PRIVACY
CAPABILITY MODEL
beta release
10/2022
About OCEG
OCEG is a global, non-profit think tank and community founded in 2002. We invented
GRC. We inform, empower, and help advance more than 120,000 members on
governance, risk management, and compliance (GRC).
This license allows you to use the Model under the following terms:
● Share — Copy and redistribute the material in any medium or format
● Adapt — Remix, transform, and build upon the material
● Attribution — You must give appropriate credit, provide a link to the license,
and indicate if changes were made. You may do so in any reasonable manner, but
not in any way that suggests the licensor endorses you or your use.
● Non-Commercial — You may not use the material for commercial purposes.
● Share Alike — If you remix, transform, or build upon the material, you must
distribute your contributions under the same license as the original.
● No additional restrictions — You may not apply legal terms or technological
measures that legally restrict others from doing anything the license permits.
We understand that some organizations are not able to use open-source content and
code in their products and/or projects. As such, we also offer other licenses, including
commercial use licenses. Contact us at support@oceg.org.
OCEG developed this Integrated Data Privacy Capability Model (IDP-CM) with the
assistance of experts from the Data Protection Excellence Network and Straits
Interactive, an OCEG training partner that teaches courses based on the GRC Capability
Model. Having expertise in both GRC and data privacy, they took the role of principal
authors.
We also invited a group of experts in data privacy from a range of roles (academia,
business, former regulators), and from different countries, to participate on our review
committee. Their valuable comments have been addressed in this final version of the
Model.
Development of the IDP-CM was led by: Carole Switzer, OCEG Co-Founder &
President, and edited by Scott Mitchell, Founder and Chair, OCEG, and Kelly Ray,
GRC Solutions Strategist (retired).
Principal Authors:
● Kevin Shepherdson, GRCP, FIP, CIPP/E, CIPP/A, CIPT, CIPM, Certified DPO (Exin)
● Lyn Boxall, GRCP, GRCA, FIP, CIPP/E, CIPP/A, CIPM, Certified DPO (Exin), LLM
● William Hioe, GRCP, FIP, CIPP/E, CIPP/A, CIPT, CIPM, Certified DPO (Exin)
● Celine Chew, GRCP, FIP, CIPP/E, CIPP/A, CIPT, CIPM, Certified DPO (Exin)
Data Protection Excellence Network www.dpexnetwork.org
Learn
Align
Perform
Review
Components
Elements
Practices
DP-L: Learn
DP-L3 Culture
DP-P3 Communication
The terminology used in data privacy laws and regulations varies greatly from
jurisdiction to jurisdiction. The chart below indicates the terms that we use, and
equivalent terms applied in various jurisdictions.
The GRC Capability Model helps organizations produce value and protect value with
integrity – and Data Privacy is an important part of this mission.
Increasingly, countries around the world are establishing laws and regulations
governing how organizations collect, use, disclose, transfer, store, and dispose of or
destroy personal information (hereinafter “data management” or “management of
data”). These laws and regulations set boundaries so that organizations can protect
value (protect their customers, workforce, partners, and organization as a whole) while
producing value.
Different parts of an organization may manage data differently. Ensuring consistent and
compliant data management has become a significant challenge that presents a real risk
to the achievement of organizational objectives. Data management has also become ever
more costly as the volume of information increases and the requirements continue to
evolve with different standards that may not always be easily reconciled.
Some organizations fail to consider the lifecycle needed to fully govern, manage, and
provide assurance for data privacy requirements. They fail to appreciate the need to
fully integrate such efforts throughout the organization at all levels of operation. They
do not take a mature approach to monitoring the external and internal environments of
the organization to determine data privacy needs, nor do they establish reliable and
measurable control efforts. They have weak or non-existent metrics for measuring
outcomes of their data privacy capability and often fail to apply the necessary
technologies to support a fully realized capability.
The OCEG GRC Capability Model can be applied to a variety of topics and risk areas,
including data privacy. This publication provides an Integrated Data Privacy Capability
Model (hereinafter “the Model” or “IDP-CM”) that addresses the specific concerns of
data privacy.
