the purposes for collecting it, and the third
parties to which the organization discloses the personal information.
● Map an inventory of items of personal information against the categories, purposes,
and disclosures, and assets collecting or processing such information.
● Identify external and internal forces (events, conditions, requirements) linked to
data privacy for each category throughout the IDP Lifecycle, that may affect the
achievement of the DPMP and the organization’s objectives.
● Update the personal information inventory regularly as external context changes
suggest.

.2 Prepare data flow maps

● Define where, when, and how each category of personal information moves
throughout the organization and its processes, and to any third parties during the IDP
Lifecycle.
● Reconcile any conflicting business purposes or justifications for processing personal
information across the inventory and the data maps.
● Update regularly as changes are made in business operations and data usage.
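As an added illustration (not part of the OCEG model), the Python sketch below holds a personal information inventory (.1) and a data flow map (.2) as records and reconciles them against each other: every inventory purpose needs a lawful basis from the DP-A2 list, every mapped flow must correspond to an inventory purpose and a recorded disclosure, every endpoint must be a known asset or listed third party, recorded disclosures must appear on the map, and cross-border flows are flagged for transfer-control review. All categories, asset names, third parties and purposes are constructed placeholders.

```python
from dataclasses import dataclass, field

# Lawful bases named in DP-A2 (the "3Cs and 3Is") for GDPR-style processing.
LAWFUL_BASES = {"consent", "compliance", "contract",
                "vital_interest", "public_interest", "legitimate_interest"}


@dataclass
class InventoryItem:
    """One row of the personal information inventory (DP-A3 .1)."""
    category: str
    sensitive: bool
    purposes: set = field(default_factory=set)        # why it is processed
    lawful_basis: dict = field(default_factory=dict)  # purpose -> basis
    disclosed_to: set = field(default_factory=set)    # third-party recipients


@dataclass
class DataFlow:
    """One edge of the data flow map (DP-A3 .2)."""
    category: str
    source: str
    destination: str
    purpose: str
    cross_border: bool = False   # leaves the organization's home jurisdiction


def reconcile(items, flows, assets, third_parties):
    """Cross-check inventory against flow map; returns findings (empty = consistent)."""
    findings = []
    by_cat = {i.category: i for i in items}

    # 1. Every inventory purpose must carry a recognized lawful basis.
    for item in items:
        for purpose in sorted(item.purposes):
            if item.lawful_basis.get(purpose) not in LAWFUL_BASES:
                findings.append(f"{item.category}: purpose '{purpose}' has no lawful basis")

    # 2. Every mapped flow must be explained by the inventory.
    for f in flows:
        item = by_cat.get(f.category)
        if item is None:
            findings.append(f"{f.category}: flow {f.source}->{f.destination} "
                            "covers a category missing from the inventory")
            continue
        if f.purpose not in item.purposes:
            findings.append(f"{f.category}: flow to {f.destination} for "
                            f"'{f.purpose}' has no matching inventory purpose")
        if f.destination in third_parties and f.destination not in item.disclosed_to:
            findings.append(f"{f.category}: disclosure to {f.destination} "
                            "is not recorded in the inventory")
        for endpoint in (f.source, f.destination):
            if endpoint not in assets and endpoint not in third_parties:
                findings.append(f"{f.category}: endpoint '{endpoint}' is neither "
                                "a known asset nor a listed third party")
        if f.cross_border:
            findings.append(f"{f.category}: cross-border flow to {f.destination} "
                            "needs out-of-jurisdiction transfer controls (DP-P1 .2)")

    # 3. Every disclosure recorded in the inventory must appear on the flow map.
    for item in items:
        for tp in sorted(item.disclosed_to):
            if not any(fl.category == item.category and fl.destination == tp
                       for fl in flows):
                findings.append(f"{item.category}: disclosure to {tp} recorded "
                                "but no data flow is mapped")
    return findings


def run_example():
    """Constructed sample inventory and flow map (all names hypothetical)."""
    items = [
        InventoryItem("contact details", sensitive=False,
                      purposes={"order fulfillment", "marketing"},
                      lawful_basis={"order fulfillment": "contract",
                                    "marketing": "consent"},
                      disclosed_to={"ShipCo"}),
        InventoryItem("health data", sensitive=True,
                      purposes={"accessibility support"},
                      lawful_basis={},                   # gap: no basis recorded
                      disclosed_to={"ClinicPartner"}),   # gap: no flow mapped
    ]
    flows = [
        DataFlow("contact details", "crm", "ShipCo", "order fulfillment"),
        DataFlow("contact details", "crm", "AnalyticsVendor", "profiling",
                 cross_border=True),                     # unjustified, undisclosed
        DataFlow("health data", "hr_system", "clinic_portal",
                 "accessibility support"),               # unknown endpoint
    ]
    assets = {"crm", "hr_system"}
    third_parties = {"ShipCo", "AnalyticsVendor", "ClinicPartner"}
    return reconcile(items, flows, assets, third_parties)


if __name__ == "__main__":
    for line in run_example():
        print("FINDING:", line)
```

Running the sample produces six findings; each one is a discrepancy the practice asks the organization to reconcile before the inventory and map are relied on for assessment. Re-running the check after every change to business operations or data usage is the "update regularly" step.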

.3 Identify privacy-related threats and requirements in business operations

● Examine the personal information inventory and data flows.
● Examine the business operations and overall information management needs,
paying particular attention to sensitive information and retention requirements.
● Identify how new or changing products and services (including changing channels of
delivery, format of customer interaction like biometrics and geolocation, and
intended and unintended customers—geriatric, disabled, and children) alter IDP
Lifecycle processes and data privacy risks.

DP-A4 Assessment

Analyze current and planned approaches to address threats and
requirements that are relevant to, or have an impact on, data privacy.

.1 Prepare for Assessment

● Identify internal stakeholders (including those from human resources, enterprise
risk, learning and development, customer-facing departments, IT, business process
and channel owners, and data stewards) with which to collaborate during the
assessment.
● Establish an enterprise-wide risk management framework to assess threats and the
related inherent and residual privacy-related risks, or ensure that data privacy risk
management is integrated into the enterprise framework to assess inherent and
residual privacy-related risks.
● Reconcile variances across the rating schema to permit comparison for heat mapping
and prioritization purposes across the data privacy capability, aligning the initiative
portfolio management approach to any enterprise-wide change management
framework.
● Prioritize assessment schedules focusing on high risk and non-compliance, adapting
the schedule based on the current portfolio of planned or in-process change
initiatives.
● Secure buy-in for the schedule considering time conflicts for the internal
stakeholders (e.g., peaks/valleys in business operations, examiner/regulator reviews,
or audit plans).

.2 Analyze Threats/Risk
● Use the history of the organization and peers (based on industry, geography, business
activities, and workforce scale and footprint) to analyze vulnerabilities affecting data
privacy.
● Assess the acceptability of residual personal information risks (including risks
related to sensitive personal information) having regard to the organization’s
personal information inventory and its data flow maps.
● Consider the suitability of existing controls for personal information requiring
special protection.
● Assess residual privacy risks related to business process risks (including multiple
engagement channels/tools, disclosures/transfers to outsourced processors and
other third parties), paying particular attention to the potential for cascading risk.
● Assess project or product risks by conducting detailed data privacy impact
assessments and examining the results to determine that the projects or products
should remain in the portfolio when considering the cost/benefit of controls needed
to manage privacy risks.

.3 Analyze Requirements/Compliance
● Use the history of the organization and peers (based on industry, geography,
business activities, and workforce scale and footprint) to analyze the likelihood and
impact of data privacy-related compliance violations of any requirements.
● Determine areas where data privacy requirements are not addressed or fail to meet
required levels of compliance.
● Evaluate accountability for managing data privacy compliance.

.4 Prioritize Management of Threats and Requirements

● Determine the approach and resources to address the impact of threats and related
risks based on likelihood of occurrence and severity, in line with decision-making,
risk analysis, and change management criteria established by the organization
generally and specifically for the DPMP.
● Determine the approach and resources to address compliance with specific
requirements based on the criticality and materiality of the business operations they
apply to and potential impacts of non-compliance including penalties, reputational
damage, and ability to operate.

DP-A5 Design

Develop strategic and tactical initiatives to address data privacy threats and
related risks, and to ensure compliance with requirements.

.1 Explore Options to Address Compliance with Requirements

When existing compliance actions and controls are not optimal, design and document
alternative or additional actions and controls using established decision-making criteria.

.2 Explore Options to Address Threats and Associated Risk

When the current residual data privacy risk is unacceptable, design and document
alternative or additional actions and controls using established decision-making criteria,
with particular attention to the layering of single-purpose and dual-purpose controls.

.3 Design Transfer and Risk Financing Strategies

Apply risk financing (e.g., cyber risk insurance) and other risk-sharing approaches after
determining any requirements or policies that require or preclude their use.

.4 Determine Planned Residual Risk

Confirm that the anticipated residual risk related to data privacy, once the proposed
actions and controls are implemented, falls within risk tolerance.

.5 Address Inherently High Risk

Identify actions and controls, including additional monitoring activities, that are in
place or planned for inherently high risks.

.6 Develop Key Indicators

Develop key performance (KPI), key compliance (KCI), and key risk (KRI) indicators.

.7 Define Information Management Structure

Determine the definitions, classifications, and procedures necessary to identify and
manage data privacy in the organization and extended enterprise, and define an ongoing
process for maintaining personal information inventories and classifications, following
the IDP Lifecycle.

.8 Develop Technology Architecture

Identify key data privacy-related processes and controls that are less error-prone and
more efficient if enabled by technology, and determine what solutions to use within the
overall technology architecture of the organization.

.9 Develop Integrated Plan

Define specific and integrated initiatives, timelines, budgets, and assignments.

DP-P: Perform

Operationalize the Data Privacy Management Program (DPMP) by
developing and implementing the controls and actions required to manage
data privacy risks, and document them in appropriate policies.

Manage all of the organization’s identified risks and compliance requirements through a
sound and effective Data Privacy Management Program that has data privacy-related
policies, procedures, actions, and controls at all levels within the organization. Establish
policies, processes, and controls to manage each phase of the IDP Lifecycle for all
business activities across the organization that involve processing personal information,
according to the various applicable privacy principles:

● Collection (Lawfulness of Processing, Transparency, Notice, and Choice).
● Use / General Processing (Use Limitation, Purpose Limitation, Data
Minimization, Accuracy).
● Disclosure / Transfer (Disclosure Limitation, Transfer Limitation).
● Storage / Disposal (Security / Protection, Retention / Storage Limitation).
● Rights of individuals (right to access and control information,
notification/transparency of processing, data portability, correction, objection to
processing, restriction of processing, deletion/‘right to be forgotten’).

Communicate data privacy requirements throughout the organization. Ensure that
actions and controls documented in policies and standard operating procedures are
implemented operationally and supported by employee training and monitoring of
compliance. Take enforcement action and respond to instances of non-compliance in
accordance with established policies and procedures.

Take all necessary steps to:

● Establish technical, administrative, and physical controls to manage each phase of
the IDP Lifecycle for all business activities across the organization that involve
processing personal information, according to the various applicable privacy
principles, as needed to reduce the likelihood, impact, or velocity of undesirable
conditions or events.
● Define a hierarchy for policies and determine what data privacy policies are
required by the organization in light of its business activities.

● Establish communications to deliver and receive relevant, reliable, and timely
information to and from defined audiences as required by mandates, or as needed
to perform responsibilities and effectively shape attitudes related to data privacy.
● Educate the governing authority, management, the workforce, and the extended
enterprise about expected conduct, and increase the skills and motivation needed
to help the organization address opportunities, threats, and requirements
pertaining to data privacy.
● Implement incentives that motivate desired conduct and recognize those who
contribute to positive outcomes to reinforce desired conduct pertaining to data
privacy.
● Provide multiple pathways to report progress toward objectives, and the actual or
potential occurrence of undesirable and desirable conduct, conditions, and events
pertaining to data privacy (e.g. whistleblowing scheme).
● Periodically analyze data and seek input about progress toward objectives related
to data privacy; and the existence of undesirable conduct, conditions, and events
pertaining to data privacy.
● Design and promulgate through the extended enterprise data request and data
breach response plans.
● When necessary, execute within mandated timeframes, and document responses
to:
o Requests regarding how an individual’s personal information is being
processed, including revocation of authority and exceptions to those
requests.
o Identified or suspected undesirable conduct regarding maintenance of data
privacy, and manage events or identified weaknesses in the DPMP that result
in improper handling or release of personal information.

DP-P1. Controls

Establish technical, administrative, and physical controls to manage each
phase of the IDP Lifecycle for all business activities across the organization
that involve processing personal information, according to the various
applicable privacy principles, as needed to reduce the likelihood, impact,
or velocity of undesirable conditions or events.

.1 Establish Controls to Achieve Privacy by Design and by Default

● Consider privacy issues at the design phase of any system, service, product, or
process that involves processing personal information, and integrate the necessary
safeguards to fulfill privacy requirements and to protect data subject rights.
● Apply the central privacy principles of personal information minimization and
purpose limitation.
● Make business decisions to avoid, tolerate, reduce, or transfer each identified risk.

.2 Determine Controls
● Define proactive actions and controls for data privacy risks, including those in the
following categories, depending on applicable data privacy laws:
o Regulatory requirements regarding approvals, authorizations, pre-submission
reviews, quality reviews
o Process controls
o Administrative controls
o Technological controls
o Physical controls
o Data subject’s consent or other lawful basis requirements
o Privacy notice requirements
o Contractual arrangements
o Out of Country/Jurisdiction Transfer Controls
● For each control define:
o Who will “own” and perform the control
o When and how often it will be performed
o Who will have override or modification authority
o Requirements for modification or override

DP-P2. Policies

Develop and implement appropriate policies and standard operating
procedures (SOPs) to establish the rationale and rules for governing and
protecting personal information in the organization, taking into
consideration the risks and controls.

.1 Determine Policies

● Develop and implement policies and related standard operating procedures
(SOPs) for general processes, such as handling access and correction requests,
determining the lawful basis of processing (for example, carrying out a legitimate
interests assessment or obtaining consent), withdrawing consent or objecting to /
restricting processing, and ensuring the accuracy of personal information, and for
processes that are specific to a department’s operations.
● Develop and implement policies to govern the circumstances and timing under
which the organization must perform data privacy related impact assessments and
related SOPs for conducting such assessments.
● Establish assurance by having experts and the steering committee review and
approve the policies and SOPs before implementation.
● Review and update policies and SOPs regularly, or as needed when there are
changes to privacy laws or to internal business practices and processes.

.2 Implement and Manage Policies and SOPs

● Determine how to make each policy and SOP available to its relevant audience,
which should be established throughout the extended enterprise, and to what
extent education is required.
● Define methods for assessing understanding and ability to perform processes.
● Establish methods for monitoring and periodic assessment of effectiveness.

.3 Champion Policies
● Ensure management shows support for policies and SOPs in word and action.

DP-P3 Communication

Establish communications to deliver and receive relevant, reliable,
and timely information to and from defined audiences as required
by mandates, or as needed to perform responsibilities and
effectively shape attitudes related to data privacy.

.1 Develop a Reporting Plan

● Identify required reports to data privacy regulators and other stakeholders.
● Define internal reports needed to allow the entity to certify there are no violations
or infringements of mandates, policies or SOPs relating to data privacy, and those
needed to manage the data privacy capability.
● Define any additionally desired voluntary reports to stakeholders.
● For each type of report, develop a matrix of pertinent information including:
o schedules or triggering events;
o content required;
o location or source of the content required;
o person or office responsible for preparing and filing each report;
o location or classification of each report copy as it will be retained;
o record retention and protection rules; and
o method for confirmation of delivery and receipt.

.2 Develop process architecture

● Identify information and communications about similar processes.
● Ensure each individual receives the necessary communications to perform their
duties with regard to data privacy.

.3 Develop communication plan and strategy

● Define current and desired levels of knowledge for each audience and the
likelihood of change resistance.
● Identify:
o who is responsible for developing the communication messages;
o all key program messages with identified senders and target audiences;
o the various communication pieces that will deliver each message;
o methods of communication for each category of message;
o the high-level delivery schedule and triggering events;
o methods and requirements for maintaining communications records; and
o schedules and methods for review and update of communication materials.
● Periodically update communications to keep them relevant.

DP-P4 Education

Educate the governing authority, management, the workforce, and the
extended enterprise about expected conduct, and increase the skills and
motivation needed to help the organization address opportunities, threats,
and requirements pertaining to data privacy.

.1 Develop an Awareness and Education plan

● Inform each target population of the data privacy capability along with their
specific responsibilities and expected conduct.
● Ensure that people only get education relevant to their function/position,
especially when it requires handling sensitive data.
● Include materials to reinforce awareness (e.g., posters, signage, email reminders).
● Maintain records of campaigns and participants.

.2 Develop a Curriculum Plan

● Identify and outline courses, considering any legal and operational requirements
for training.
● For each course, the plan should define the content, target audiences, frequency,
time required, and methods of delivery.
● Identify course developers and trainers who should have the relevant professional
privacy and security certifications.
● Establish a method for tracking courses delivered and participants.
● Establish periodic review of courses for effectiveness and relevance.

.3 Develop or Acquire Content

● Inventory all campaigns, course content, training vendors, and instructors.
● Evaluate what to keep or change and develop a content plan to replace or fill gaps.

.4 Implement Education
● Integrate data privacy training into existing job training when possible.
● Use appropriate technology to deliver and to measure understanding.
● Maintain records of delivery and understanding.

.5 Provide Helpline and Integrated Support

● Prepare helpline personnel to receive reports of issues and respond to questions.
● Ensure that supervisors and data privacy capability personnel embedded in the
business can answer questions about authority, responsibilities, and issues related
to data privacy-related policies, procedures, and issues.
● Provide self-service resources that target audiences can use to answer questions
themselves.

DP-P5 Incentives

Implement incentives that motivate desired conduct and recognize those
who contribute to positive outcomes to reinforce desired conduct
pertaining to data privacy.

.1 Define the desired conduct

● Consider the guidance and decision-making criteria established regarding data
privacy (keeping in mind how front-line data processors would apply it).
● Establish a clear “tone from the top” about desired conduct.

.2 Hire and promote based on conduct expectations

● Include data privacy conduct expectations in job descriptions, reviews,
evaluations, compensation/bonus decisions, and hiring and promotions.
● Develop performance evaluations and promotion process for key roles with data
privacy duties that specifically rely on expected conduct.

.3 Develop and implement compensation/reward/recognition programs

● Develop compensation and bonus structures that include consideration and
reward for following decision-making criteria, and that avoid incentives that
encourage (even unintentionally) misconduct in any role related to data privacy.
● Analyze compensation and bonus plans for roles that have substantial authority
and those that relate to revenue generation or financial responsibilities,
confirming that they do not induce non-compliant or unethical behavior with
regard to data privacy.
● Develop awards and other incentives for contributions by individuals or
organizational or extended enterprise units that result in reduced compliance
failures, enforcement actions, or other external challenges to the organization
regarding data privacy.

DP-P6 Notification

Establish channels and pathways for stakeholders to notify management of
their level of satisfaction with the data privacy practices of the organization,
and for individuals to make requests and exercise rights regarding their
personal information, as well as pathways to report the actual or potential
occurrence of undesirable conduct and events pertaining to data privacy.

.1 Capture notifications
● Establish multiple pathways with anonymous options for external and internal
stakeholders to access their personal information, provide feedback regarding
their satisfaction or non-satisfaction with the data privacy practices of the
organization, and to report any identified or suspected violations or failures to
comply with established procedures or incidents.
● Provide multiple pathways for requests by individuals, according to applicable
data privacy laws and regulations, to exercise their rights over their data
(including rejections) and establish procedures to ensure an appropriate response
to such requests, including by:
o having procedures to channel the notification, feedback, or request to the
relevant organizational department(s) to handle, and to escalate the
notification, feedback, or request up the organizational hierarchy where
required; and
o maintaining records of all notifications, feedback, rejections, and requests
for follow-up actions and for use to determine any needed improvement to
the organization’s data privacy processes and practices.
● Establish methods and tools for analyzing the effectiveness of the multiple
pathways in achieving objectives.

.2 Filter and Route Notifications

● Create uniform procedures to manage notifications, including methods to
efficiently review and address each notification.
● Establish methods to track each notification (including requests regarding an
individual’s personal information) through resolution.
● Establish procedures to communicate feedback to the notifier.
● Maintain records of all notifications and resolutions.

.3 Adhere to Data Privacy Requirements

● Understand requirements that are applicable to your organization, such as
stipulated periods to respond to and fulfill requests, and provide hotlines that comply
with all applicable data privacy-related mandates.
● Establish separate hotlines, or routing approaches, as needed to comply with legal
requirements based on the locale of the notifier and of the organization.

DP-P7 Inquiry

Periodically analyze data and seek input about progress toward objectives
related to data privacy and the existence of undesirable conduct,
conditions, and events pertaining to data privacy.

.1 Establish multiple pathways to obtain information

● Gather information through observations and formal and informal conversations.
● Define an approach to surveys.
● Establish self-assessments.
● Develop a technology strategy for automating some inquiries and tracking
progress toward data privacy objectives.

.2 Report Information and Findings

● Report the findings to the relevant organizational entity to address and act upon.
● Maintain records of all findings for follow-up actions and improvement to the
organization’s data privacy processes and practices.
● Flag any trends, patterns, or anomalies that may require concerted
organization-wide actions (e.g., systemic issues).

DP-P8 Response

Respond, in accordance with applicable data privacy laws and regulations,
to any individual’s request to exercise their rights over their information,
identified data or privacy breach, or complaint about data privacy
management; and any identified or suspected undesirable conduct, events,
or management weaknesses affecting data privacy.

.1 Design response structure for individual requests

● Understand the various rights that are available to individuals (data subjects)
according to the provisions of the relevant data privacy laws.
● Establish standard request forms and procedures including those needed to verify
the identity of the requester, respond according to requirements for form and
timeframe, and track any exceptions or denials.
● Validate that third-party data handlers’ response structures for individual requests
meet organizational and DPMP objectives.

.2 Establish a data breach response plan

● Create a data breach response team with clearly defined roles and responsibilities.
● Document the response plan including defined actions to repress, return, resolve,
report, identify root causes, and improve the management system.
● Define process for determining reporting requirements and delivering reports.
● Develop mock scenarios and perform tabletop exercises.
● Validate that third-party data handlers’ response structures for data breaches meet
organizational and DPMP objectives.

.3 Establish investigation processes

● Map investigation types, including third-party investigation types, into
“investigation tiers” that may be resolved by line managers, senior management
and/or outside counsel, special investigators, those that must be escalated to the
Board or a Board committee, and those that must be externally disclosed.
● Establish a core team (including a list of pre-approved outside counsel) to handle
data privacy-related issues and roles responsible for implementing or overseeing
procedures for each type of investigation (augmenting the team for specialty
investigations).
● Define an issue management methodology that defines adaptable standard
response management plans with key steps for each investigation type and tier
meeting all legal mandates (including external disclosures), while protecting
anonymity, confidentiality, and privilege.

● As appropriate to the investigation tier, establish procedures for informing senior
management (including public and stakeholder relations), the Board, Audit
Committee, independent auditors, and regulators of the onset of and outcomes
from investigations.
● Establish multiple pathways to handle questions regarding investigations, with
acceptable answers to expected questions and requisite standards and procedures
for referring inquiries to in-house or external counsel, and for referring precursor
inquiries to third-party investigations to the appropriate personnel responsible for
vetting such investigations.
● Establish policies and procedures that ensure investigation team members
(including outside counsel) have been screened for conflicts of interest or bias,
have clear authority, and make others aware of that authority.

.4 Prepare to address crisis situations

● For each type of data privacy related crisis:
o Develop a business and privacy impact analysis;
o Define business continuity and recovery goals;
o Create detailed continuity and recovery plans; and
o Identify crisis readiness and response teams.
● Conduct preparedness exercise plans.

.5 Follow resolution processes

● Respond to each investigation or crisis situation in accordance with the
established processes and plans, including communication plans.
● Ensure adequate documentation is kept of response activities.

.6 Discipline and retrain

● For each type of misconduct, discipline consistently according to applicable
policies, procedures, laws, and regulations and provide retraining as appropriate.
● Track disciplinary actions and periodically report material disciplinary measures
to the Board.

.7 Determine and make disclosures

● As specified in the applicable investigation or crisis response plan, either
voluntarily or as mandated (within mandatory timeframes), disclose results and,
when appropriate, changes to the data privacy capability to internal and external
stakeholders (including regulators and affected individuals).

DP-R: Review

Conduct activities to monitor and improve design and operating
effectiveness of the DPMP, including its continued alignment to the
objectives and strategies of both the program and the organization overall.

As changes arise in the internal and external context and a record of data privacy events
requiring response is built, the design of the DPMP may no longer be the best to meet its
established objectives, or it may conflict with what is necessary to protect the objectives
of the organization overall. Even if the design remains appropriate, identified
weaknesses in operational effectiveness may form the basis for changes. The Data
Privacy Steering Committee may need to revisit and revise objectives and strategies, or
the DPO and DPMP managers may need to apply decision-making criteria and revise
the defined actions and controls.

At a minimum, the Data Privacy Steering Committee should directly or indirectly:

● Monitor and periodically evaluate the performance of the DPMP to ensure it is
designed and operated to be effective, efficient, and responsive to change.
● Provide assurance to management, the governing authority, and other stakeholders
that the DPMP is reliable, effective, efficient, and responsive.
● Review information from monitoring of changes in context, periodic evaluations,
detective and responsive actions and controls, and assurance reports, to identify
opportunities for data privacy capability improvements.

DP-R1 Monitoring
Monitor and periodically evaluate the performance of the DPMP to
ensure it is designed and operated to be effective, efficient, and
responsive to change.

.1 Monitor and evaluate DPMP design

● Establish schedules and specific metrics for monitoring each key type of event
or aspect of operation, including:
o the aftermath of a security or privacy incident;
o an increased spate of privacy-related complaints;
o indications of an insider threat;
o appointment of new third-party service providers;
o deterioration of a business function;
o retrenchments or exodus of staff;
o new business products, services, or technology; and
o changes in requirements.

● Establish the mechanisms to be used for monitoring (e.g., via dashboards, system
logs, customer complaints; and records of staff violations of internal rules, data
breaches, and failures to meet stakeholder expectations).
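The two monitoring metrics below are an added example (not OCEG's material) of the "specific metrics" this practice asks for, computed over constructed records: a month-over-month check that flags an increased spate of privacy-related complaints against a statistical baseline, and a count of open individual requests that are overdue or about to exceed the response period. The complaint log, the request records and the 30-day response period are constructed assumptions; the actual period comes from the applicable law.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev
from typing import Optional

# Constructed complaint log: the date each privacy-related complaint was received.
COMPLAINT_DATES = (
    [date(2022, 1, d) for d in (3, 11, 18, 27)]        # January: 4
    + [date(2022, 2, d) for d in (2, 9, 14, 21, 25)]   # February: 5
    + [date(2022, 3, d) for d in (5, 16, 29)]          # March: 3
    + [date(2022, 4, d) for d in range(1, 13)]         # April: 12
)


def monthly_counts(dates):
    """Complaints per (year, month), in chronological order."""
    counts = Counter((d.year, d.month) for d in dates)
    return [(ym, counts[ym]) for ym in sorted(counts)]


def complaint_spike(dates, k=2.0):
    """KRI: compare the latest month with the mean of earlier months plus
    k population standard deviations. Returns (month, count, threshold, spike)
    or None when fewer than two baseline months exist."""
    series = monthly_counts(dates)
    if len(series) < 3:
        return None
    *baseline, (latest, count) = series
    base = [c for _, c in baseline]
    threshold = mean(base) + k * pstdev(base)
    return latest, count, round(threshold, 2), count > threshold


@dataclass
class Request:
    """An individual's request to exercise a right (DP-P8 .1), constructed."""
    request_id: str
    kind: str                       # access, deletion, correction, ...
    received: date
    completed: Optional[date] = None


# Assumed response period in days; substitute the period the applicable law sets.
RESPONSE_DAYS = 30


def request_status(requests, as_of, response_days=RESPONSE_DAYS, warn_days=5):
    """KCI: classify open requests as overdue, or due within warn_days, as of a date."""
    overdue, due_soon = [], []
    for r in requests:
        if r.completed is not None:
            continue
        deadline = r.received + timedelta(days=response_days)
        if deadline < as_of:
            overdue.append(r.request_id)
        elif (deadline - as_of).days <= warn_days:
            due_soon.append(r.request_id)
    return {"overdue": overdue, "due_soon": due_soon}


# Constructed request register (hypothetical ids and dates).
REQUESTS = [
    Request("R-001", "access", date(2022, 3, 1), completed=date(2022, 3, 20)),
    Request("R-002", "deletion", date(2022, 3, 10)),    # deadline 2022-04-09
    Request("R-003", "access", date(2022, 3, 30)),      # deadline 2022-04-29
    Request("R-004", "correction", date(2022, 4, 20)),  # deadline 2022-05-20
]
AS_OF = date(2022, 4, 26)


if __name__ == "__main__":
    print("complaint spike:", complaint_spike(COMPLAINT_DATES))
    print("request status:", request_status(REQUESTS, AS_OF))
```

Both functions return plain values rather than printing, so the same code can feed a dashboard or a scheduled report; the threshold multiplier `k`, the response period and the warning window are the parameters a DPMP manager would set when defining the metric.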

.2 Identify Monitoring Information

● Identify sufficient reliable sources and types of internal and external information
that may help to determine if the DPMP is effective, efficient, and responsive.
● Identify risk management activities and how the failure of any may have an impact.
● Identify and use suitable technology to assist in monitoring.

.3 Perform Monitoring, Analyze, and Report Results

● Review identified documents and samples of data about data privacy; conduct
interviews and surveys then consolidate and analyze information and document
findings in reports.
● Address and act upon findings, including escalating up the organizational hierarchy
where required.
● Maintain records of all findings for follow-up actions and improvement to the
organization’s data privacy processes and practices; including flagging any trends,
patterns, or anomalies that may require concerted organization-wide actions (e.g.,
systemic issues).
● Periodically review the effectiveness and relevance of the monitoring mechanisms
and metrics.

DP-R2 Assurance

Provide assurance to management, the governing authority, and other
stakeholders that the DPMP is meeting the privacy objectives and design.

.1 Plan Assurance Assessment

● Determine the scope of review and the level of assurance desired (ranging from a
formal benchmark against applicable laws to a management-run self-assessment or
gap analysis).
● Engage the appropriate internal or external auditor (with relevant professional and
data privacy certifications) to assess the data privacy management program and
associated processes.
● Where available and appropriate, plan to apply for and achieve an external privacy
seal or certification.

.2 Perform Assurance Assessment

● Select a sufficient sample to test each operation of the DPMP.
● Document auditor report on findings and recommendations.
● Document organization follow-up on audit findings and recommendations, including
any application for an appropriate and available data privacy seal or certification for
the DPMP and achievement of any recommended data privacy certifications for the
data privacy managers and staff.

DP-R3 Improvement

Review information from periodic evaluations, detective and responsive
actions and controls, and assurance, to identify opportunities for DPMP
improvements.

.1 Develop Improvement Plan

● Develop a portfolio of improvement initiatives relating to data privacy capability.
Such initiatives could include addressing root causes of data privacy incidents or
data breaches or closing gaps to areas of weaknesses identified in an audit.
● Develop a prioritized action plan to improve the areas of weaknesses and close the
gaps, addressing items including:

o newly-identified threats/risks that need to be assessed – update risk
registers;
o identified risks with planned actions not yet executed or implemented –
determine whether planned actions need to be accelerated;
o identified risks with implemented actions, where incident or breach occurred
nonetheless because of ineffective controls – determine what changes are
required to prevent a recurrence of the incident;
o policies and procedures documented but not implemented – determine whether
implementation of documented policies needs to be accelerated;
o non-compliant practices identified – determine what changes are required to
bring the practices into compliance and prevent a recurrence; and
o outdated policies and procedures – determine what revisions are required to
bring them up to date and prevent a recurrence.

● Determine the resources required to execute the action plan (e.g., manpower,
budget, external expertise).
● Submit recommendations to the Steering Committee or senior management for
approval and either document any reasons for lack of approval and/or a
remedial timetable, or obtain approval to proceed with remediation actions.

.2 Implement Improvement Initiatives


● Perform the improvement activities as soon as possible or, as the case requires,
per the approved timetable.
● Confirm completion and assess whether targeted improvements are achieved.
● Document changes made to the DPMP and its strategic plan.

DETAILED PRACTICES
DP-L: Learn
Examine and analyze the external and internal business contexts, culture,
and stakeholders that affect the Data Privacy Capability in relation to each
of the organization’s business operations that process personal data.

DP-L1 External Context


Analyze and monitor the external business context in which the
organization operates, especially data privacy requirements and the forces
that drive them.

DP-L1.1 Analyze the External Context

DP-L1.1.01 From the business perspective, understand the three main drivers of the
evolution of data privacy laws and regulations and practices around the world and the
extent to which they may change the DPMP:

● Growth of international trade and e-commerce (leading to cross-border data flows).
● Social concerns as a result of data proliferation and technological innovation
(especially data privacy-intrusive technologies).
● Data privacy as a human right or as a consumer right.

DP-L1.1.02 From the regulatory perspective, determine which data privacy legislation
applies to the organization and, at a high level, what is required for the DPMP. There is
no “one size fits all”, but at a minimum, and in no particular order, these actions
should be carried out concurrently, not consecutively:

● Determine, at a high level, what data privacy law, if any, in the organization’s
headquarters jurisdiction requires for the DPMP.
● Determine, at a high level, what data privacy law, if any, in each jurisdiction of the
organization’s affiliate/group companies requires for the DPMP.
● Determine, at a high level, for each jurisdiction where the organization markets
goods or services, where profiled individuals are located, and where its data
processing or storage capabilities are located, what the data privacy law (including
any extra-territorial provisions) requires for the DPMP.

DP-L1.1.03 Identify and understand how proposed or recently enacted data privacy
rules, laws, standards, or other guidance will affect the organization and its ability to
meet its objectives and mandatory requirements.

DP-L1.1.04 Identify external forces that can affect the organization's DPMP, drive
changes to the IDP Lifecycle, and alter ethical expectations including:

● Industry forces (shifts to “as-a-service” business and delivery models, digitalization,
business process outsourcing, information services outsourcing, cloud-based
platforms and services, etc.);
● Market forces and expectations, including:
o customer demographics, especially in processing sensitive personal
information, and special considerations for processing personal
information of children, vulnerable groups, elderly and disabled;
o political and economic conditions, etc. that may drive the evolution
of applicable data privacy laws; and
o consumer expectations regarding the IDP Lifecycle;
● Regulatory forces (enforcement trends, upcoming/new amendments in data
privacy laws, cyber-security laws);
● Societal forces (community needs, ethical expectations, media trends,
self-expression and self-generated content in social media, tolerance of state
surveillance);
● Technology forces (technological shifts and breakthroughs, such as
privacy-intrusive technologies, automated decision-making, artificial intelligence, big data,
behavioral advertising, cloud computing, data analytics, facial recognition, mobile
app technology, social media, surveillance, information/cyber-security defenses);
● Geopolitical forces:
o Government’s concerns about national security, including
surveillance and other factors;
o Government’s national policy on data privacy and rights of
individuals (human rights, consumer rights, other rights); and
o International access to information processing technologies, etc.,
and cross-border transfers of personal information that may raise
concerns about privacy versus national security.

DP-L1.1.05 Identify key external stakeholders and influencers on the organization’s
compliance with applicable data privacy laws, including:

● shareholders – for example, expectations regarding the organization’s revenue
generation versus its approach to the DPMP;
● customers, the community at large, and the media – for example, the extent to
which earning and retaining their trust through the DPMP is relevant and/or
important to the organization;
● suppliers/partners – for example, the extent to which their data privacy capability
in compliance with data privacy laws qualifies them to be suppliers/partners of the
organization;
● regulators; and
● government.

DP-L1.2 Identify External Stakeholder and Influencer Needs

DP-L1.2.01 Assemble and review available information about each key stakeholder
category and, where applicable, their organizations, including in connection with the
IDP Lifecycle:

● key individuals important to the relationship; and
● any information about ethical conduct or non-compliance issues or concerns.

DP-L1.2.02 Identify reasons and opportunities to influence stakeholders. For
example, join industry bodies that may influence legislative development concerning
the data privacy capability and participate when regulatory agencies invite industry
players for consultation and feedback before introducing new or amending data
privacy legislation/regulation.

DP-L1.2.03 Identify opportunities where the organization can affect stakeholder and
influencer perceptions and requirements with regards to the data privacy capability.
For example, hold education and awareness sessions and position the organization as
an industry leader.

DP-L1.2.04 Assign responsibility to keep information about each key stakeholder
group current and to inform relationship executives of any relevant changes.

DP-L1.3 Watch the External Context for Change

DP-L1.3.01 Monitor stakeholder groups for changes in views and key individuals with
regards to the DPMP.

DP-L1.3.02 Monitor market conditions and geopolitical changes in all relevant
areas of operation related to the DPMP.

DP-L1.3.03 Monitor industry participants and partners/suppliers for data privacy
risk and compliance issues.

DP-L1.3.04 Monitor regulatory agencies for changes in emphasis and focus related
to data privacy risk and compliance issues.

DP-L1.3.05 Monitor changes in external requirements related to the DPMP
including those from:

o laws, rules, and regulations;
o administrative guidelines and rulings;
o significant judicial rulings;
o regulatory guidance;
o legal interpretations;
o consent orders and integrity agreements;
o enforcement activities;
o contracts;
o standards; and
o trade association commitments.

DP-L1.3.06 Monitor changes in customary practices in the industry and cultural
differences in the locations in which the organization/group operates that may have
an impact on the IDP Lifecycle.

DP-L1.3.07 Notify individuals responsible for relevant data privacy risk optimization
activities about context changes, including those that require immediate consideration
and those that are emerging as potential “over the horizon” developments.

DP-L1.3.08 Notify individuals responsible for data privacy risk analysis and
optimization activities to augment or revise the prioritized risk matrix and risk
optimization plan to reflect, as appropriate:

o changes in the form of additional, altered, or eliminated risks and
requirements;
o revised inherent risk analysis;
o current residual risk analysis;
o categorization and prioritization of risks;
o risk optimization strategy;
o risk optimization activities; and
o planned residual risk.

DP-L1.3.09 Monitor the enforcement activities of data privacy regulatory agencies and
consider how these enforcement actions may impact the organization:

● indirectly through changing conditions in the relevant jurisdiction(s) generally, or
as a result of enforcement activities and developments in other jurisdictions; and
● directly if the regulator investigates or audits the organization.

DP-L1.3.10 Identify triggers for consideration of changes to the data privacy
capabilities of the organization, in response to changes in the external context.

DP-L2 Internal Context
Analyze and monitor the internal business context in which the
organization operates, especially where it relates to data privacy
throughout the IDP Lifecycle.

DP-L2.1 Analyze the Internal Context

DP-L2.1.01 Determine whether the organization seeks to comply with applicable data
privacy law in each applicable jurisdiction by:

● establishing a series of separate jurisdiction-specific policies and standard
operating procedures; or
● determining which applicable data privacy law has the strictest requirements and
applying that law across all of the organization’s group companies/activities so that
organization/group-wide policies and standard operating procedures can apply; or
● another approach (which might be a mix of the above two approaches) that best fits
the organization’s group-wide activities.

DP-L2.1.02 Determine what aspects of the internal context can, and should be,
changed to enable the departments in the organization (or the organization’s group
companies) to better support organizational objectives through the IDP Lifecycle.

DP-L2.1.03 Identify and outline the internal organizational structure, key business
processes, and their relationship to each other for the appropriate IDP Lifecycle.

DP-L2.1.04 Identify and outline key assets in human capital, technology, physical
materials/locations, and information necessary for the DPMP, including the IDP
Lifecycle.

DP-L2.1.05 Identify and outline key products and services that need to take into
consideration data privacy requirements in their design and development, such as data
privacy by design and data privacy by default.

DP-L2.1.06 Identify the interrelationships between and among elements of the
structure, people, processes, technology, information, and physical assets to understand
how they are used together to accomplish objectives through the DPMP.

DP-L2.1.07 Identify triggers for consideration of changes to the organization’s data
privacy capabilities in response to changes in the internal context.

DP-L2.2 Watch the Internal Context for Change

DP-L2.2.01 Monitor significant changes in business strategy where changes could
affect the DPMP.

DP-L2.2.02 Monitor changes in personnel, especially those who have privileged
access to confidential and sensitive personal information and critical information
assets, to detect risks (e.g., arising from the potential actions of disgruntled
personnel).

DP-L2.2.03 Monitor changes in data privacy processes and their impact on
business operations.

DP-L2.2.04 Monitor changes in data privacy technologies and how they can be
harnessed to enhance and strengthen the protection and safeguarding of personal
information and information assets.

DP-L2.2.05 Notify individuals responsible for relevant data privacy risk optimization
activities about context changes, including those that require immediate consideration.

DP-L2.2.06 Ensure that individuals responsible for data privacy risk analysis and
optimization activities augment or revise any prioritized risk matrix and risk
optimization plan to reflect, as appropriate:

o additional, altered, or eliminated risks and requirements;
o revised inherent risk analysis;
o current residual risk analysis;
o categorization and prioritization of risks;
o risk optimization strategy;
o risk optimization activities; and
o planned residual risk.

DP-L3 Culture
Understand the existing culture, including how leadership models
culture, the organizational climate, and individual mindsets about
governance, management, and assurance of data privacy.

DP-L3.1 Analyze Data Governance Culture and “Tone at the Top”

DP-L3.1.01 Brief the Board about the organization’s plans for data privacy
and find out the Board’s views on data privacy and its impact on
organizational objectives, including whether the Board supports such plans
(if not, why not) and:

● how plans might be amended to gain or strengthen Board support and what
additional communication might align the Board and management on the DPMP;
and
● what more the Board wants done, how often it wants to be updated, what degree
of oversight it seeks, and how it would like its support to be communicated to all
staff of the organization.

DP-L3.1.02 Poll staff on their attitudes about the organization developing and
implementing a data privacy compliance culture and their role in it. Take that
feedback into account to devise plans to address staff concerns and educate staff
generally on why the organization is embarking on a data privacy capability
initiative: that is, to communicate the “tone at the top”.

DP-L3.2 Analyze Management Culture

DP-L3.2.01 Periodically, ask a sufficient sample of the workforce about their
perceptions of whether the data privacy steering committee does the following in
managing data privacy in the organization:

● communicates ethical conduct and integrity in the processing of personal
information as a priority;
● ensures internal stakeholders are properly trained in the ethical processing of
personal information and makes such processing, and integrity, a priority;
● makes ethical decisions regarding the processing of personal information and
emphasizes integrity in connection with processing personal information;
● talks about how ethics and integrity relate to organizational objectives, initiatives,
and success in connection with processing personal information; and
● links ethical processing of personal information and integrity to organizational
performance metrics.

DP-L3.2.02 Determine if ethics and integrity in connection with personal information
are considered when evaluating and promoting staff, including whether they are included
in job descriptions and, where applicable, key performance indicators (“KPIs”).

DP-L3.2.03 In connection with personal information, monitor staff achievement of
ethical conduct and integrity in their behavior, together with their achievement of KPIs.
In the case of shortfalls (other than isolated shortfalls), determine the root cause (for
example, a failure by leadership to instill appropriate staff behaviors, failure to lead by
example, failure to take disciplinary action when standard operating procedures are
disregarded).

DP-L3.3 Analyze Risk Culture

DP-L3.3.01 Periodically, ask a sufficient sample of senior management and the
workforce questions that enable assessment of the data privacy risk culture,
including:

● whether senior management communicates risk appetite and tolerances, including
to the data privacy steering committee, so that the committee can make decisions
and develop and implement policies and standard operating procedures
accordingly;
● whether senior management models appropriate risk-taking conduct; and
● whether there is a clear avenue for staff to report data privacy risks and to arrange
for the risk to be managed.

DP-L3.3.02 Evaluate the current data privacy risk culture (for example, risk-averse or
risk-taking) for each aspect of the IDP Lifecycle.

DP-L3.3.03 Define the desired state of data privacy risk climate/perceptions/indicators
in accordance with guidance from the steering committee.

DP-L3.3.04 Determine whether employees believe it is more important to achieve
performance targets at all costs or take calculated risks following the decision-making
criteria.

DP-L3.3.05 Determine whether performance evaluation processes incentivize
management or employees to take on an unacceptable level of risk.

DP-L3.4 Analyze Ethical Culture

DP-L3.4.01 Assess the existing ethical climate including observable, formal
elements in the organization and individual mindsets, to determine the degree to
which the workforce believes the organization expects and supports responsible
behavior and integrity with regard to data privacy.

DP-L3.4.02 Periodically, ask a sufficient sample of the workforce and management
(including members of the steering committee) to assess the ethical climate
concerning data privacy, including questions about:

● perceptions about stated values and principles concerning the IDP Lifecycle and
organizational support for them;
● clarity of procedures in relation to the DPMP;
● clarity of procedures by which potential issues can be raised, discussed, and
reported with confidence that they will be addressed;
● misconduct by employees (including management and the members of the steering
committee in relation to the DPMP) that is observed by other employees (including
the type of misconduct observed), the willingness of employees to report such
misconduct, and their satisfaction with organizational responses to reports of
misconduct.

DP-L3.4.03 Identify how the organization discusses the following (where
relevant to data privacy) through multiple avenues of communication:

● the importance of integrity, values, and principles in decision-making;
● the importance of asking questions and raising data privacy issues when concerns
arise;
● how to report data privacy incidents and data breaches and to ask questions;
● assurance that data privacy incidents and data breaches will receive a timely
response;
● assurance that reporting data privacy incidents and data breaches will not result in
any retaliation;
● a commitment to anonymous reporting options; and
● an approach to ethical decision-making.

DP-L3.5 Analyze Workforce Engagement

DP-L3.5.01 Assess workforce views on the alignment of personal values with
organizational mission and values with regards to data privacy.

DP-L3.5.02 Periodically, ask a sample of the workforce about their satisfaction with the
organization’s data privacy policies and standard operating procedures.

DP-L3.5.03 Periodically, ask a sample of the workforce about their level of
commitment to executing the organization’s data privacy policies and standard
operating procedures.

DP-L3.5.04 Periodically, ask a sample of the workforce and management about their
perceptions of senior management’s commitment to the competence of employees in
being able to effectively execute the organization’s data privacy policies and standard
operating procedures.

DP-L3.5.05 Periodically, ask senior management about its commitment to developing
the competencies of the workforce to effectively execute the organization’s data
privacy policies and standard operating procedures, including whether sufficient
resources (in terms of both financial budget and headcount) are provided in
connection with the IDP Lifecycle.

DP-L3.6 Watch the Decision-Making Culture

DP-L3.6.01 Monitor changes in culture within the organization including any significant
variance of DPMP culture metrics in business units, departments, jobs, or locations.

DP-L3.6.02 Monitor changes in the risk appetite, preferences, and general business
outlook of steering committee members and the impact they may have on the DPMP
(for example, whether an individual is pressured by competing objectives—such as
meeting their revenue targets versus their role on the committee—and whether
competitor behavior or competitive pressures are influencing their decisions as
committee members).

DP-L4 Stakeholders
Interact with stakeholders to understand data privacy
expectations, requirements, and perspectives.

DP-L4.1 Identify Internal and External Stakeholders

DP-L4.1.01 Identify internal stakeholders and business unit leaders with defined
business performance objectives impacted by data privacy, including those whose
functions process personal information (e.g., heads of external customer-facing
business units/functions processing personal information; legal, compliance, and risk
management; and human resources, learning and development, marketing
communications).

DP-L4.1.02 Identify key external stakeholders including regulators,
insurers/underwriters, customers, and business partners.

DP-L4.1.03 Develop an inventory of key stakeholders by category in relation to the
data privacy capability, including:

o government oversight and regulatory agencies;
o insurers and underwriters (for example, for cyber insurance);
o customers and business partners; and
o employees, agents, unions.

DP-L4.2 Analyze Stakeholder and Influencer Expectations

DP-L4.2.01 Assemble and review available information about each key stakeholder
organization including:

● key individuals important to the relationship and the DPMP; and
● any information about ethical conduct or noncompliance issues or concerns about
the DPMP.

DP-L4.2.02 Assign ownership for responsibility to assess stakeholder views and
needs; keep information about each key stakeholder group current.

DP-L4.2.03 Establish procedures to track, review, and comment on proposed rules,
standards, and guidance from stakeholders including data privacy regulatory agencies.

DP-A: Align
Align data privacy objectives, strategies, decision-making criteria, actions,
and controls with the organizational objectives and strategies, and with the
context, culture, and stakeholder requirements for data privacy.

DP-A1 Direction
Provide oversight and structure for managing data privacy by establishing a
data privacy steering committee, authorizing a Data Privacy Management
Program (DPMP), and appointing a chief data privacy executive.

DP-A1.1 Create a Data Privacy Steering Committee

DP-A1.1.01 Empower the committee to support and guide the data privacy
management program (DPMP), ensure alignment of objectives, define acceptable
levels of residual risk related to personal information processing, and provide decision-
criteria including views of risk tolerance, avoidance, and mitigation options.

DP-A1.1.02 Form a steering committee at the ‘headquarters’ level, in the case of a group
of companies, and establish a reporting hierarchy for the steering committee of each
group entity to the ‘headquarters’ committee.

DP-A1.1.03 Include heads of external customer-facing business functions processing
personal information; legal, compliance, risk management, human resources, learning
and development, marketing, and communications representatives.

DP-A1.2 Authorize the DPMP, Define Its Mission/Vision/Values, and
Provide Management Commitment and Resources

DP-A1.2.01 Define the steering committee goals and create a formal statement to
support those goals by publishing the committee’s expectations regarding the
workforce in connection with the IDP Lifecycle.

DP-A1.2.02 Align the goals of the steering committee with the mission, vision, and
values of the organization.

DP-A1.2.03 Obtain commitment to the goals of the steering committee from senior
management and the Board.

DP-A1.2.04 Periodically, review the goals of the steering committee and update them in
light of changes to the external context, the internal context, stakeholder expectations,
and the mission, vision, and values of the organization.

DP-A1.3 Appoint a Chief Privacy Officer or Data Protection Officer

DP-A1.3.01 Appoint a sufficiently credentialled CPO/DPO (or other designated similar
officer), who, depending on the size of the organization, may be supported by team
members, to lead the organization’s DPMP under the oversight of the steering
committee but, where required by law, with the requisite degree of independence from
management.

DP-A1.3.02 Assign responsibility to support the steering committee for data privacy
formally to the CPO/DPO and enable the officer by providing subject matter expertise
and project management support.

DP-A2 Objectives
Define a balanced set of measurable objectives for the DPMP that support
organizational objectives and ensure compliance with requirements
regarding the IDP Lifecycle.

DP-A2.1 Perform High-Level Analysis of Data Privacy Threats and


Requirements

DP-A2.1.01 Identify:

● what categories of information are collected (e.g., identifying, such as name,
address and date of birth; relational; financial; health-related) or generated (e.g.,
records of transactions);
● which categories of personal information are considered sensitive; and
● when, how, and where the personal information flows through the organization.

DP-A2.1.02 Evaluate:

● the purposes for which the organization uses or discloses both non-sensitive and
sensitive personal information;
● why the organization discloses personal information to third parties; and
● why the organization transfers personal information to other jurisdictions (i.e.,
countries, states, provinces).

DP-A2.2 Determine Relevant Legal and Other Requirements

DP-A2.2.01 Determine what data privacy laws apply to the organization in light of its
geographic locations and business activities, together with relevant industry and
sectoral specific requirements.

DP-A2.2.02 Identify any additional requirements imposed by organization
governance or policy, or by any stakeholder group (e.g., union, association).

DP-A2.2.03 Determine what data privacy principles and obligations are applicable in the
IDP Lifecycle, including accountability principles to demonstrate accountability and
operational compliance.

DP-A2.2.04 Identify applicable bases of lawful processing (for example, under the
GDPR, in terms of one or more of the following (3Cs and 3Is): Consent from the
individual concerned; Compliance with a legal obligation; Contract fulfillment or
performance; vital Interest of the individual; public Interest or task performed by a
public authority; legitimate Interest of the organization or a relevant third party).

DP-A2.3 Establish DPMP Objectives to Meet Requirements

DP-A2.3.01 Define the scope of a DPMP for the organization to prepare it to comply
with relevant data privacy laws, and industry and sectoral requirements.

DP-A2.3.02 Determine the target maturity of the DPMP, including obtaining any data
privacy seal or certifications.

DP-A2.3.03 Formally document specific, measurable, achievable, relevant, and
time-bound objectives that are consistent with and mapped to organizational objectives.

DP-A2.3.04 Determine what resources (including both budget and headcount) are
required to develop and implement a DPMP across the organization, define the extent
to which the support of external consultants or other subject matter experts will be
required, and ensure that all needed resources are available.

DP-A2.3.05 Define career models for each specific role in the DPMP, including
professional credentialling targets.

DP-A2.3.06 As part of the statement of objectives, justify permissible information
processing purposes in business activities for each applicable data privacy law.

DP-A2.3.07 Cascade data privacy objectives down to the individual team level.

DP-A2.3.08 Assign accountability for achieving DPMP objectives at every level of the
organization.

DP-A3 Identification
Identify all personal information processing activities, their purposes, and
their data flows to enable the assessment and monitoring of forces that may
affect the achievement of objectives or compel a change in the DPMP.

DP-A3.1 Prepare a personal information inventory

DP-A3.1.01 Require each business unit in the context of its business operations
(because each business unit best understands its information requirements and
processes) to create an inventory of:

● all collection points at which the organization collects personal information, such
as:

o face-to-face at service counters or event registration;
o phone by call center operators or general customer service lines;
and
o online forms or chat on the organization’s website or apps;

● assets processing or maintaining personal information:

o name of each system or repository by entity/department/function;
o categories of personal information processed or stored;
o classification of personal information types and level of potential
impact to individuals and the organization of any breach of
personal information;
o purpose(s) for collecting the personal information;
o means of collecting the personal information (for example,
biometric and geospatial systems, online forms/chats, paper forms,
telephone calls);
o whether personal information processing will be outsourced to a
third-party processor;
o whether personal information is provided to other personal
information controllers, and if so, to whom (or to which group of
recipients);
o retention period of each type of personal information processed by
each processing system;
o geographical areas where the personal information was collected or
processed; and
o whether cross-border (state or country) data transfer is involved.

DP-A3.1.02 Map an inventory of items of personal information against the categories,
purposes, and disclosures.

DP-A3.1.03 Identify external and internal forces (events, conditions, requirements)
linked to data privacy for each category throughout the IDP Lifecycle, that may affect
the achievement of the DPMP and the organization’s objectives.

DP-A3.1.04 Update the personal information inventory regularly as external context


changes suggest.

DP-A.3.2 Prepare data flow maps

DP-A3.2.01 Using the information in the data inventory, map the flow of personal
information as it moves through the organization—including between business units
within the organization—, when it is disclosed by the organization to third parties (both
domestically and internationally), and where it is stored by the organization.

DP-A.3.2.02 Compare the purposes for the organization processing personal


information in the data inventory with the purposes for the flows of personal
information, resolve any discrepancies and correct the data inventory or the data flow
mapping (as the case may require) to clearly document all the purposes for which the
organization collects, uses, discloses and stores (CUDS) personal information.

DP-A3.2.03 Verify that all the respective business units’ processing purposes have
a relevant lawful basis or justification for processing the personal information.

DP-A3.2.04 Update regularly as changes are made in business operations and
data usage.

DP-A3.3 Identify privacy-related threats and requirements in business
operations

DP-A3.3.01 Identify external forces (events, conditions, requirements) linked to
the IDP Lifecycle that affect the achievement of the organization’s objectives:

● applicable global and local privacy laws, regulations, and standards;

● external publicized or internal privacy incidents/breaches;

● significant judicial rulings or enforcement cases relating to privacy (both in the
organization’s “home” jurisdiction and elsewhere if the regulator in the “home”
jurisdiction may be influenced by significant judicial rulings or enforcement cases
elsewhere);



● new privacy amendments that may have immediate effect or that may indicate
“over the horizon” changes; and

● actions by external privacy organizations, such as organizations acting as privacy
advocates for individuals generally.

DP-A3.3.02 Identify internal forces that may give rise to privacy threats by examining
the data inventory and the flows of personal information:

● to establish a baseline of privacy knowledge among internal stakeholders and
information on the organization’s current compliance policies relating to data
privacy;

● to identify whether business departments are acting fairly, legitimately, and
transparently in their IDP Lifecycle; and

● to assess current compliance with data privacy principles at each stage of the IDP
Lifecycle: that is, the collect, use, disclose, and store (CUDS) stages.

DP-A3.3.03 Identify personal information risks in relation to sensitive personal
information, in particular, for example:

● personal information that is defined as sensitive in applicable data privacy laws; for
example:

o personal data revealing racial, tribal, or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union
membership;
o genetic data;
o biometric data;
o data concerning a data subject’s health;
o data concerning a data subject’s sex life or sexual orientation;
o government identification documents;
o financial information;
o passwords;
o children’s data; and
o criminal convictions and offenses;

● personal information that affects the data subject's most intimate sphere;

● personal information likely to be misused or subjected to unlawful or arbitrary
discrimination; and



● personal information that, if disclosed publicly, may give rise to a serious risk to the
data subject.

DP-A3.3.04 Assess compliance-related risks – that is, the risk of not complying
with data privacy and regulatory requirements, considering matters such as:

● material scope/obligations of organizations (controllers) and third-party service
providers (processors);

● territorial applicability and scope;

● data privacy processing principles relating to the IDP Lifecycle;

● rights of individuals;

● management and administrative requirements (for example, registration of
DPO/organization/data processing system); and

● enforcement and penalties for non-compliance.

DP-A3.3.05 Assess business process risks and identify areas relating to third-party
service providers, such as:

● contractual and legal compliance requirements;

● types of data outsourced (including, for example, where the organization
outsources the processing of sensitive personal information);

● types of data disclosed to another organization on a controller-to-controller basis
(e.g., to an insurance broker or insurance company) to obtain services from such a
third party;

● any joint processing of personal information by both the organization and another
organization as data controllers;

● information security policies and practices adopted by the third-party organization;

● location of data, including whether it will be stored in the jurisdiction in which it is
collected or if it will be transferred by the organization or by a third party (e.g., a
data processor) outside of the jurisdiction and, if so, the destination jurisdiction; and

● use by the organization of cloud computing platforms, including software-as-a-service
applications, for storage and backups of personal information and whether
personal information will be stored in the jurisdiction in which it is collected or
elsewhere.



DP-A3.3.06 Review existing rules (if any) about retention periods in relation to
personal information collected by the organization and determine if such retention
periods comply with applicable data privacy requirements, such as:

● personal information may not be retained when the purpose for which it was
collected has been completed unless there is a legal requirement to retain it;

● personal information may not be retained indefinitely: that is, it may not be
retained without a period being determined and documented (with the
documentation including both the period of retention and the reason(s) for
choosing that period); and

● personal information may not be retained “just in case” it is needed in the future or
may be useful for some undefined future purpose.
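The reconciliation of inventory purposes against data flow purposes and lawful bases (DP-A3.2.02 and DP-A3.2.03) and the three retention rules above (DP-A3.3.06) can be run as automated checks over the inventory. The following Python is an added example, not part of the OCEG model; the record fields, reason codes, system names and jurisdictions are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed reason codes for a documented retention period (DP-A3.3.06);
# the last one is retention "just in case" for an undefined future purpose.
VALID_REASONS = {"legal_requirement", "contract_performance", "active_service"}
SPECULATIVE_REASON = "possible_future_use"


@dataclass(frozen=True)
class InventoryItem:
    """One type of personal information held in one processing system (DP-A3.1)."""
    system: str
    category: str
    purposes: FrozenSet[str]         # purposes documented in the inventory
    lawful_basis: Dict[str, str]     # purpose -> lawful basis ("" if none recorded)
    jurisdiction: str                # where the information is collected/processed
    retention_days: Optional[int]    # None: no retention period has been determined
    retention_reason: Optional[str]
    purpose_completed: bool = False  # the purpose for collection has ended
    legal_retention_required: bool = False


@dataclass(frozen=True)
class DataFlow:
    """One movement of personal information from the data flow map (DP-A3.2.01)."""
    system: str
    category: str
    purpose: str
    recipient: str
    recipient_jurisdiction: str


def reconcile(inventory, flows):
    """Compare inventory purposes with flow purposes and lawful bases (DP-A3.2.02/03).

    Returns sorted (finding, system, category, detail) tuples so that the inventory
    or the flow map can be corrected; cross-border flows are reported as well.
    """
    by_key = {(i.system, i.category): i for i in inventory}
    findings = set()
    for f in flows:
        item = by_key.get((f.system, f.category))
        if item is None:  # a flow of data the inventory does not know about
            findings.add(("UNINVENTORIED_FLOW", f.system, f.category, f.recipient))
            continue
        if f.purpose not in item.purposes:
            findings.add(("UNDOCUMENTED_PURPOSE", f.system, f.category, f.purpose))
        if f.recipient_jurisdiction != item.jurisdiction:
            findings.add(("CROSS_BORDER_TRANSFER", f.system, f.category,
                          f.recipient_jurisdiction))
    for item in inventory:  # every documented purpose needs a lawful basis
        for purpose in item.purposes:
            if not item.lawful_basis.get(purpose):
                findings.add(("NO_LAWFUL_BASIS", item.system, item.category, purpose))
    return sorted(findings)


def retention_issues(item):
    """Apply the three DP-A3.3.06 retention rules to one inventory item."""
    issues = []
    if item.retention_days is None or not item.retention_reason:
        issues.append("NO_DOCUMENTED_PERIOD_AND_REASON")  # retained indefinitely
    elif item.retention_reason == SPECULATIVE_REASON:
        issues.append("JUST_IN_CASE_RETENTION")
    elif item.retention_reason not in VALID_REASONS:
        issues.append("UNKNOWN_REASON_CODE")
    if item.purpose_completed and not item.legal_retention_required:
        issues.append("PURPOSE_COMPLETED_NO_LEGAL_REQUIREMENT")
    return issues


# Constructed sample inventory and flow map; names and jurisdictions are illustrative.
INVENTORY = [
    InventoryItem("crm", "contact_details", frozenset({"order_fulfilment", "marketing"}),
                  {"order_fulfilment": "contract", "marketing": ""}, "DE",
                  730, "contract_performance"),
    InventoryItem("hr_system", "health_data", frozenset({"sick_leave_admin"}),
                  {"sick_leave_admin": "legal_obligation"}, "DE", None, None),
    InventoryItem("analytics", "browsing_history", frozenset({"product_analytics"}),
                  {"product_analytics": "legitimate_interest"}, "DE",
                  3650, SPECULATIVE_REASON, purpose_completed=True),
]
FLOWS = [
    DataFlow("crm", "contact_details", "order_fulfilment", "courier_ltd", "DE"),
    DataFlow("crm", "contact_details", "credit_scoring", "bureau_inc", "US"),
    DataFlow("support_desk", "contact_details", "ticket_handling", "helpdesk_saas", "IE"),
]


def run_checks(inventory=INVENTORY, flows=FLOWS):
    """Return reconciliation findings and retention issues keyed by system/category."""
    retention = {f"{i.system}/{i.category}": retention_issues(i) for i in inventory}
    return reconcile(inventory, flows), retention


if __name__ == "__main__":
    findings, retention = run_checks()
    print(*findings, sep="\n")
    print(retention)
```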

DP-A3.3.07 Identify how new or changing products and services (including changing
channels of delivery, the format of customer interaction like biometrics and geolocation,
and intended and unintended customers—geriatric, disabled, and children) alter IDP
Lifecycle processes and data privacy risks.



DP-A4 Assessment
Analyze current and planned approaches to address threats and requirements
that are relevant to, or have an impact on, data privacy.

DP-A4.1 Prepare for Assessment

DP-A4.1.01 Identify internal resources with which to collaborate during the Assess
phase of data privacy compliance and/or during subsequent phases, such as:

● human resources generally (for example, to provide input in relation to recruitment
and onboarding of employees and the IDP Lifecycle);

● learning and development specialists (for example, to help assess staff
developmental needs in connection with the IDP Lifecycle and to design and deliver
appropriate training courses);

● IT resources, in particular in relation to information security and IT system design
to best deal with the IDP Lifecycle;

● marketing and other customer-facing departments (for example, to learn about
initial customer expectations and to assist in shaping them for the future); and

● any other business unit that processes personal information.

DP-A4.1.02 Establish an enterprise-wide risk management framework to assess
threats and the related inherent and residual privacy-related risks, or ensure that
data privacy risk management is integrated into the enterprise framework to assess
inherent and residual privacy-related risks.

DP-A4.1.03 Reconcile variances across the rating schema to permit a comparison for
heat mapping and prioritization purposes across the data privacy capability,
aligning the initiative portfolio management approach to any enterprise-wide
change management framework.

DP-A4.1.04 Prioritize the data privacy impact assessments on the organization’s
high-risk processing activities, which may include:

● use of new technologies (artificial intelligence, facial recognition, etc.);

● systematic and extensive profiling or automated decision-making to make
significant decisions about people;



● processing sensitive data or criminal offense data on a large scale;

● systematically monitoring a publicly accessible place on a large scale;

● profiling individuals on a large scale;

● processing biometric or genetic data;

● combining, comparing, or matching data from multiple sources;

● tracking individuals’ online or offline location or behavior;

● processing children’s data for profiling or automated decision-making or marketing
purposes, or offering online services directly to them; and

● processing personal data which could result in a risk of physical harm in the event
of a security breach.

DP-A4.1.05 Adapt the schedule based on the current portfolio of planned or in-
process change initiatives.

DP-A4.1.06 Secure buy-in for the schedule considering time conflicts for the
internal stakeholders (e.g., peaks/valleys in business operations,
examiner/regulator reviews, or audit plans).

DP-A4.2 Analyze Threats/Risk

DP-A4.2.01 Use the history of the organization and peers (based on industry, geography,
business activities, and workforce scale and footprint) to analyze vulnerabilities affecting
data privacy, considering likelihood and impact.

DP-A4.2.02 Analyze the likelihood that a data privacy-related threat will materialize,
including identification of likely single vs. multiple events and short-term vs.
long-term events.

DP-A4.2.03 Analyze the likely speed of onset (velocity) and momentum
once the data privacy-related threat occurs.

DP-A4.2.04 Analyze relationships of data privacy-related threats with other
threats and established risks.

DP-A4.2.05 Assess the level of inherent risk/reward pertaining to data privacy,
assuming the absence of relevant actions and controls.



DP-A4.2.06 Evaluate the level of residual risk/reward pertaining to data privacy,
assuming the risk/reward remaining after the application of relevant actions and
controls currently in place. This should be done first on high inherent risk/reward
items that exceed risk tolerance levels.

DP-A4.2.07 Identify and evaluate current actions and controls to address
risk/reward pertaining to data privacy that either:

● ACCEPT or TOLERATE the risk at the current residual level;

● AVOID or TERMINATE the risk and cease activities (or change requirements) that
give rise to the risk;

● SHARE or TRANSFER the impact or optimization of the risk with other entities; or

● REDUCE and TREAT:

o likelihood of the risk by implementing incentives, controls, and
other activities that prevent or reduce the probability that
undesirable activities occur, or
o impact by more quickly detecting and responding to undesirable
activity, or otherwise preventing risks from accelerating into high
impact levels.

DP-A4.3 Analyze Requirements/Compliance

DP-A4.3.01 Conduct impact assessments on the organization’s existing
information processing activities to determine the legal risks that may arise –
that is:

● to determine if and where the organization may not be complying with applicable
data privacy laws and regulations and/or with industry and sectoral requirements
or expectations; and

● to otherwise determine organizational capability, including weaknesses, of existing
policies and standard operating procedures (if any) concerning the IDP Lifecycle
and develop a plan to remediate weaknesses as part of the DPMP.

DP-A4.3.02 Use the history of the organization and peers (based on industry,
geography, business activities, and workforce scale and footprint) to analyze the
likelihood and impact of data privacy-related compliance violations.

DP-A4.3.03 Assess the inherent level of compliance concerning data privacy,
assuming the absence of relevant actions and controls.



DP-A4.3.04 Evaluate the level of residual compliance concerning data privacy,
assuming the likelihood and impact of compliance violations after the application of
relevant actions and controls currently in place.

DP-A4.3.05 Identify and evaluate current actions and controls to ensure data
privacy-related compliance (conformance with requirements), including:

● incentives for desired conduct;
● proactive, detective, and corrective controls to address undesired conduct or
events;
● issue identification and management;
● monitoring activities;
● policies and procedures; and
● education and awareness programs.

DP-A4.3.06 Identify and evaluate who is accountable for managing each action and
control pertaining to data privacy, including:

● mainline business functions, departments, and staff;
● risk management, ethics, and compliance departments and staff;
● assurance departments and staff; and
● oversight by the steering committee and of the committee by the Board.

DP-A4.4 Prioritize Management of Threats and Requirements

DP-A4.4.01 Identify any gaps and unnecessary overlaps in actions and controls related
to data privacy, as well as appropriate overlaps and layering.

DP-A4.4.02 Analyze the effect of current actions and controls related to data
privacy on the likelihood, timing, and impact of each risk/reward.

DP-A4.4.03 Analyze the effect of current actions and controls related to data
privacy on the likelihood, timing, and impact of compliance with requirements.

DP-A4.4.04 Determine the cost/benefit to maintain current actions and controls
related to data privacy, considering their current operating effectiveness.

DP-A4.4.05 Determine if the current level of data privacy-related residual
risk/reward and compliance with requirements is acceptable based on
management boundaries and defined decision-making criteria.

DP-A4.4.06 Determine areas where data privacy-related requirements are not
addressed or fail to meet stated levels of compliance.



DP-A4.4.07 Identify data privacy-related risks, rewards, and requirements that
call for high prioritization for improved or additional action or control, including
when:

● current residual risk/reward is unacceptable based on the organization's risk
appetite;

● current residual risk/reward is unacceptable and immediate action is required;

● current actions and controls are ineffective, inconsistently effective, or inefficient;
and

● an inherently high risk/reward requires actions and controls that must be
constantly monitored.

DP-A4.4.08 Ensure that inherently high data privacy-related risks/rewards are
specifically addressed since any breakdown in actions or controls to address these
risks may result in a significant impact on the organization.
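An added example, not from the OCEG model, of a small data privacy risk register that scores inherent and residual risk (DP-A4.2.05 and DP-A4.2.06), credits only effective controls under each treatment option (DP-A4.2.07), and raises the DP-A4.4.07 and DP-A4.4.08 prioritization flags. The 1 to 5 scales, the likelihood times impact score, the appetite thresholds and the register entries are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed scoring assumptions: 1 (low) to 5 (high) likelihood and impact,
# score = likelihood x impact, and organization-specific thresholds.
RISK_APPETITE = 6        # residual score above this is unacceptable
IMMEDIATE_ACTION = 12    # residual score above this needs immediate action
HIGH_INHERENT = 15       # inherent score at or above this is "inherently high"


@dataclass
class Control:
    """An action or control that reduces either likelihood or impact (DP-A4.2.07)."""
    name: str
    reduces: str        # "likelihood" or "impact"
    by: int             # points removed from that factor when the control works
    effectiveness: str  # "effective", "inconsistent" or "ineffective"


@dataclass
class Risk:
    """One entry in the data privacy risk register."""
    name: str
    likelihood: int
    impact: int
    treatment: str                         # ACCEPT, AVOID, SHARE or REDUCE
    controls: List[Control] = field(default_factory=list)


def inherent_score(risk):
    """Inherent risk: the score assuming no actions or controls (DP-A4.2.05)."""
    return risk.likelihood * risk.impact


def residual_factors(risk):
    """Likelihood and impact after the treatment and effective controls (DP-A4.2.06)."""
    if risk.treatment == "AVOID":          # activity ceased: no remaining exposure
        return 0, 0
    likelihood, impact = risk.likelihood, risk.impact
    if risk.treatment in ("REDUCE", "SHARE"):
        for c in risk.controls:
            if c.effectiveness != "effective":
                continue                   # credit only controls operating as designed
            if c.reduces == "likelihood":
                likelihood -= c.by
            else:
                impact -= c.by
    return max(likelihood, 1), max(impact, 1)


def residual_score(risk):
    likelihood, impact = residual_factors(risk)
    return likelihood * impact


def prioritization_flags(risk):
    """Reasons this risk calls for high prioritization (DP-A4.4.07, DP-A4.4.08)."""
    flags = []
    residual = residual_score(risk)
    if residual > RISK_APPETITE:
        flags.append("RESIDUAL_EXCEEDS_APPETITE")
    if residual > IMMEDIATE_ACTION:
        flags.append("IMMEDIATE_ACTION_REQUIRED")
    if any(c.effectiveness != "effective" for c in risk.controls):
        flags.append("CONTROLS_NOT_EFFECTIVE")
    if inherent_score(risk) >= HIGH_INHERENT:
        flags.append("INHERENTLY_HIGH_MONITOR_CONSTANTLY")
    return flags


def heat_map_order(register):
    """Names ordered for prioritization: highest residual first, then inherent."""
    return [r.name for r in sorted(
        register, key=lambda r: (residual_score(r), inherent_score(r)), reverse=True)]


# Constructed register entries.
REGISTER = [
    Risk("profiling of children for marketing", 4, 5, "REDUCE", [
        Control("age verification at sign-up", "likelihood", 2, "effective"),
        Control("data minimisation review", "impact", 2, "inconsistent")]),
    Risk("contact list shared with insurance broker", 3, 2, "ACCEPT"),
    Risk("legacy biometric attendance pilot", 5, 5, "AVOID"),
    Risk("HR records transferred to overseas processor", 4, 4, "REDUCE", [
        Control("transfer clauses in processor contract", "impact", 1, "ineffective")]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent={inherent_score(r)} residual={residual_score(r)} "
              f"flags={prioritization_flags(r)}")
    print("priority order:", heat_map_order(REGISTER))
```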



DP-A5 Design
Develop strategic and tactical initiatives to address data privacy threats and
related risks, and to ensure compliance with requirements.

DP-A5.1 Explore Options to Address Compliance with Requirements

DP-A5.1.01 When the current level of compliance with data privacy-related
requirements is not acceptable, or when existing actions and controls are not optimal,
explore additional actions and controls to address requirements.

DP-A5.1.02 Design actions and controls to address gaps and unnecessary overlap in
the way that requirements pertaining to data privacy are addressed.

DP-A5.1.03 Analyze the costs/benefits of proposed actions and controls to ensure
that selected approaches are appropriate given the likelihood of non-compliance
with data privacy requirements and the impact of that occurring so that budgets are
appropriately allocated across all compliance needs.

DP-A5.2 Explore Options to Address Threats and Associated Risks

DP-A5.2.01 When the current residual risk/reward related to data privacy is
unacceptable or when the current approach can be improved, explore alternative
actions and controls to address risk/reward, applying defined decision-making
criteria.

DP-A5.2.02 Evaluate and select actions and controls to accept, avoid, share, shift, or
reduce data privacy risk, including transfer and risk financing instruments and
approaches, consistent with defined risk appetite, tolerance, and capacity.

DP-A5.2.03 Evaluate and select actions and controls that prevent, detect, and
respond to undesirable events and conditions related to data privacy.

DP-A5.2.04 Consider privacy and data protection issues at the design phase of any
system, service, product or process and then throughout the IDP lifecycle
(Privacy/Data Protection by Design).

DP-A5.2.05 Design a layered approach to avoid "single response bias" in
addressing high impact risks/rewards related to data privacy.

DP-A5.2.06 Identify areas where actions and controls can address more than one
risk/reward and requirements related to data privacy — dual-purpose controls.



DP-A5.2.07 Design actions and controls so that they generate information that can be
used for monitoring data privacy-related risk/reward.

DP-A5.2.08 If the primary option to address a particular risk, reward, or compliance
requirement related to data privacy will take some time to implement, define interim
options including consideration of delaying the action that presents the risk.

DP-A5.2.09 Estimate the cost/benefit associated with planned actions and
controls, to determine if the cost is appropriate given the prioritization of the data
privacy-related risk/reward and compliance and the benefit achieved.

DP-A5.3 Design Transfer and Risk Financing Strategies

DP-A5.3.01 Review data privacy-related risk/reward assessment findings to
determine which risks/rewards should be addressed solely by risk financing
options.

DP-A5.3.02 Review residual risk/reward related to data privacy after application of
designed actions and controls to identify risks that require risk financing as a backup
for the applied actions and controls.

DP-A5.3.03 Identify options for types of risk financing appropriate to each identified
risk/reward related to data privacy.

DP-A5.3.04 Determine available options for particular risk-sharing instruments or
approaches. Examples of risk areas to consider when outsourcing personal
information processing to third-party processors include:

o Contractual and legal compliance requirements
o Types of personal information outsourced (whether it is sensitive)
o Joint processing of personal information
o Information security policies and practices
o Location of data (whether outside the jurisdiction)
o Use of cloud computing platforms/storage
o Records retention practices

DP-A5.3.05 Determine any mandates or policies that preclude or require a
particular risk-sharing instrument or approach for a particular type of data
privacy-related risk/reward.

DP-A5.3.06 Select data privacy-related risks/rewards to be insured (e.g., through
cyber insurance) or transferred to others (e.g., outsourced to a third-party
vendor/supplier), and construct indemnifications, assignments, warranties, or other
contractual language that transfers or allocates risk to the other contractual parties.



DP-A5.3.07 Assign accountability for maintaining compliance with requirements
related to data privacy for each risk financing approach.

DP-A5.4 Determine Planned Residual Risk

DP-A5.4.01 Assess the planned residual risk related to data privacy that is anticipated
when the proposed actions and controls are put in place.

DP-A5.4.02 If planned residual risk related to data privacy is not acceptable,
reconsider actions and controls.

DP-A5.4.03 If planned residual risk and compliance related to data privacy
are acceptable, implement the selected actions and controls.

DP-A5.4.04 Analyze the costs and benefits of planned actions and controls.

DP-A5.5 Address Inherently High Risks

DP-A5.5.01 Identify actions and controls that currently are in place or are planned to
address inherently high risks. Examples of high-risk personal information processing
activities include:

● Use of new technologies (artificial intelligence, facial recognition, etc.).

● Systematic and extensive profiling or automated decision-making to make
significant decisions about people.

● Processing sensitive data or criminal offense data on a large scale.

● Systematically monitoring a publicly accessible place on a large scale.

● Profiling of individuals on a large scale.

● Processing biometric or genetic data.

● Combining, comparing, or matching data from multiple sources.

● Tracking individuals’ online or offline location or behavior.

● Processing children’s data for profiling or automated decision-making or marketing
purposes or offering online services directly to them.



● Processing personal data which could result in a risk of physical harm in the event
of a security breach.

DP-A5.5.02 Design additional monitoring activities to ensure that actions and controls
continue to be effective and operate according to plan.

DP-A5.5.03 Augment the prioritized risk matrix with the planned risk optimization
actions and controls and planned residual risk analysis.

DP-A5.5.04 Include inherently high risks in assurance plans.

DP-A5.6 Develop Key Indicators

DP-A5.6.01 Develop key performance indicators (KPI) for each objective related
to data privacy.

DP-A5.6.02 Develop key compliance indicators (KCI) for each requirement
related to data privacy.

DP-A5.6.03 Develop key risk indicators (KRI) for each key risk or category of key risk
related to data privacy.

DP-A5.6.04 Identify thresholds for each indicator that trigger:

o escalation/reporting;
o corrective action; or
o re-evaluation of approaches.

DP-A5.6.05 Assign accountability to periodically, or continuously, monitor each
established key indicator.

DP-A5.6.06 Design management reports and dashboards to inform appropriate
personnel about key indicator values and changes.

DP-A5.7 Define Information Management Structure

DP-A5.7.01 Determine the definitions, classifications, and procedures necessary to
identify and manage information in the organization and extended enterprise, as part of
an information management plan.

DP-A5.7.02 Define and maintain a data classification schema and methodology.



DP-A5.7.03 Define an ongoing process for personal information inventory and
classification, following the IDP Lifecycle CUDS stages, including characteristics such
as:

● type;

● sensitivity;

● requirements (privacy, confidentiality, preservation, retention, disposition, and
availability);

● disclosures/transfers to a third party (including recipients outside the jurisdiction);

● operational / strategic values;

● data owner (that is, the department within the organization that collects, uses,
and/or discloses the data);

● source of information (database/application, email, Excel, etc.) from within the
organization or from third parties outside the organization;

● associated business processes; and

● associated policies.

DP-A5.7.04 The information management structure for personal information should
capture at least the following:

● name of each identified processing system by entities / departments / functions;

● types of personal information (including sensitive information) processed by these
systems; examples of sensitive personal information include (non-exhaustive):

o personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, or trade union membership;
o genetic data;
o biometric data;
o data concerning health;
o data concerning a natural person’s sex life or sexual orientation;
o government-issued identification numbers;
o financial information;
o passwords;
o children’s data; and
o criminal convictions and offenses;



● classification of all types of personal information and level of potential impact to
individuals and the organization of any breach of personal information;

● purpose(s) for collecting the personal information;

● means of collecting the personal information;

● whether personal information processing will be outsourced to a processor;

● whether personal information is disclosed or transferred to other personal
information controllers, and if so, to whom (or to which group of recipients);

● retention period of each type of personal information processed by each processing
system;

● geographical area where the personal information was collected or processed; and

● whether cross-border (country, state, or other jurisdiction) data transfer is
involved.

DP-A5.7.05 Periodically, consider changes to the data classification structure, and
its underlying definitions and classifications, to reduce future reconciliation needs.

DP-A5.7.06 Define information management policies and procedures including
outsourcing information processing to third-party vendors or service providers.

DP-A5.8 Develop Technology Architecture

DP-A5.8.01 Identify key data privacy-related processes and controls that are less
error-prone and more efficient if enabled by technology.

DP-A5.8.02 Understand the existing technology environment and emerging
technological trends.

DP-A5.8.03 Map functionality requirements to existing capabilities.

DP-A5.8.04 Identify redundancies and shortcomings in existing technology
solutions.

DP-A5.8.05 Identify unmet functional requirements based on existing capabilities.

DP-A5.8.06 Prioritize and determine which technology solutions must share
information or develop/store easily combined or compared information.



DP-A5.8.07 Decide what existing solutions can and should be enhanced or extended
to apply to similar needs.

DP-A5.8.08 Decide what new solutions should supplement or replace existing
solutions, and whether to build or buy identified new solutions.

DP-A5.9 Develop Integrated Plan

DP-A5.9.01 Identify opportunities to consolidate data privacy-related activities into
fewer actions and controls.

DP-A5.9.02 Identify opportunities to embed data privacy-related risk
management and compliance activities into business processes.

DP-A5.9.03 Identify opportunities to leverage existing programs, projects,
processes, and resources (people, budgets, and technology) before creating new
structures.

DP-A5.9.04 Define initiatives that address related activities in a coordinated fashion.

DP-A5.9.05 Establish a timeline to implement each action and control initiative.

DP-A5.9.06 Assign accountability for each initiative and for monitoring events that
may require changes to initiatives.

DP-A5.9.07 Obtain support and approval for data privacy-related strategic and
tactical plans from management and resources necessary for each initiative.

DP-A5.9.08 Include a change management plan to ensure strategic and tactical
plans related to data privacy are implemented.



DP-P: Perform
Operationalize the Data Privacy Management Program (DPMP) by
developing and implementing the controls and actions required to manage
data privacy risks, and document them in appropriate policies.

DP-P1 Controls
Establish technical, administrative, and physical controls to manage each
phase of the IDP Lifecycle for all business activities across the
organization that involve processing personal information, according to
the various applicable privacy principles, as needed to reduce the
likelihood, impact, or velocity of undesirable conditions or events.

DP-P1.1 Establish Controls to Achieve Privacy by Design and by Default

DP-P1.1.01 When responding to assessed risks to data privacy, achieve “Privacy by
Design” by considering privacy issues in both:

● the design phase of any system, service, product, or process that involves
processing personal information: that is, taking the appropriate technical and
organizational measures designed to comply with the applicable privacy principles
from the outset (including by integrating the necessary safeguards into the
processing to fulfill privacy requirements and to protect data subject rights); and

● throughout the entire IDP Lifecycle, to ensure that privacy practices and
considerations are “baked in” to business practices and processing activities
proactively and do not need to be added at some time in the future reactively.

DP-P1.1.02 When responding to assessed risks to data privacy, achieve “Privacy by
Default” by applying the central privacy principles of personal information
minimization and purpose limitation to ensure that:

● only personal information necessary for a stated purpose is processed;

● there is a short storage period, which is long enough only to allow the processing to
occur for the stated purpose; and

● there is limited accessibility to personal information by employees and (where
applicable) by other stakeholders – disclose personal information only on a “need
to know” basis.



DP-P1.1.03 As part of “Privacy by Design” and “Privacy by Default”, respond to
identified risks by making business decisions to:

● Terminate or Avoid the risk (by terminating the business process that gives rise to
the risk);

● Tolerate / Retain / Accept or Keep the risk (by continuing the business process that
gives rise to the risk – for example, because the balance between accepting the risk
or terminating the relevant business process lies in favor of the organization
accepting the risk);

● Treat, Control, or Reduce the risk by developing and implementing proactive
controls, detective controls, and/or responsive controls to mitigate the risk; and/or

● Transfer or Share the risk (for example, by insuring against the risk or by obtaining
relevant indemnities from third parties).

DP-P1.2 Determine Controls

DP-P1.2.01 Determine what proactive actions and controls the organization should
develop and implement to manage risks, including, for example, the following
categories, depending on applicable data privacy laws:

● Regulatory: Determine what proactive / preventive controls are required under
data privacy-related mandates or voluntary commitments, including:

o approvals;
o authorizations;
o pre-submission reviews; and/or
o quality reviews.

● Process: privacy impact assessments, audits, approvals, authorizations,
pre-submission reviews, quality reviews, etc.;

● Administrative: privacy notices, consent clauses, defined job/role descriptions,
segregation of duties, background checks, codes of conduct, contractual
arrangements, training, etc.;

● Technological: data classification, application access controls, physical access
controls, configuration controls, encryption, data loss prevention tools, penetration
tests, vulnerability assessments, standards (ISO 27001/02, ISO 29100, ISO 27701,
etc.);



● Physical: environmental protection for key physical assets containing personal data
(data-centers, fax machines/copiers, filing cabinets, CCTV surveillance, etc.); and

● Consent Requirements: depending on the applicable jurisdiction(s), consent may
include requirements that it:

o must be freely given;
o must be specific;
o must be informed;
o must be unambiguous; and
o can be revoked – upon any withdrawal of consent the organization
is usually required to inform individuals of the likely consequences,
or, in any event, that consent is relevant only where there is no
other lawful basis for processing personal information.

● Privacy Notice Requirements: while there may be some variations depending on the
applicable jurisdiction(s), generally privacy notices:

o must be concise, easily accessible, easy to understand, and in clear
and plain language;
o must identify the organization and its location (and how to contact
it);
o must list the types and categories of personal information
processed;
o must notify the purpose(s) for processing;
o in some jurisdictions, must state the specific lawful basis for each
instance of processing;
o must disclose third party recipients of personal information (for
example, service providers to the organization);
o must disclose any transfer of personal information outside the
jurisdiction;
o must state the retention period for each category of personal
information;
o must provide information about the rights of the data subject - the
substance of the rights and how to exercise them; and
o in some jurisdictions, must state if auto-decision making (profiling,
auto-decision logic) is used and if so, must provide information
about it.

● Contractual arrangements with third-party service providers processing personal
information on behalf of the organization: the following requirements typically
apply:

o the service provider may process personal information only on the
documented instructions of the data controller;

© 2022 OCEG Page 104


o the service provider must get consent to engage or change sub-
contractors and must take responsibility for them;
o the service provider must ensure the confidentiality of personal
information;
o the service provider must implement appropriate security
measures;
o the service provider must provide the data controller with
assistance regarding any data breach notifications;
o the service provider must delete or return personal information
upon completion/termination of the service contract;
o the service provider must assist the data controller where necessary
when a data subject exercises their rights;
o the service provider must demonstrate compliance with applicable
data privacy laws; and
o the service provider must submit to regular audits or provide other
evidence, such as certifications or third-party independent audits.

● Controls for transfer of personal information to other countries/jurisdictions:

o country/jurisdiction level - adequacy decisions (whitelist of
countries where data may be transferred);
o organization-level - appropriate safeguards:

• binding corporate rules (BCRs);
• standard contractual clauses;
• codes of conduct or certification mechanisms;
• ad hoc contractual clauses authorized by supervisory authorities (i.e.,
non-standardized contractual clauses); and
• case by case – derogations may include:

> consent of the data subject;
> performance of a contract;
> public interest;
> establishment, exercise, or defense of legal claims;
> vital interests;
> transfer from a public register; and
> legitimate interests of the data controller.

DP-P1.2.02 Establish proactive technology controls including:

● application access controls that limit access to systems, applications, and
information repositories;

● physical access controls which limit access to physical technology components such
as networks, servers, and workstations;

● configuration controls that prevent or restrict changes to hardware, system, and
application configurations; and

● master data controls that prevent or restrict changes to the information stored in
data sources.

DP-P1.2.03 Determine what detective actions and controls the organization should
develop and implement to manage risks, including the following categories for
example:

o user access logs;
o system access logs;
o feedback and complaints;
o intrusion detection software and devices; and
o unusual usage trends and anomalies (pertaining to IT resources).

DP-P1.2.04 Determine what responsive actions and controls the organization should
develop and implement to manage risks, including the following categories for
example:

o procedures to respond to data subject rights requests;
o procedures to manage feedback, queries, and complaints;
o response to repress, return, or resolve a data breach or incident;
o reports to regulators and affected individuals;
o security patches and enhancements; and
o system or process redesign.

DP-P1.2.05 For each control activity:

● define who will perform the activity;

● define when and how often the activity will be performed;

● identify individuals with appropriate authority to modify or override controls and
set out the documentary requirements for doing so.

DP-P2 Policies
Develop and implement appropriate policies and standard operating
procedures (SOPs) to establish the rationale and rules for governing
and protecting personal information in the organization, taking into
consideration the risks and controls.

DP-P2.1 Determine Policies

DP-P2.1.01 Define a hierarchy for policies and standard operating procedures (SOPs),
considering the following factors (if and to the extent relevant to the organization) as
well as the risks and controls that the organization will adopt, and consider what
additional factors apply – there is no “one size fits all” in developing data privacy
policies:

● define the framework and hierarchy of policies and SOPs;

● define the outline for each policy and SOP;

● determine the audience for the policy and SOP - external stakeholders, internal
stakeholders, etc.;

● determine the responsible parties/entities for developing and maintaining the
policies and SOPs;

● develop the content for each policy and SOP, taking into consideration the
mandatory and voluntary requirements to comply with data privacy laws and
internal organizational practices respectively; and

● develop standard templates and style guides for standardization of policies, codes
of conduct, and SOPs across organizational entities where relevant.

DP-P2.1.02 An organization typically needs to develop most, if not all, of the
following policies, though the final requirements depend on the organization’s
business activities and scope:

● Data Privacy Policy (including Cookie Policy, if required by applicable law).

● IT Acceptable Use Policy.

● Bring Your Own Device (BYOD) Policy.

● CCTV Policy.

● Data Retention / Disposal Policy.

● Information Security Policy and any other IT-related policies.

● Social Media Policy.

● Ethics and AI Governance Policy.

● Policies relevant to selecting, engaging, and managing vendors/third-party service
providers, generally supported by standard templates and style guides for various
types of data privacy-related standard operating procedures/codes of conduct:

o Data privacy impact assessment;
o Data ethics impact assessment;
o Legitimate interest assessment;
o Data transfer impact assessment;
o procedures for handling access and correction requests;
o procedures for obtaining consent and processing withdrawal of consent;
o procedures about other data subject rights, such as (depending on applicable
legislation) the right to object to processing, the right to restrict processing, and
data portability;
o procedures to check the accuracy of personal information; and
o standard operating procedures relevant to specific areas or functions within the
organization.

● third party due diligence and contractual requirements where personal information
may be disclosed to a third party or transferred to another jurisdiction (including,
in each case, where the third party is a member of the same corporate group).
DP-P2.1.03 Consider which policies need to be supported with SOPs – that is, detailed
instructions about what staff must do and must not do, which are often provided in the
form of bullet points of “Do’s” and “Don’ts” and define a process:

● for SOPs to be developed by the head of the department in which the SOP is to be
used (or by their delegate within the department);

● for ensuring compliance with SOPs by departmental staff is included in the job
description and/or key performance indicators (KPIs) of heads of department;

● for the relevant head of department to ensure that departmental staff are trained
before they commence a role in the SOPs that are relevant to that role; and

● for the relevant head of the department to audit compliance by departmental staff
with relevant SOPs regularly and to ensure that there are disciplinary consequences
for a failure to comply with relevant SOPs.

DP-P2.1.04 Define the objective of each policy, which should be aligned to the
objectives of the organization, and ensure that only individuals with appropriate
authority issue and modify policies, standard operating procedures, and/or codes of
conduct about data privacy.

DP-P2.1.05 Define the target audience for each policy, including all the relevant
stakeholders (both internal and external). There should be two versions of the data
privacy policy – a less-detailed public version for external stakeholders and a more-
detailed private version for internal stakeholders.

DP-P2.1.06 Have appropriate experts approve policies that must satisfy data privacy-
related mandates. Such mandates must comply with the lawful bases for processing
personal information as prescribed in the local data privacy law. For example, the EU’s
General Data Protection Regulation (GDPR) spells out six lawful bases for processing
personal information:

● Consent from the individual concerned;

● Compliance with a legal obligation;

● Contract fulfillment or performance;

● Vital Interest of the individual;

● Public Interest or task performed by a public authority; or

● Legitimate Interest of the organization or a relevant third party (balancing the
interests of the individuals concerned).

DP-P2.1.07 Understand business model elements that are affected by each policy.

DP-P2.1.08 Define when to review, revisit, modify, or expire each policy.

DP-P2.1.09 Identify personnel for each policy and SOP addressing different levels of
responsibility (e.g., Responsible, Accountable, Consulted, and Informed).

DP-P2.1.10 Define resources needed for roll-out/implementation/enforcement of each
policy.

DP-P2.1.11 Determine which policies to impose through extended enterprise or to
require partners to address directly.

DP-P2.1.12 Translate or localize policies when determined to be necessary.

DP-P2.1.13 Identify interrelated or dependent policies to understand how changing
one may affect others.

DP-P2.2 Implement and Manage Policies and SOPs

DP-P2.2.01 Determine how to make each policy about data privacy available to each
target audience.

DP-P2.2.02 Determine whether training or testing of the target audience is required for
each policy.

DP-P2.2.03 Define specific scenarios and their applicability for relevant audience for
each policy and SOP.

DP-P2.2.04 Deliver policies to target audiences.

DP-P2.2.05 Confirm and document target audience receipt of policies.

DP-P2.2.06 Define awareness, education, and support practices for each policy
and each target audience.

DP-P2.2.07 Define methods for assessing knowledge of the existence and
understanding of each policy by target audiences.

DP-P2.2.08 Define the procedure to notify the help desk of any additions,
modifications, or expiration of policies.

DP-P2.2.09 Establish a method to assess periodically the effectiveness of each
policy in meeting the requirement or objective it is meant to address.

DP-P2.2.10 For each process control activity, establish appropriate awareness,
education, and support for responsible personnel.

DP-P2.2.11 Determine the need to assess or certify responsible personnel to ensure
that they can perform process control activities.

DP-P2.2.12 Establish a method to periodically assess the effectiveness of each process
control activity.

DP-P2.2.13 For each procedure, define a testing approach and related monitoring
activities to ensure that the procedure is operating effectively within defined
tolerances.

DP-P2.2.14 Define procedures and accountability for exceptions to procedures.

DP-P2.2.15 Determine which process control activities should be established
throughout the extended enterprise.

DP-P2.2.16 Determine needs for continuous control monitoring based on risk
assessment related to data privacy.

DP-P2.2.17 Create a common vocabulary to describe the types of technology controls.

DP-P2.3 Champion Policies

DP-P2.3.01 Obtain support and commitment from management for policies about
data privacy.

DP-P2.3.02 Have management show support for policies in both word and
action, so stakeholders realize the genuine commitment to policies by
management.

DP-P3 Communication
Establish communications to deliver and receive relevant, reliable, and
timely information to and from defined audiences as required by mandates,
or as needed to perform responsibilities and effectively shape attitudes
related to data privacy.

DP-P3.1 Develop Reporting Plan

DP-P3.1.01 Identify required external reports to data privacy regulators and other
stakeholders, and create a matrix indicating the:

o schedules or triggering events for each;
o content required;
o location or source of the content required;
o person or office responsible for preparing and filing each report;
o location and classification of each report copy as it will be retained;
o record retention and protection rules; and
o method for confirmation of delivery and receipt.

DP-P3.1.02 Define internal reports needed to allow the entity to certify there are no
violations or infringements of mandates or policies relating to data privacy, and those
needed to manage the data privacy capability, and prepare a matrix indicating the:

o schedules or triggering events for each;
o content required;
o location or source of the content required;
o person or office responsible for preparing each report;
o intended recipients of each report;
o location and classification of each report copy as it will be retained;
o record retention and protection rules; and
o need for confirmation of receipt.

DP-P3.1.03 Define any additionally desired voluntary reports to stakeholders and
create a matrix indicating the:

o schedules or triggering events for each report;
o content required;
o location or source of the content required;
o person or office responsible for preparing and filing each report;
o location and classification of each report copy as it will be retained;
and
o record retention and protection rules.

DP-P3.1.04 Define policies and procedures regarding review and resolution when
reports reflect performance outside targets and tolerances.

DP-P3.1.05 Analyze existing reporting and determine gaps against the planned
reports and their desired management.

DP-P3.2 Develop Process Architecture

DP-P3.2.01 Identify information and communications that are related to similar
processes and control owners to ensure each individual receives the necessary
communications to perform their respective duties about data privacy.

DP-P3.2.02 Develop a communications process architecture that meets the
needs of the various, but related process and control owners.

DP-P3.2.03 Ensure communications are in a relevant format to allow process and
control owners to execute their duties and take actions consistent with decision-
making criteria.

DP-P3.3 Develop Communication Plan and Strategy

DP-P3.3.01 Prepare to develop a high-level communication plan about data privacy by:

o defining the current behavior/knowledge state of each audience;
o defining the desired state;
o analyzing gaps; and
o identifying areas where there is likely to be resistance to change.

DP-P3.3.02 Develop a high-level communication plan about data privacy that identifies:

o people who are responsible for developing the communication
messages;
o all key program messages with identified senders and target
audiences;
o the various communication pieces that will deliver each message;
and
o the high-level delivery schedule and triggering events.

DP-P3.3.03 Determine what methods of communication should be used for each
category of message, applying multiple methods for key messages, and taking into
consideration the purpose of the communication (education, persuasion, information,
interview).

● use a range of methods such as:

o paper-based;
o email;
o chat platforms (e.g., WhatsApp, Telegram, Signal);
o websites;
o shared folders or shared drives;
o postings;
o live events or meetings;
o video/audio broadcast; or face-to-face personal or group
communication;

● develop communication/messaging objective and content;

● obtain required approvals;

● determine who will respond to questions;

● determine the most effective method(s) of communication;

● determine the need for redundant communication (frequency and type);

● define primary communication methods:

o between data privacy capability roles;
o between data privacy capability roles and business roles; and
o between data privacy capability roles and external stakeholders;
and

● obtain feedback from participating audience after the event.

DP-P3.3.05 Define communication/message inter-dependencies and how each fits
into the overall landscape of other entity communications/messages.

DP-P3.3.06 Maintain records of communication campaigns and participants.

DP-P3.3.07 Periodically, review and update the communication materials to keep them
current and relevant.

DP-P4 Education
Educate the governing authority, management, the workforce, and the
extended enterprise about expected conduct, and increase the skills and
motivation needed to help the organization address opportunities, threats,
and requirements pertaining to data privacy.

DP-P4.1 Develop an Awareness and Education Plan

DP-P4.1.01 Define a plan to make each target population generally aware of the data
privacy capability and their responsibilities and expected conduct, and as part of the
plan:

● Consider the scope of awareness required in the extended enterprise.

● Consider the existing level of skills when designing the plan.

● Categorize content; general awareness versus specific, in-depth training.

● Ensure people only get training relevant to their function/position.

● Ensure the approach to education considers cultural differences, generational
differences, and learning style differences in the target populations.

DP-P4.1.02 Develop materials describing the primary elements of the data privacy
capability including the alignment with the underlying mission, vision, and values of
the organization.

DP-P4.1.03 Determine which target audiences require more specific education about
particular aspects of the data privacy capability or specific policies and procedures.

DP-P4.2 Develop a Curriculum Plan

DP-P4.2.01 Define content and target audience for each course.

DP-P4.2.02 For each course that contains legal and/or policy content, map the
objective to specific legal and/or policy requirements pertaining to data privacy.

DP-P4.2.03 Define the competence required for specific roles and positions.

DP-P4.2.04 Map the series of required and desired courses for each role and position.

DP-P4.2.05 Conduct a needs assessment that identifies high risk and mandatory
training needs, and develop a training plan for each job or job family that details:

o learning objectives;
o training modules;
o target duration of training module;
o timeline for conducting training;
o timeline and method(s) for assessing knowledge and/or skill; and
o frequency for each course, including any "refresh" courses.

DP-P4.2.06 Define the time frames for training newly hired, promoted, or transferred
individuals for their new roles.

DP-P4.2.07 For each learning object, select the appropriate training mode,
media, and synchronicity based on:

o current skill level of the target audience;
o target skill level of the target audience;
o total population size and geographic distribution of the audience;
and
o existing resources and technical capability to deliver training.

DP-P4.3 Develop or Acquire Content

DP-P4.3.01 Inventory all standardized awareness messages, capturing critical
information on each and comparing to desired communications in awareness and
education plan pertaining to data privacy.

DP-P4.3.02 Inventory all live, online, and self-paced courses and related training
vendors, capturing critical information on each and comparing them to desired courses
in the master curriculum.

DP-P4.3.03 Prepare a content development plan to fill gaps in the inventory.

DP-P4.3.04 Use qualified individuals to develop training modules including, as
appropriate, learning professionals and subject matter experts with relevant training
and experience.

DP-P4.3.05 Tailor content and delivery model to an understanding of the target
audience's general ability, readiness to learn, and learning preferences (e.g., face-to-
face or e-learning).

DP-P4.4 Implement Education

DP-P4.4.01 Integrate data privacy capability training into existing job training wherever
possible.

DP-P4.4.02 Use appropriate technology to develop, deliver, and measure
education and awareness.

DP-P4.4.03 Prepare help desk to support questions regarding training access and
content.

DP-P4.4.04 Distribute communications and deliver courses in accordance with the plan
to target audiences.

DP-P4.4.05 Deliver training to potential and newly promoted leaders about
responsible and ethical decision-making so that they can lead by example.

DP-P4.4.06 Deliver training for all employees about responsible and ethical decision-
making.

DP-P4.4.07 Confirm that training was delivered/attended by the target
audience and completed.

DP-P4.4.08 Assess knowledge, competency, and skills when required and for
training that addresses significant risks pertaining to data privacy.

DP-P4.4.09 Measure training progress against the training plan including the
administration of tests and quizzes for the participants.

DP-P4.4.10 Augment or revise the prioritized data privacy-related risk matrix
and risk optimization plan to reflect:

o implemented awareness and education initiatives;
o revised current residual risk analysis; and
o performance against planned residual risk.

DP-P4.5 Provide Helpline and Integrated Support

DP-P4.5.01 Define the helpline approach and policy, including the preference for
posing questions to a supervisor (or another internal route) first or to the helpline first
(this may differ based on the type of issue).

DP-P4.5.02 Define whether helpline (for questions) and hotline (for reporting
concerns) are combined or separate.

DP-P4.5.03 Determine whether a caller must or may remain anonymous or be assured
of confidentiality, which in some circumstances may create an atmosphere of greater
trust and openness.

DP-P4.5.04 Establish a process to determine if a question is driven by observations of
(or belief that there has been) noncompliance or undesirable conduct, including:

● if concerns or allegations about noncompliance or misconduct are expressed either
directly or after probing about the reason for a question, determine if the allegation
or concerns are specific and credible enough to act on;

● obtain as much information as possible to assist in the process of categorizing the
issue within established investigation tiers; and

● after gaining basic information, redirect to the hotline process if an issue has been
identified that constitutes a report.

DP-P4.5.05 Provide helpline personnel with a list of frequently asked questions and
answers.

DP-P4.5.06 Staff the helpline with personnel who are well trained to respond to, or
seek assistance to answer, a variety of anticipated inquiries related to the data privacy
capability and requirements.

DP-P4.5.07 Establish a method to log questions and responses, indicating final
resolutions.

DP-P4.5.08 Ensure that supervisors and data privacy capability personnel embedded
in the business can answer questions about authority, responsibilities, and issues
related to data privacy-related compliance, ethics, and undertaking risks.

DP-P4.5.09 Inform employees about who is available within their work location
to answer questions about authority, responsibilities, and issues related to data
privacy-related compliance, ethics, and undertaking risks.

DP-P4.5.10 Develop and make available "self-help" materials that employees and other
agents can use to answer questions without requiring human interaction.

DP-P4.5.11 Provide self-service resources (electronic or otherwise) to help individuals
answer their questions.

DP-P5 Incentives
Implement incentives that motivate desired conduct and recognize
those who contribute to positive outcomes to reinforce desired
conduct pertaining to data privacy.

DP-P5.1 Define the Desired Conduct

DP-P5.1.01 Determine the types of desired conduct by the organization’s mission,
vision, values, and decision-making criteria about data privacy.

DP-P5.1.02 Develop definitions, classifications, and procedures for identifying those
who exhibit the defined desired conduct and contribute to positive organizational
outcomes.

DP-P5.1.03 Include as desired conduct, the expectation to notify the
organization when individuals identify allegations or indications of undesirable
conduct.

DP-P5.2 Hire and Promote Based on Conduct Expectations

DP-P5.2.01 Build ethical personal information handling considerations into job
descriptions, hiring decisions, employee performance evaluation, promotion
decisions, compensation and bonus decisions, termination criteria, and
disciplinary actions.

DP-P5.2.02 Conduct performance evaluations for key jobs/roles with
data privacy capability-related duties.

DP-P5.2.03 Include data privacy capability-related criteria in performance evaluations
including an understanding of values, incidents of ethical or alleged unethical conduct,
and compliance responsibilities related to the position.

DP-P5.2.04 Consider ethical conduct as a positive factor (and unethical conduct as a
negative factor) when evaluating and promoting employees and when selecting
leaders.

DP-P5.2.05 Define a promotion process that considers an individual's support
for and achievement of data privacy capability objectives.

DP-P5.3 Develop and Implement Compensation/Reward/Recognition
Programs

DP-P5.3.01 Develop compensation and bonus structures that include consideration and
reward for following decision-making criteria and following desired compliance and
ethical conduct in any role related to data privacy.

DP-P5.3.02 Avoid compensation or bonus incentives that encourage misconduct in any
role.

DP-P5.3.03 Analyze compensation and bonus plans for jobs/roles that relate to
revenue generation or financial roles/responsibilities, confirming that they do
not induce non-compliant or unethical behavior.

DP-P5.3.04 Analyze compensation and bonus plans for key roles including roles with
substantial authority confirming that they do not induce non-compliant or unethical
behavior.

DP-P5.3.05 Analyze discretionary budgets or allowances for all roles, confirming
that they do not induce non-compliant or unethical behavior.

DP-P5.3.06 Develop awards and other incentives to reward model conduct and
leadership in data privacy practices.

DP-P5.3.07 Develop incentives that encourage reporting of misconduct or flaws in data
privacy capabilities.

DP-P5.3.08 Develop awards and other incentives to recognize organizational units
and extended enterprise partners for exemplary management of the data privacy
capability or group conduct.

DP-P5.3.09 Develop awards and other incentives for suggestions that improve the data
privacy capabilities.

DP-P5.3.10 Develop awards and other incentives for contributions by individuals
or organizational or extended enterprise units that result in reduced compliance
failures, enforcement actions, or other external challenges to the organization.

DP-P5.3.11 Reward by at least acknowledging members of the workforce for the
successful completion of on-the-job training and self-initiated continuous learning
and improvement.

DP-P6 Notification
Establish channels and pathways for stakeholders to notify management of
their level of satisfaction with the data privacy practices of the organization,
and for individuals to make requests and exercise rights regarding their
personal information, as well as pathways to report the actual or potential
occurrence of undesirable conduct and events pertaining to data privacy.

DP-P6.1 Capture Notifications

DP-P6.1.01 Use multiple channels to collect information:

o in person;
o phone;
o mail;
o email;
o chat platforms;
o technology solutions; and
o web.

DP-P6.1.02 Make some channels available 24 hours per day, 7 days per week, 365 days
per year. For example, a channel for anonymous reporting. Where feasible, use a neutral
party to receive the reporter’s feedback (helps avoid chilling effect on notifications by
whistleblowers).

DP-P6.1.03 Define the notification approach and policy, including the preference for
reporting to a supervisor (or another internal route) first or to the hotline first (this may
differ based on the type of issue and local custom and law).

DP-P6.1.04 Define which channels will be delivered using internal and/or external
resources.

DP-P6.1.05 Define procedures for protecting the anonymity of notifiers in jurisdictions
where that is required or allowed.

DP-P6.1.06 Make the notification pathways available and accessible to multiple
stakeholders:

o employees;
o agents (contract employees acting on behalf of the entity);
o suppliers and customers; and
o public.

DP-P6.1.07 Communicate the availability of the notification pathways to the workforce,
customers, and other stakeholders.

DP-P6.1.08 Define procedures for reducing abandonment of initiated notifications,
including:

o limiting or disallowing hold time on phone notifications;
o providing multiple language capabilities; and
o training intended notification recipients to respect reporting
individuals.

DP-P6.1.09 Define procedures for protecting the confidentiality of all reported
information during intake.

DP-P6.1.10 Obtain requisite internal and external approvals or licenses of the defined
approach.

DP-P6.1.11 Consistent with local custom and law, create a policy, either separately or as
part of the code of conduct, requiring employees to use one of the notification pathways
if they observe or know of misconduct.

DP-P6.1.12 Define a policy, either separately or as part of the code of conduct, stating
that the organization will not retaliate against individuals who notify the organization
about misconduct or data privacy capability flaws.

DP-P6.1.13 Document the inquiry, personal request to exercise rights over data,
rejection, or issue using a system or method that allows for subsequent analysis.

DP-P6.1.14 Train personnel (particularly supervisory personnel expected to receive
notifications through the open-door policy) on how to handle notifications they receive.

DP-P6.1.15 Take into consideration informal notification methods (e.g., through
supervisory personnel) and ensure these informal notifications are also captured and
addressed by the organization.

DP-P6.1.16 Utilize technology solutions, enabling the organization to analyze data as an
inquiry method.

DP-P6.1.17 Develop a technology solutions strategy to help provide input about progress
towards objectives related to data privacy, and the existence of undesirable conduct,
conditions, and events.

DP-P6.2 Filter and Route Notifications

DP-P6.2.01 Create uniform procedures to manage notifications, including:

● taxonomy and uniform vocabulary for types of incidents, data breaches, or
concerns;

● uniform notification forms or data entry fields;

● issue routing and escalation protocols depending on the severity or the criticality of
the notification;

● single ultimate repository for all notifications; and

● methods by which recipients of notifications outside of the hotline process enter
information into the repository for processing.

DP-P6.2.02 Define procedures to efficiently review and confirm the validity of
notifications.

DP-P6.2.03 Define information retention requirements associated with all notification
pathways.

DP-P6.2.04 Track the issue as it flows through the resolution process until closure.

DP-P6.2.05 Establish a procedure to deliver feedback to the notifier so that he or she
understands that the issue is being processed or has been resolved.

DP-P6.2.06 Utilize technology solutions to filter and route notifications to the right
person at the right time, so the organization can respond to notifications from humans
and systems.

DP-P6.2.07 Maintain records of all notifications and feedback for follow-up actions and
improvement to the organization’s data privacy processes and practices.

DP-P6.2.08 Flag any trends, patterns, or anomalies that may require concerted
organization-wide actions (e.g., systemic issues).
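The routing and tracking procedure described in DP-P6.2, as an added example that is not part of the Model or of OCEG's materials: one repository that applies a uniform taxonomy and record to every channel (including the informal supervisor route of DP-P6.1.15), routes each notification by severity, tracks it to closure, returns feedback to the notifier, and flags categories that recur. The taxonomy, the severity levels, the role names in the routing table, and the sample notifications are all constructed assumptions.

```python
# Added example (not OCEG's own code): notification intake and routing for DP-P6.2.
# The taxonomy, severity levels, routing table and sample data are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Category(Enum):
    """Uniform vocabulary for notification types (assumed taxonomy)."""
    INCIDENT = "incident"
    DATA_BREACH = "data_breach"
    CONCERN = "concern"
    QUESTION = "question"


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Routing and escalation protocol: the owning role at each severity (assumed roles).
ROUTING: Dict[Severity, str] = {
    Severity.LOW: "privacy-office",
    Severity.MEDIUM: "privacy-office",
    Severity.HIGH: "dpo",
    Severity.CRITICAL: "breach-response-team",
}

# Resolution workflow: each status and the only status it may move to.
NEXT_STATUS = {"received": "validated", "validated": "in_progress", "in_progress": "closed"}


@dataclass
class Notification:
    """Uniform record: every intake channel fills the same fields."""
    notification_id: int
    channel: str              # "hotline", "supervisor", "system-alert", ...
    category: Category
    severity: Severity
    summary: str
    assignee: str = ""
    status: str = "received"
    history: List[str] = field(default_factory=list)
    feedback_to_notifier: List[str] = field(default_factory=list)


class NotificationRepository:
    """Single ultimate repository for all notifications, with an audit trail."""

    def __init__(self) -> None:
        self._records: Dict[int, Notification] = {}

    def get(self, notification_id: int) -> Notification:
        return self._records[notification_id]

    def intake(self, channel: str, category: Category,
               severity: Severity, summary: str) -> Notification:
        # Route by severity at intake so nothing lingers in a side channel.
        n = Notification(len(self._records) + 1, channel, category, severity, summary)
        n.assignee = ROUTING[severity]
        n.history.append(f"received via {channel}; routed to {n.assignee}")
        n.feedback_to_notifier.append("Your report has been received and is being processed.")
        self._records[n.notification_id] = n
        return n

    def advance(self, notification_id: int, new_status: str) -> Notification:
        # Track the issue through to closure and tell the notifier when it is resolved.
        n = self._records[notification_id]
        if NEXT_STATUS.get(n.status) != new_status:
            raise ValueError(f"cannot move {n.status} -> {new_status}")
        n.status = new_status
        n.history.append(f"status -> {new_status}")
        if new_status == "closed":
            n.feedback_to_notifier.append("The issue you reported has been resolved.")
        return n

    def recurring_categories(self, threshold: int = 3) -> List[str]:
        # Categories reported at least `threshold` times may indicate a systemic issue.
        counts: Dict[str, int] = {}
        for n in self._records.values():
            counts[n.category.value] = counts.get(n.category.value, 0) + 1
        return [c for c, k in counts.items() if k >= threshold]


def demo() -> NotificationRepository:
    """Constructed sample: an informal supervisor report, a hotline call and three
    system alerts all land in the same repository."""
    repo = NotificationRepository()
    repo.intake("supervisor", Category.CONCERN, Severity.LOW,
                "employee unsure whether a spreadsheet may be shared")
    repo.intake("hotline", Category.DATA_BREACH, Severity.CRITICAL,
                "customer file e-mailed to the wrong recipient")
    for _ in range(3):
        repo.intake("system-alert", Category.INCIDENT, Severity.MEDIUM,
                    "DLP rule triggered on outbound mail")
    for status in ("validated", "in_progress", "closed"):
        repo.advance(2, status)
    return repo
```

Because every channel calls the same `intake`, the taxonomy and routing are applied uniformly, and each record's `history` list is the kind of trail DP-P6.2.07 asks to be maintained; `advance` refuses out-of-order transitions so a notification cannot be closed without passing validation.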



DP-P6.3 Adhere to Data Privacy Requirements

DP-P6.3.01 Define whether hotline (for reporting concerns) and helpline (for
questions) are combined or separate.

DP-P6.3.02 Determine whether an anonymous reporting system is required,
allowed, or not allowed in a given location or circumstance, and design a hotline
accordingly.

DP-P6.3.03 Understand data privacy requirements that are globally applicable to your
organization and design the approach so that the hotline complies with all applicable
data privacy-related mandates.

DP-P6.3.04 Establish separate hotlines, or routing approaches, as needed to
comply with different legal requirements based on the locale of the notifier and of
the organization.



DP-P7 Inquiry
Periodically analyze data and seek input about progress toward objectives
related to data privacy; and the existence of undesirable conduct,
conditions, and events pertaining to data privacy.

DP-P7.1 Establish Multiple Pathways to Obtain Information

DP-P7.1.01 Establish an information gathering method to be used during key meetings
or conversations with key stakeholder groups and target audiences (employee council,
analyst briefings, customer/business partner advisory groups, lessons learned sessions,
knowledge sharing sessions, government relations meetings, audits) to gain information
about data privacy.

DP-P7.1.02 Institute opportunities for formal individual workforce conversations.

DP-P7.1.03 Encourage informal conversations and establish an open-door policy.

DP-P7.1.04 Develop a technology solutions strategy so the organization can leverage
technology to seek input about progress towards data privacy-related objectives, and
the existence of undesirable conduct, conditions, and events by analyzing
organizational and external data.

DP-P7.1.05 Utilize technology solutions to provide the organization with information
from data included in systems and databases.

DP-P7.1.06 Inventory existing data privacy surveys and self-assessments, analyze
audiences, timing, and content, and develop a plan to consolidate, retire, and augment
to close any gaps.

DP-P7.1.07 Establish an integrated calendar of surveys and self-assessments
to ensure that they are better coordinated and to mitigate survey/self-assessment
fatigue.

DP-P7.1.08 Determine appropriate methods to increase survey/self-assessment
response rates and candor:

o method of delivery (electronic, telephone, paper);
o opportunity to respond anonymously;
o incentive or reward for participating; or
o mandating completion.

DP-P7.1.09 Coordinate the scheduling of any focus groups or other meetings
established to discuss data privacy capability issues.



DP-P7.1.10 Establish methods to observe workforce behavior and glean information
about attitudes and beliefs regarding organizational commitment to values and the
data privacy capability.

DP-P7.2 Report Information and Findings

DP-P7.2.01 Analyze information and findings to identify and refer to any
issues requiring immediate attention.

DP-P7.2.02 Analyze information and findings to identify and refer to information
relevant to risk analysis and optimization choices.

DP-P7.2.03 Analyze information and findings to identify and refer for improvement
any data privacy capability weaknesses.

DP-P7.2.04 Document inquiries or issues using a system or method that allows for
subsequent tracking and further analysis.

DP-P7.2.05 Maintain records of all notifications and feedback for follow-up
actions and improvement to the organization’s data privacy processes and
practices.

DP-P7.2.06 Flag any trends, patterns, or anomalies that may require
concerted organization-wide actions (e.g., systemic issues).



DP-P8 Response
Respond, in accordance with applicable data privacy laws and
regulations, to any individual’s request to exercise their rights over their
information, identified data or privacy breach, or complaint about data
privacy management; and any identified or suspected undesirable
conduct, events, or management weaknesses affecting data privacy.

DP-P8.1 Design Response Structure for Individual Requests

DP-P8.1.01 Understand the various rights that are available to individuals (data
subjects) according to the provisions of the data privacy law:

● Right to information (which includes notifying individuals of the purposes of
processing and ensuring transparency of processing).

● Right to withdraw any consent given (or to change it in some other way).

● Right to access personal information and correct it.

● Right to data portability.

● Right to object to processing.

● Right to restrict processing.

● Right to data deletion / erasure / ‘right to be forgotten’.

● Right to not be subject to automated decision-making.

● Right to opt out of the organization selling personal information.

DP-P8.1.02 Verify the identity of the individual requester first before acceding to
his/her request.

DP-P8.1.03 Use standardized request forms and procedures.

DP-P8.1.04 Respond to individuals’ requests according to the requirements and
timeframe as stipulated in the data privacy law, including any exceptions.

DP-P8.1.05 Take note of exceptions or denials to these requests and document the
reasons.

DP-P8.1.06 Make corrections to any inaccuracy or omission in the individual
requester’s personal information held by the organization.
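An added example, not the Model's own material, of the request-handling order in DP-P8.1.02 to DP-P8.1.05: a request record whose rights mirror the DP-P8.1.01 list, which refuses fulfilment until the requester's identity is verified, derives its due date from a configurable response window counted from receipt, and requires a documented reason for any denial. The 30-day window, the dates and the sample requests are constructed assumptions, not figures from the Model or from any particular law.

```python
# Added example (not OCEG's own code): data-subject request handling for DP-P8.1.
# The 30-day window, dates and sample requests are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Right(Enum):
    """Rights listed in DP-P8.1.01."""
    INFORMATION = "information"
    WITHDRAW_CONSENT = "withdraw_consent"
    ACCESS_AND_CORRECT = "access_and_correct"
    PORTABILITY = "portability"
    OBJECT = "object"
    RESTRICT = "restrict"
    ERASURE = "erasure"
    NO_AUTOMATED_DECISION = "no_automated_decision"
    OPT_OUT_OF_SALE = "opt_out_of_sale"


@dataclass
class DataSubjectRequest:
    request_id: str
    right: Right
    received: date
    response_window_days: int = 30      # assumed; take it from the applicable law
    identity_verified: bool = False
    outcome: str = "pending"            # pending | fulfilled | denied
    denial_reason: Optional[str] = None
    log: List[str] = field(default_factory=list)

    @property
    def due(self) -> date:
        # The statutory clock runs from receipt, not from identity verification.
        return self.received + timedelta(days=self.response_window_days)

    def is_overdue(self, today: date) -> bool:
        return self.outcome == "pending" and today > self.due

    def verify_identity(self, evidence_ok: bool) -> None:
        self.identity_verified = evidence_ok
        self.log.append(f"identity check {'passed' if evidence_ok else 'failed'}")

    def fulfil(self) -> None:
        # Verification is a precondition of acting on the request, not a parallel step.
        if not self.identity_verified:
            raise PermissionError("identity not verified; request cannot be fulfilled")
        self.outcome = "fulfilled"
        self.log.append(f"fulfilled: {self.right.value}")

    def deny(self, reason: str) -> None:
        # Every denial or exception carries a documented reason.
        if not reason.strip():
            raise ValueError("a denial must be documented with a reason")
        self.outcome = "denied"
        self.denial_reason = reason
        self.log.append(f"denied: {reason}")


def overdue_requests(requests: List[DataSubjectRequest], today: date) -> List[str]:
    """Request ids still pending past their due date, for escalation."""
    return [r.request_id for r in requests if r.is_overdue(today)]


def demo_summary(today: date = date(2022, 11, 15)) -> Dict[str, object]:
    """Constructed sample queue as of an assumed 'today', summarised as plain values."""
    erasure = DataSubjectRequest("DSR-1", Right.ERASURE, date(2022, 10, 1))
    erasure.verify_identity(True)
    erasure.fulfil()
    access = DataSubjectRequest("DSR-2", Right.ACCESS_AND_CORRECT, date(2022, 10, 10))
    access.verify_identity(False)
    access.deny("requester identity could not be verified from the evidence supplied")
    portability = DataSubjectRequest("DSR-3", Right.PORTABILITY, date(2022, 10, 5))
    objection = DataSubjectRequest("DSR-4", Right.OBJECT, date(2022, 11, 10))
    requests = [erasure, access, portability, objection]
    blocked = False
    try:
        portability.fulfil()        # identity never verified: must be refused
    except PermissionError:
        blocked = True
    return {
        "outcomes": {r.request_id: r.outcome for r in requests},
        "due": {r.request_id: r.due.isoformat() for r in requests},
        "overdue": overdue_requests(requests, today),
        "unverified_fulfil_blocked": blocked,
    }
```

The `overdue_requests` report is the hook for DP-P6.2 style escalation: a request that is still pending past `due` is the one the privacy office needs to see first, and the `log` on each record is what a reviewer inspects to confirm the DP-P8.1.02 ordering was actually followed.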



DP-P8.2 Establish a Data Breach Response Plan

DP-P8.2.01 Establish processes and mechanisms to manage a data breach if it occurs
(including any data breach notification obligations, within time limits established by
applicable data privacy laws).

DP-P8.2.02 In preparation for data breaches, put in place a data breach management
plan and set up a data breach response team with roles and responsibilities spelled out.

DP-P8.2.03 Create mock data breach scenarios and carry out tabletop exercises to
practice how to respond to a data breach (repress, return, resolve, report data breach),
how to prepare an incident report, and how to escalate the incident to higher-level
management.

DP-P8.2.04 When a data breach does occur, activate the data breach response team,
and put in motion the data breach management plan:

● Initiate an internal investigation to find out the facts of the data breach and take
remedial actions.

● First action item is to reduce or minimize harm to the affected individuals.

● Next is to assess the nature and extent of the data breach and determine whether it
is notifiable to the regulator.

● If it is a notifiable data breach, inform the regulator within the mandatory time
frame as stated in the data privacy law and the affected individuals if required.

● Review the root cause(s) of the data breach and plug the gaps in the affected
systems or processes to ensure that a similar breach does not happen in the future.

DP-P8.3 Establish Investigation Processes

DP-P8.3.01 Establish a core team to process data privacy-related issues that are
identified by complaints, expressions of concern, or other discovery methods
(additional parties may be involved on a case-by-case basis to address specific types of
issues as they arise).

DP-P8.3.02 Develop and use taxonomies for classifying reported or identified issues
and their severity level.

DP-P8.3.03 Establish an initial screening process to separate issues that can be
quickly resolved from those that may need investigation.



DP-P8.3.04 Define issue management methodology including these key steps:

● recording and categorizing an issue or question (routing of questions for answers)
upon intake;

● confirmation/validation of an issue;

● analysis of an issue;

● investigation of an issue;

● escalation of an issue;

● resolution of the issue; and

● referral for remediation/discipline of individuals.

DP-P8.3.05 Define confidentiality and anonymity policies and procedures to protect
notifiers and confidential information and satisfy all legal mandates.

DP-P8.3.06 Define "investigation tiers" that identify who will address issues of
particular scope and type.

DP-P8.3.07 Define categories of issues that are escalated to the Board or a Board
committee immediately upon validation, such as those that are at the crisis level due
to impact on the organization and its operations.

DP-P8.3.08 Define categories of issues that are significant enough to be escalated to
senior management and/or outside counsel immediately upon validation, due to the
material nature of the potential effect on the organization.

DP-P8.3.09 Define categories of issues that are serious enough to be addressed in
special investigations by designated investigators (e.g., data forensic experts)
immediately upon validation, due to the nature of the potential effect on the
organization, for which specific procedures are established.

DP-P8.3.10 Define categories of issues that are anticipated in the course of
business, and which may be addressed based on recommendations of initial
investigations by line management using specifically established procedures.

DP-P8.3.11 Define template plans for standard and special investigations of common
issues within each investigation tier addressing:

● processing rules;

● provision of counsel rules;

● privilege rules;

● record retention rules;

● escalation rules;

● internal and external reporting rules; and

● investigation management rules (need for outside legal counsel or special in-house
investigators).

DP-P8.3.12 Establish an inventory of the types of possible third-party investigations
and assign management responsibility for each type (overall or within specific areas of
risk concern and/or part of the organization), including:

● compliance audit of the organization as a vendor;

● routine regulatory investigations;

● regulatory investigations that relate to possible civil or criminal violations;

● private party investigations related to litigation or legal claims;

● external stakeholder investigations;

● judicial investigations; and

● physical site or document seizures by government enforcement agents.

DP-P8.3.13 Determine and document organizational rights and procedural safeguards
in the context of each anticipated type of investigation based on investigating authority
and lawful basis of the investigation, taking privilege and confidentiality needs into
account.

DP-P8.3.14 Establish policies and procedures to follow at the onset of each identified
type of investigation including procedures for:

● establishing an internal response team and team leader;

● responding to interview requests and subpoenas;

● responding to document requests and subpoenas;

● responding to information that former employees or other stakeholders have been
contacted for interviews or documents; and

● responding to the sudden onsite presence of investigators demanding documents or
seizure of the premises.

DP-P8.3.15 Establish procedures to disclose the existence of a particular type of
investigation to the Board, independent auditors, regulatory agencies, or insurers
whenever there is an obligation to do so under agreements, contracts, or established
policies and procedures and ensure disclosure meets any timing requirements.

DP-P8.3.16 Establish procedures to quickly inform senior management and the Board
or audit committee of any investigation the outcome of which may be material to the
organization, implicate wrongdoing by any member of management, indicate criminal
wrongdoing by anyone in the organization, or lead to potential reputation damage,
taking privilege and confidentiality needs into account.

DP-P8.3.17 Establish procedures to inform those responsible for managing the public
relations and stakeholder relations of the organization about investigations as soon as
possible and, to the extent necessary, within the context of a privileged discussion.

DP-P8.3.18 Prepare a standard response management plan for each type of
investigation, which may be modified based on specific investigation facts and
circumstances, which addresses procedures to:

● collect or identify all requested documents and data and initiate document holds to
stop any routine destruction or removal;

● document exactly what is provided to the third party;

● track information that will be released as non-privileged, indicating that the release
is intentional and controlled;

● track the list of released items being maintained as privileged;

● determine individuals who will need to be interviewed to fulfill investigation
requests, both current personnel of the organization and former employees or
agents;

● determine if any requests for information will be refused and develop that response
under legal review;

● determine the need to negotiate confidentiality agreements regarding certain
information to be delivered to the third party and whether the organization needs
to seek to provide any privileged information under seal;

● inform individuals involved in the investigation as witnesses, interviewees, or
otherwise, that in-house and outside counsel represent only the organization and
not them individually, and document that they understand; and

● internally and externally communicate investigation results and recommended
actions.

DP-P8.3.19 Establish multiple pathways for intake of third-party questions
including, but not limited to, an anonymous helpline.

DP-P8.3.20 Establish procedures to screen incoming third-party questions, including:

● determine if initial questions are part of an ongoing investigation;

● refer inquiries to in-house or external counsel; and

● assign the non-investigative question to the appropriate person for timely response
or discussion (or refusal to provide information).

DP-P8.3.21 Establish accepted answers to expected questions that may be provided
without further review or approval, via helpline or otherwise.

DP-P8.3.22 Establish a list of types of questions requiring referral to in-house legal
counsel or that will not be answered without a decision by counsel.

DP-P8.3.23 Establish procedures to ensure that questions posed to the
organization via a helpline or other method, that are identified as part of or
precursor to a third-party investigation are forwarded to appropriate personnel
responsible for vetting such investigations.

DP-P8.3.24 Establish policies and procedures to require internal reporting of
knowledge of non-standard third-party inquiries or investigations to appropriate
management personnel.

DP-P8.3.25 Establish monitoring of external sources to identify the onset of
a third-party investigation when possible.

DP-P8.3.26 Establish initial lists of the people (roles) responsible for
implementing or overseeing procedures set for each type of investigation,
considering that:

● different people may be identified for investigations into different risk areas or
parts of the organization;

● different people may head up the team depending on the type of investigation; and

● some investigations will need to be completely managed by external legal counsel.

DP-P8.3.27 Establish a list of outside counsel selected or approved in advance to be
consulted when the need for counsel in a particular type of investigation arises and
establish procedures to engage such counsel if the need arises.

DP-P8.3.28 Utilize established rules, policies, and procedures for the type of
investigation to determine which people within the organization will be responsible
for overseeing the organization's role in the investigation, dealing directly with
investigators, and leading the internal investigation team.

DP-P8.3.29 Establish procedures to screen all selected team members to ensure no
conflict of interest or bias in the type of investigation and continually revisit as
information arises.

DP-P8.3.30 Establish policies that ensure team members have clear authority and
that their authority will be expressed to all personnel who may have to respond to
their requests for information, documents, or interviews.

DP-P8.3.31 Establish policies and procedures that ensure team members are relieved
of other duties as necessary to provide the time required to participate effectively in the
investigation.

DP-P8.3.32 Establish procedures to determine whether there is an obligation to
immediately disclose the existence of a specific investigation to the Board,
independent auditors, regulatory agencies, or insurers under agreements, contracts,
or established policies and procedures.

DP-P8.3.33 Prepare a standard response management plan for each type of
investigation, which may be modified based on specific investigation facts and
circumstances, which addresses procedures to:

● collect or identify all requested documents and data and initiate document holds to
stop any routine destruction or removal;

● document exactly what is provided to the third party;

● track information that will be released as non-privileged, indicating that the release
is intentional and controlled;

● track list of released items being maintained as privileged;

● determine individuals who will need to be interviewed to fulfill investigation
requests, both current personnel of the organization and former employees or
agents;

● determine if any requests for information will be refused and develop that response
under legal review;

● determine the need to negotiate confidentiality agreements regarding certain
information to be delivered to the third party and whether the organization needs
to seek to provide any privileged information under seal;

● inform individuals involved in the investigation as witnesses, interviewees, or
otherwise, that in-house and outside counsel represent only the organization and
not them individually, and document that they understand; and

● internally and externally communicate investigation results and recommended
actions.

DP-P8.4 Prepare to Address Crisis Situations

DP-P8.4.01 Identify the types of data privacy-related crises that might arise and create
a list of specific examples of ones deemed to be either likely or of significant impact if
they were to occur, including events with crisis level impacts on:

● access to data such as physical disruption to servers or technology failure;

● protection of confidential or personal information such as theft or breach of such
information;

● ability to operate such as technology or power interruptions, denial of service
attacks;

● public confidence in products or services that make use of stakeholders’ personal
information; and

● reputation of the organization.

DP-P8.4.02 Develop business impact analysis and/or privacy impact analysis for each
listed type of crisis by:

● refining internal and external context and risk analysis;

● analyzing implications of loss, delay, inability to access or serve key people,
systems, processes, suppliers, customers, and business partners; and

● analyzing anticipated information loss based on archive/back-up strategies for
systems and processes.

DP-P8.4.03 Address business continuity and recovery goals for each type of crisis by:

● determining recovery time objectives;

● prioritizing key business processes and critical functions;

● selecting and documenting business continuity strategies for interim operations
and recovery plans;

● documenting information systems interim operations and recovery plans; and

● documenting facilities’ interim responses and recovery.

DP-P8.4.04 Establish detailed response and recovery plans that adhere to regulatory
and other requirements for each type of crisis that include the following:

● In the case of a physical crisis, policies, and procedures for coordination with first
responders from local authorities on plans, procedures, and communication
protocols so they can facilitate safety, rescue, and emergency operations.

● In the case of potential allegations of criminal conduct, procedures for interactions
with police or prosecution authorities.

● In the case of a data management disruption or failure, disaster recovery plans.

● An identified communications plan and team, including legal, public relations, and
investor relations as appropriate.

● Policies and procedures to direct public disclosures and communications through
identified organization representatives, and involve legal, public relations, and
investor relations as appropriate.

● Procedures for establishment of crisis response headquarters away from
danger/crisis area.

● Policies and procedures that prioritize the physical safety of employees and family
member communications.

● Procedures to evaluate pursuing contractual or other legal rights to demand
indemnification or file claims for insurance.

● Procedures to analyze response effectiveness and performance after action.

DP-P8.4.05 Identify Crisis Readiness and Response Teams for each type of crisis
including:

● personnel who will have responsibility for maintaining readiness and monitoring
for signs of impending crisis;

● a preliminary response team in each location, amending to stay fresh as necessary
to address personnel changes;

● leadership that is accountable for communicating with the workforce, families, and
external stakeholders for each type of crisis; and

● succession authorities if an individual with established authority is unavailable
when a crisis arises.

DP-P8.4.06 Define and conduct preparedness exercise plans for each type of crisis, and:

● evaluate performance against the plan and effectiveness of the response;

● correlate local, regional, and national plans;

● coordinate and rationalize recovery time objectives across plans of individual
functions, departments, business units, or facilities with projected resource
availability; and

● rationalize recovery time objectives with information systems recovery capabilities.

DP-P8.5 Follow Resolution Processes

DP-P8.5.01 Respond to each investigation or crisis per the established processes and
plans.

DP-P8.5.02 Coordinate and communicate with internal and external stakeholders
impacted by the investigation or crisis.

DP-P8.5.03 Ensure adequate documentation is kept of the response activities for use
in management monitoring, assurance, or other activities.



DP-P8.6 Discipline and Retrain

DP-P8.6.01 Define and enforce a procedure and criteria for consistent discipline given
the type of misconduct.

DP-P8.6.02 Administer appropriate discipline under applicable policies, procedures,
laws, and regulations.

DP-P8.6.03 Track discipline decisions and include them in workforce files and
extended enterprise relationship records.

DP-P8.6.04 Provide for retraining as appropriate.

DP-P8.6.05 Periodically, report to the Board on material disciplinary measures
taken (and underlying facts and circumstances).

DP-P8.6.06 Periodically, review past disciplinary actions to ensure consistency.

DP-P8.7 Determine Disclosure Process and Make Disclosures

DP-P8.7.01 As required, disclose the results of investigations to external stakeholders.

DP-P8.7.02 Establish procedures to voluntarily disclose results and resolution of
investigations to internal and external stakeholders as appropriate, including:

o regulatory agencies;
o enforcement authorities;
o insurers;
o customers; and
o workforce.

DP-P8.7.03 Provide a single point of communication with external stakeholders.

DP-P8.7.04 Inform stakeholders about resulting changes to the data privacy capability.



DP-R: Review
Conduct activities to monitor and improve the design and operating
effectiveness of the DPMP, including its continued alignment to the
objectives and strategies of both the program and the organization overall.

DP-R1 Monitoring
Monitor and periodically evaluate the performance of the DPMP to
ensure it is designed and operated to be effective, efficient, and
responsive to change.

DP-R1.1 Monitor and Evaluate DPMP Design

DP-R1.1.01 Define aspects of the data privacy capability design to be periodically
re-evaluated, including:

● effectiveness in preventing and detecting conduct or events that violate mandated
or voluntarily established requirements related to data privacy;

● efficiency of the controls established as part of the system;

● appropriateness of the selected controls relative to the level of risk; and

● responsiveness of the system.

DP-R1.1.02 Define the areas to be monitored, the metrics to be used for
monitoring, and the frequency of monitoring. Examples of areas suitable for
monitoring include:

o Appointment of new third-party service providers.
o The aftermath of a security or data privacy incident.
o Deterioration of a business function.
o An increased spate of data privacy-related complaints.
o Indications of an insider threat.
o New business products, services, or technology.
o Retrenchments or exodus of staff.

DP-R1.1.03 Select appropriate monitoring methods for each aspect of the data privacy
capability based on identified goals, assurance level, and sensitivity status, such as:

● technologies to flag incidents of non-conformance to established procedures;

● periodic review of samples of reports, forms, or other required documentation;

● periodic review of established metrics and performance indicators; and

● periodic review of testing controls information.

Examples of mechanisms and metrics that can be used for monitoring and collecting
relevant information include:

o dashboards;
o system logs;
o number of staff trained;
o customer inquiries, requests, and complaints;
o staff violations of internal rules; and
o data breaches.

DP-R1.2 Identify Monitoring Information

DP-R1.2.01 Identify persuasive information that can be used to conclude that a data
privacy-related risk optimizing activity is effective, efficient, and responsive.

DP-R1.2.02 Consider direct information from monitoring the external and internal
environments.

DP-R1.2.03 Consider direct information about substantiated incidents and general
patterns of misconduct.

DP-R1.2.04 Consider direct information from testing controls.

DP-R1.2.05 Consider indirect information generated by business processes for
operational purposes.

DP-R1.2.06 Ensure that information is sufficient, relevant, reliable, and timely.

DP-R1.2.07 Determine what information may be reviewed by samples and what
information requires complete review.

DP-R1.2.08 Determine what information must be considered that is not contained in
reviewable documents or data, and determine methods for reviewing such information
such as interviews or surveys.

DP-R1.2.09 Identify the key risk optimizing activities whose failures may not be
detected promptly (single points of failure).



DP-R1.2.10 Identify the risk optimizing activities whose failure might trigger the
failure of other risk optimizing activities (points of cascading failure).

DP-R1.2.11 Identify the risk optimizing activities that may compensate for failures in
other key optimizing activities (key compensating activities).

DP-R1.2.12 Identify other related risk-optimizing activities.

DP-R1.2.13 Utilize technology solutions to aid in monitoring.

DP-R1.3 Perform Monitoring, Analyze, and Report Results

DP-R1.3.01 Review identified documents and samples of data about data
privacy.

DP-R1.3.02 Conduct identified interviews and surveys.

DP-R1.3.03 Consolidate information from different sources to enable
comparison and analysis.

DP-R1.3.04 Analyze information from:

● preventing, detecting, and responding activities including completed and ongoing
investigations about data privacy;

● human capital control activities; and

● context monitoring.

DP-R1.3.05 Identify and analyze reasons for conflicting information.

DP-R1.3.06 Determine the validity and reliability of the information.

DP-R1.3.07 Determine if misconduct or control failures are occurring beyond
established acceptable tolerances.

DP-R1.3.08 Determine if several instances of misconduct or control failures relate
to a particular location, supervisor, manager, or individual.

DP-R1.3.09 Determine if several control failures relate to a particular process,
human capital, technology, or physical control.

DP-R1.3.10 Report on the results and general proposed responses to appropriate
internal and external stakeholders.
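The analyses in DP-R1.3.07 to DP-R1.3.09, together with the pattern flagging in DP-R1.3.16, as an added example that is not part of the Model: monitoring logic run over constructed control-test records that reports controls failing beyond a tolerance and the attributes (location, supervisor, control) on which failures concentrate. The tolerances, the attribute names and the sample records are assumptions; an organization would feed the same functions from its own testing results.

```python
# Added example (not OCEG's own code): monitoring analysis for DP-R1.3.07-.09 and .16.
# Tolerances, attribute names and the sample records are constructed assumptions.
from collections import Counter
from typing import Dict, List, Tuple


def _row(period: str, control: str, location: str, supervisor: str, outcome: str) -> Dict[str, str]:
    return {"period": period, "control": control, "location": location,
            "supervisor": supervisor, "outcome": outcome}


# Constructed control-test records: one row per execution of a control.
SAMPLE_RESULTS: List[Dict[str, str]] = [
    _row("2022-Q3", "access-review", "Berlin", "sup-A", "pass"),
    _row("2022-Q3", "access-review", "Berlin", "sup-A", "fail"),
    _row("2022-Q3", "access-review", "Lisbon", "sup-B", "pass"),
    _row("2022-Q3", "retention-purge", "Berlin", "sup-A", "fail"),
    _row("2022-Q3", "retention-purge", "Lisbon", "sup-B", "pass"),
    _row("2022-Q3", "dsr-response", "Lisbon", "sup-B", "pass"),
    _row("2022-Q4", "access-review", "Berlin", "sup-A", "fail"),
    _row("2022-Q4", "access-review", "Lisbon", "sup-B", "pass"),
    _row("2022-Q4", "retention-purge", "Berlin", "sup-A", "fail"),
    _row("2022-Q4", "retention-purge", "Lisbon", "sup-B", "pass"),
    _row("2022-Q4", "dsr-response", "Lisbon", "sup-B", "pass"),
    _row("2022-Q4", "dsr-response", "Berlin", "sup-A", "pass"),
]

# Assumed maximum acceptable failure rate per control (the "established tolerance").
TOLERANCE: Dict[str, float] = {"access-review": 0.10, "retention-purge": 0.05, "dsr-response": 0.10}


def failure_rate_by_control(results: List[Dict[str, str]]) -> Dict[str, float]:
    runs = Counter(r["control"] for r in results)
    fails = Counter(r["control"] for r in results if r["outcome"] == "fail")
    return {c: fails[c] / runs[c] for c in runs}


def beyond_tolerance(results: List[Dict[str, str]], tolerance: Dict[str, float]) -> List[str]:
    """DP-R1.3.07: controls whose observed failure rate exceeds their tolerance."""
    rates = failure_rate_by_control(results)
    return sorted(c for c, rate in rates.items() if rate > tolerance.get(c, 0.0))


def concentrations(results: List[Dict[str, str]], attribute: str,
                   min_failures: int = 3, min_share: float = 0.5) -> List[Tuple[str, int]]:
    """DP-R1.3.08/.09: values of `attribute` that account for most of the failures.
    Both a minimum count and a minimum share are required, so two isolated
    failures on one supervisor are not reported as a pattern."""
    failures = [r for r in results if r["outcome"] == "fail"]
    if not failures:
        return []
    counts = Counter(r[attribute] for r in failures)
    return sorted((value, k) for value, k in counts.items()
                  if k >= min_failures and k / len(failures) >= min_share)


def flag_patterns(results: List[Dict[str, str]], tolerance: Dict[str, float] = TOLERANCE) -> List[str]:
    """DP-R1.3.16: human-readable flags for the report to stakeholders."""
    flags: List[str] = []
    rates = failure_rate_by_control(results)
    for c in beyond_tolerance(results, tolerance):
        flags.append(f"control '{c}' failure rate {rates[c]:.0%} exceeds tolerance {tolerance[c]:.0%}")
    total = sum(1 for r in results if r["outcome"] == "fail")
    for attribute in ("location", "supervisor", "control"):
        for value, count in concentrations(results, attribute):
            flags.append(f"{attribute} '{value}' accounts for {count} of {total} failures")
    return flags
```

On the constructed records the failures are spread across two controls, so neither control alone reaches the concentration threshold, but every failure sits in one location under one supervisor; that is exactly the distinction DP-R1.3.08 and DP-R1.3.09 ask the reviewer to draw before proposing a response.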



DP-R1.3.11 Analyze the relative complexity of the control, as more complex controls
typically have a higher degree of potential failure.

DP-R1.3.12 Analyze the skills required to perform control and the availability of these
skills, as skills shortages will quickly affect these controls.

DP-R1.3.13 Analyze the degree of automation versus manual execution of the control
as manual controls are more prone to human error than automated controls, and
automated controls are more prone to voluminous and repeated error if there is a
systemic issue.

DP-R1.3.14 Analyze prior failures associated with controls.

DP-R1.3.15 Maintain records of all findings for follow-up actions and
improvement to the organization’s data privacy processes and practices.

DP-R1.3.16 Flag any trends, patterns, or anomalies that may require concerted
organization-wide actions (for example, systemic issues).

DP-R1.3.17 Review the effectiveness and relevance of the monitoring mechanisms
and metrics periodically.



DP-R2 Assurance
Provide assurance to management, the governing authority, and other
stakeholders that the DPMP is meeting the privacy objectives and design.

DP-R2.1 Plan Assurance Assessment

DP-R2.1.01 Determine the scope of review of data privacy capability.

DP-R2.1.02 Determine the level of assurance desired. This could be a
benchmark against international standards such as the data privacy maturity
model, applicable laws, or internal standards.

DP-R2.1.03 Based on schedule, cost, and objectives, determine whether to define
standards, procedures, and criteria or to use objective, independently issued standards
or agreed-upon procedures for review and if so, identify them.

DP-R2.1.04 Identify parties to perform an assessment that supports the assurance,
using either internal or external auditors with relevant professional and data privacy
certifications.

DP-R2.1.05 Where available and appropriate, plan to apply for and achieve an
external privacy seal or certification for the DPMP.

DP-R2.2 Perform Assurance Assessment

DP-R2.2.01 Review monitoring reports and changes to the data privacy capability
previously undertaken by management as part of the assurance process.

DP-R2.2.02 Select a sufficient sample of each operation of the DPMP to determine if it
is being managed by the mission, vision, values, and decision-making criteria of the
organization.

DP-R2.2.03 Analyze the evidence collected, and results of testing, and develop
conclusions on the design and operating effectiveness of the data privacy capability.

DP-R2.2.04 Prepare an assurance report and recommendations for management and
the governing authority. To enable the organization to improve the maturity of the
DPMP, the assurance report could include recommendations to:

● have the organization apply for a data privacy seal or certification; and/or

● have data privacy professionals and leaders apply for relevant professional
certifications.



DP-R3 Improvement
Review information from periodic evaluations, detective and responsive
actions and controls, and assurance, to identify opportunities for DPMP
improvements.

DP-R3.1 Develop Improvement Plan

DP-R3.1.01 Develop a portfolio of improvement initiatives relating to data privacy
capability. Such initiatives could include addressing root causes of data privacy
incidents or data breaches or closing the gaps to areas of weaknesses identified in an
audit. Examples include:

● newly identified threats/risks not assessed in terms of severity and impact, and not
included in risk registers;

● identified risks with planned actions not executed or implemented;

● identified risks with implemented actions, yet incident or breach occurred because
of ineffective controls;

● policies and procedures documented but not implemented;

● non-compliant practices; and

● outdated policies and procedures.

DP-R3.1.02 Communicate improvement plan to management.

DP-R3.1.03 Define any recommendations from the investigation outcome and
assurance reports that are not in the improvement plan and provide an
explanation(s).

DP-R3.1.04 Obtain authorization to execute improvement plan including approval of
budgets and resources.

DP-R3.2 Implement Improvement Initiatives

DP-R3.2.01 Adapt existing priorities and plans to accommodate additions to the data
privacy capability.



DP-R3.2.02 Enhance change management and program management capability as
needed for additional initiatives.

DP-R3.2.03 Engage resources for initiatives.

DP-R3.2.04 Manage initiatives pursuant to project plans.

DP-R3.2.05 Periodically, report on project and portfolio status.

DP-R3.2.06 Confirm completion and assess whether targeted improvements are
achieved.

DP-R3.2.07 Document changes to the DPMP, including changes, if any, to its
strategic plan, prioritized risk matrix, and the risk optimization plan.