The Model establishes standards from which an organization may customize its
approach to data privacy governance, management, and assurance.
The reader should note that the Model does not describe all data privacy requirements
imposed by law everywhere in the world; nor does it detail the data privacy
requirements of a particular legal system. Instead, it is jurisdiction neutral.
The Model sets out a framework for identifying and monitoring changes in potentially
relevant requirements, assessing their application to the activities of the organization,
and establishing an effective capability to address such requirements while taking into
consideration the impact on organizational objectives and outcomes.
The volume of data collected and maintained by businesses, governments, and other
organizations is growing exponentially. Losses due to cyberattacks and accidental data
releases continue to escalate. Personal information, such as customer financial or
identifying information, can be used to commit identity theft and financial crimes. Theft
of passwords and other access information also puts corporate and governmental data at
risk, and this can lead to ransomware attacks and security threats. Such losses greatly
reduce stakeholder and societal confidence in businesses and other organizations.
Overall, the protection of data is critical and has been made more challenging as the use
of advanced, connected technologies and “smart” products for everyday tasks has
expanded. It is no longer as simple as locking a filing cabinet or using a safe that holds
paper copies of private or sensitive information. Data is now compiled and analyzed in
privacy-intrusive technologies such as those using automated decision-making, artificial
intelligence (AI), algorithms, predictive analytics, and surveillance. The challenge today
is to establish both technology controls and strong policies and procedures for handling
data within these complex systems.
Globally, the ubiquity of these technologies, together with the growing volume of breach
notifications and media coverage of cyberattacks and data theft, has raised awareness among
the general population of the oblique ways in which data experts have used their personal
information. There has been a rise in social consciousness that peoples’ interactions with technology,
Data ethics are also under discussion. There is widespread debate about the use of facial
recognition in commercial settings and law enforcement, the use of predictive
technologies particularly in the context of law enforcement, the use of personal
information to target individuals with spam and propaganda, and the use of personal
information collected through the ‘Internet of Things’ (IoT). These discussions stem
from a realization that just because personal information can be collected and used does
not mean that it should be collected or used without consent. Ethical guidelines on data
use are evolving and regulations may soon follow.
The resulting regulatory fines may be large; but, in many cases, they are not as
significant as the losses to reputation, stock price, productivity, and customer revenues
(including the resulting loss of customer trust and, therefore, future business), all of which
force organizations to re-examine their business objectives and priorities on an ‘after the
fact’ basis.
Only then do they realize that regulatory risks threaten operations. This realization
prompts management to put in place the governance frameworks and measures needed to
minimize business disruption and ensure continued optimal performance. Until that point
there is no active governance of data privacy, only reactive mitigation and risk
management, which is less effective and usually costs more. In other words, governance
becomes an afterthought instead of the main strategic driver spearheading a holistic and
integrated approach to privacy risk management and compliance.
While the challenges of data privacy have come into view more clearly in recent years,
the problem of ineffective compliance and risk management has been around longer.
The lessons learned from prior challenges and failed approaches can be well applied in
this current context.
During the early 2000s, scandals rocked the global economy evaporating millions of
jobs and trillions of dollars of wealth. At the root of these scandals were siloed and
ineffective systems intended to address governance, risk, compliance, and ethics.
Strategic systems were separate from performance management systems, which were
separate from risk management systems, which were separate from compliance systems,
and so on. In addition, each type of risk was managed separately with inconsistent
methods and technologies, and often different geographic units and departments within
the business were also segregated. This siloed nature of business led to a lack of risk
visibility, failure to establish adequate controls, and absence of resiliency.
Unfortunately, this siloed approach was all too common, and the seeds of future
problems continued to grow in this deficient state. OCEG and its members sought to
create a future state that was more effective, more efficient, more agile, more resilient,
and better able to address modern challenges. This led to OCEG’s innovation of the
ideas behind Principled Performance and GRC.
The acronym GRC is a shorthand reference to the collection of critical capabilities that
must work together to achieve Principled Performance. GRC denotes governance, risk
management, and compliance, but it connotes much more than those three terms
simply put together into an acronym.
It is important to remember that organizations have been governed, and risk and
compliance have been managed, for a long time — G, R, and C individually are nothing
new. However, many have not approached these activities in a mature and integrated
way, nor have these capabilities supported each other to enhance the likelihood of
achieving objectives. That makes GRC, as we understand it today, totally revolutionary.
Integrating GRC capabilities does not mean creating a mega-department of GRC and
doing away with decentralized or programmatic approaches to risk and compliance
management. Nor does it necessarily call for the use of only one GRC technology system.
Rather, it is about establishing an approach that ensures the right people get the
appropriate and correct information at the right times, that the right objectives are
established, and that the right actions and controls necessary to address uncertainty and
act with integrity are put in place. When business activities are siloed with separate
information, it is likely that wrong or counter-productive objectives will be established,
sub-optimal strategies will be selected, and performance will not be optimized.
The relationship between Principled Performance and the management of data privacy
runs in both directions, with each supporting the other. Strong data management is an
essential aspect of Principled Performance for the organization, as it strives to reliably
achieve its objectives while addressing uncertainty and acting with integrity. At the same
time, the structures and processes put in place to drive Principled Performance overall
also support a principled and mature approach to the management of data privacy.
The quest for Principled Performance benefits from strong, integrated GRC capabilities
as organizations face a plethora of ever-changing compliance requirements across a
range of topics, compounded by growing related risks. Data privacy is one compliance
and risk domain that presents such challenges, perhaps even more than many others.
Countries are introducing and enforcing privacy laws at a rapid rate, typically reflecting
needs arising from the rapid development of information technology in today’s highly
digitalized world. Increasingly, smart but privacy-intrusive technologies drive unique
and differentiated employee, customer, and business partner “experiences” leveraging
data and contextually-sensitive meta-data. Organizations find they are grappling with a
plethora of different laws and requirements.
The General Data Protection Regulation (GDPR) began to apply in the European Union
(EU) in May 2018. The California Consumer Privacy Act (CCPA), enacted in 2018, took
effect in January 2020; several other U.S. states have implemented either general or
sector-specific and/or technology-specific privacy laws or are in the process of doing so,
leading to increasing discussion about a US privacy law at the Federal level. The Brazilian
General Data Protection Law (LGPD) came into force in September 2020 (some aspects of
enforcement were delayed until August 2021), the Personal Information Protection Law
came into effect in China on 1 November 2021, and, at the time of writing, a data
protection bill was still under consideration in India. The countries that are members of
In a typical privacy law, personal information is defined as any information that can
identify the individual to whom it relates, either directly or indirectly. Because loss of
personal information may affect the well-being and privacy of individuals, there are
regulatory rules governing when information may be processed and, if so, how it may be
processed.
The US and many other jurisdictions treat sensitive personal information differently
from non-sensitive personal information. This is because the potential harm to the well-
being and privacy of individuals is greater when sensitive personal information is being
processed. For example, there may be a higher risk of identity theft or of the personal
information being used to discriminate against individuals. So, there are rules that
either require a higher level of security, restrict the processing of sensitive personal
information to specific circumstances, or put other safeguards into place.
The laws and regulations governing how personal information is processed establish
when organizations may legally process it. These rules are referred to, explicitly in some
laws and implicitly in others, as lawful bases for processing personal information. They
also spell out the principles that organizations must follow when they process personal
information, so as to protect the interests, including the privacy interests, of individuals.
Organizations are not legally permitted to process personal information whenever it
happens to be convenient for them to do so, for whatever purpose and in whatever way
suits their commercial ends. They must consider the potential impact of processing such
information on the well-being of individuals, including the impact on their privacy.
For example, personal information relating to health, financial matters, or children may
be processed by organizations in the U.S. only by strict rules set out in Federal and
sometimes State legislation designed to protect the rights of individuals, including their
constitutional rights. Implicitly, there must be a lawful basis for processing such
personal information that is within the scope of specific laws.
Many organizations respond to the increasing legal requirements for data privacy by
seeing them simply as regulatory requirements and assigning responsibility for them to
specialized teams that are part of their legal or compliance functions. They treat the
requirements as something to be addressed solely by legal contracts that are
documented and audited as part of their internal audit function. In other words, the
approach to complying with the law is through ticking off a compliance checklist
passively, rather than taking a proactive Principled Performance approach towards
dealing with legal requirements for privacy compliance.
Despite the obvious need for a fully integrated approach to proactive data management,
many organizations, especially those in non-regulated sectors, continue to take a
reactive stance – they will comply with the relevant laws only if they are forced by
The more that employees responsible for business operations do not take responsibility
for compliance with privacy laws and the more siloed the risk and compliance activities
are from business operations, the less likely it is that the organization will be able to
comply effectively with privacy requirements. This, in turn, impacts business
performance and creates disruptions: decision-makers need to deal with complaints,
incidents, data breaches, and investigations from regulators while, often, dealing
simultaneously with inquiries from the mainstream media and the results of speculative
or critical comments in social media.
A key concept associated with data privacy is the Integrated Data Privacy Lifecycle
which includes the stages of Collect & Gather, Use & Process, Disclose &
Transfer, and Store & Dispose. Each of these continuously operates, with new data
regularly coming in and leaving at each stage. References to the Integrated Data Privacy
Lifecycle (“the IDP Lifecycle” or sometimes the “C-U-D-S Lifecycle”, which is a useful
mnemonic based on the initial letters in the names of each stage) are made throughout
the Model.
Effective data privacy management is an essential aspect of a GRC capability that drives
the attainment of Principled Performance. The OCEG GRC Capability Model (also called
the “Red Book”) describes core governance, risk management, and compliance
capabilities and processes that must be developed and implemented to ensure the
Principled Performance outcome.
The Red Book defines Elements and Practices for successful GRC capability in four
overarching Components. The Integrated Data Privacy Capability Model tailors each of
these for data privacy and the development of a Data Privacy Management Program.
Learn
This Red Book Component highlights the importance of examining and analyzing the
external and internal context, company culture, and stakeholder needs as they change
over time. It requires organizations to monitor and align their mission, vision, values,
philosophy, and strategies with all stakeholders’ needs and changing conditions.
From an external context perspective, beyond the obvious need for tracking new
and proposed privacy laws and regulations, organizations must take three main drivers
of privacy into consideration:
These three drivers particularly shape the regulatory, market, societal, and political
forces that define the external context perspective for organizations seeking Principled
Performance in Data Privacy Management.
There also are three distinct factors in play in the external context:
These factors give rise to a need for organizations to examine current and future
developments in data privacy laws, regulations, and standards – as well as community
expectations. Organizations also need to consider the interplay between these forces.
For example, in the two-year “sunrise” period between the GDPR’s adoption in April 2016
and the start of its application on 25 May 2018, organizations based in the US that marketed
their goods and services to individuals in the EU had to consider how they would align their
internal data privacy policies and operations to comply with the GDPR. In some cases, this
resulted in organizational restructuring with EU operations transferred to newly
established entities in the EU; in others, it resulted in changes in operating models that
took the applicable GDPR requirements into account. Meanwhile, organizations in the
EU that had been complying with national privacy laws implementing the 1995 EU Data
Protection Directive (which was repealed when the GDPR took effect) were required to
align their internal data privacy policies to the GDPR’s stricter and more prescriptive
processing requirements.
Mere legal compliance – as evidenced only by “paper policies” and contracts – is not
enough, however, for Principled Performance. In addition, privacy requirements must
shape an organization’s governance culture and, through standard operating
procedures, ensure that the organization operates its business consistently with those
privacy requirements.
Organizations must recognize the rights, and meet the expectations, of all
stakeholders, but particularly customers and employees whose data they manage. In
an increasingly competitive world, where stakeholders have many options open to them,
gaining and retaining stakeholder trust is essential, not optional, for success.
Stakeholders are tired of “oops, sorry we made a mistake, but it wasn’t our fault” when
it comes to the treatment of their personal information.
To summarize, the data privacy management capability will fail if it is not able to quickly
learn and appropriately respond to changes in the external and the internal context to
ensure compliance, satisfy cultural imperatives, and meet stakeholder expectations.
Align
This Red Book Component addresses the need for alignment between performance
goals, legal requirements, contractual requirements, risks, and controls that may affect
the outcome of the objectives of the organization.
Data privacy management must consider the strategic direction and objectives of the
organization overall in determining data management needs and policies. The design of
Where compliance, legal, and risk management functions are siloed, efforts to comply
with legal requirements of data privacy laws are often seen by senior management and
business unit leaders as roadblocks or distractions from focusing on business objectives.
Compliance and legal functions, acting within their silos, often frame the failure to
comply with mandatory legal requirements solely in terms of regulatory consequences,
such as financial penalties and other regulatory sanctions.
Some would argue, inappropriately, that it is not within their remit to highlight the
undesirable effects of compliance failures on objectives and business performance. The
same misalignment can affect the enterprise risk management function, whose risk
management plans may fail to identify the data privacy risks that could lead to
unauthorized processing or leakage of personal information.
The Red Book defines Risk Management as the act of managing processes and
resources to address risk (based on its impact and likelihood) while pursuing reward.
It is important to note that privacy laws, such as the GDPR, and the expectations and
approaches of regulators have evolved to embrace a risk-based approach to privacy
management. Organizations are obliged to identify and assess the privacy risks resulting
from processing personal information and to do so throughout every stage of the
information lifecycle of all relevant business activities. Based on the likelihood and
severity of these identified risks, they are obliged to implement appropriate technical
and organizational measures to manage them.
Perform
This Red Book Component outlines the core actions and controls that are needed to
proactively encourage conduct that supports objectives; prevent conduct that challenges
the desired outcomes; and to detect and appropriately respond to undesired conduct
when it happens.
In the context of privacy laws, actions and controls consist of appropriate technical,
administrative, and physical measures:
Management and supervisory personnel should be trained to handle and record such
notifications, which may be in the form of a complaint or dispute involving personal
information. For example, a human resources manager must be trained to know that
they should not escalate issues brought up by employees without first knowing whether
the complainant wants to reveal their identity in the ensuing investigation. They must
also be trained to know about any requirements under applicable whistleblowing laws.
There are strong restrictions in certain countries on how whistleblowing may be done:
rules about the anonymity of the whistleblower (where permitted or required); and rules
about the impacts on those who may be the subject(s) of the whistleblowing. These must
be considered as part of achieving Principled Performance.
Inquiry is where the organization periodically analyzes data and seeks input about
progress towards objectives. In this element, the organization should also take note of
stakeholder sentiments towards how the organization respects and treats personal
information. In the context of privacy management, organizations need to ensure that
stakeholders (including both customers and employees) feel that they can trust how the
organization handles personal information. An unhappy stakeholder is the weakest link
when it comes to privacy management.
Good customer service is essential to data management and ensuring the well-being of
customers. Good employee relationship management is also essential to good customer
Incentives should also be put in place to recognize and encourage efforts that respect
the privacy of individuals, both customers and employees, as well as the proper
treatment of their personal information.
Such responses also lead to experience within the organization that feeds into the
Review component of the Integrated Data Privacy Capability Model.
As in other areas of risk management, the range of actions and controls performed in
data privacy management are proactive, detective, and corrective. Failure to
develop and implement such measures inevitably will lead to failures to comply with
privacy laws and consequent regulatory action being taken against the organization.
Typically, when they investigate an organization, privacy regulators expect and require
the organization to demonstrate accountability – that is, to provide evidence that the
organization has identified the relevant mandatory requirements and taken action to
comply with them from both a legal and an operational perspective. Regulators require
evidence of actions and controls being implemented and documented. This includes
providing to the regulator privacy-related policies and standard operating procedures
approved by management, training records, other documents such as records of
Review
This Red Book Component describes methods for establishing and layering various
types of monitoring actions and controls to ensure the performance of the established
GRC capability, making changes to improve them when needed, and providing
assurance of both design and operating effectiveness to management, governing
authorities, and stakeholders.
Organizations should also conduct regular audits to uncover any gaps or exposures in
the way they process personal information, especially following a data privacy breach or
any other incident, such as a customer complaint, that may indicate a failure to comply
with relevant data privacy laws and regulations.
One myth is that the CPO/DPO or another senior officer (such as a compliance officer)
will be held responsible for data privacy failures. More typically, the regulator will
investigate and expect the relevant business unit head to be accountable on behalf of the
overall organization. The regulator might consider the advice and guidance of the
CPO/DPO or another senior officer to the relevant business unit and liaise closely with
them and their team during the investigation. However, it is not the role of the
For example, if there is a data breach in IT systems, the regulator will hold the IT head
accountable on behalf of the organization. If the consent/lawful basis principle has been
breached in a marketing process, the regulator will hold the head of marketing
responsible on behalf of the organization. From the regulator's perspective, it is the lack
of - or failure to implement - proper policies and standard operating procedures and
inadequate staff training that caused the data breach or consent failure.
The relevant business unit being held accountable on behalf of the organization by the
regulator is consistent with the three lines of defense set out in the OCEG Red Book -
that is, the three lines of defense apply to data privacy management in the same way as
they apply for other subject matter areas:
The three lines of defense model and the expectations of regulators are in alignment:
business unit managers are expected to take responsibility for ensuring compliance
and meeting performance objectives. All business unit leaders should be accountable for
complying with data privacy principles, actions, and controls in all their business activities
and processes. Even where they delegate a data processing task to a third party outside
the organization, data privacy laws and regulators continue to hold the organization
accountable: the task can be delegated, but not the responsibility.
In the absence of a satisfactory defense (including adequate due diligence and clear
contractual allocation of responsibilities), regulators will always hold the organization
Principles of Integrated Data Privacy are derived from the many directives, resolutions,
laws, and regulations regarding data privacy that have developed over time. From an
international perspective, the OECD Guidelines of 1980 set out what may well be the first
internationally agreed data privacy principles, beginning with collection limitation:
personal information should be obtained by lawful and fair means and, where appropriate,
with the knowledge or consent of the individual concerned. In 1995, the European Data
Protection Directive introduced criteria for lawful or legitimate processing, and in 2009
the Madrid Resolution proposed a set of universal data privacy principles. Other
discussions of data privacy principles have followed with the establishment of the GDPR
and the ISO/IEC 29100 privacy framework for the protection of personal information
within information and communication technology (ICT) systems.
Taken together, these and other established data privacy principles, sit at the core of the
Integrated Data Privacy Capability Model. While data privacy principles are defined,
named, and described differently in the many official and unofficial publications that
establish them, overall they can be consolidated into eight overarching categories that
should be applied to the Integrated Data Privacy lifecycle.
Principle 1: Accountability
Demonstrate compliance with the data privacy laws of the countries where the business
operates by documenting actions to:
o appoint a governing body such as a data privacy steering committee and a top
management executive such as a data protection officer;
o develop, enforce, monitor, audit, and update data privacy policies and
procedures; and
o establish processes for notification of data breaches to privacy regulators as
required, and for response to data subjects’ requests regarding personal
information.
Principle 3: Transparency
Ensure that each data subject understands exactly why and what is being collected,
used, disclosed, and stored (e.g., through privacy notices, consent clauses, terms and
conditions, etc.) at the time of collection (whether directly or indirectly) as well as what
his or her rights over the data are.
Principle 4: Limitation
Ensure that appropriate limits are set for collection, use, disclosure, and storage, with
processing only as necessary for, and proportionate to the needs of, a specific, lawful
purpose and provision for disposal/destruction once the business or legal purposes for
processing the personal information have been fulfilled.
Principle 5: Minimization
Ensure that only the minimum amount of personal information that is strictly necessary
for the specified purposes is collected, used, disclosed, and stored, and that it is only
accessed by the minimally necessary number of roles/individuals.
Principle 6: Quality
Ensure that reasonable steps are taken to validate that personal information is accurate,
complete and kept up-to-date to the extent necessary for the purposes for which it is
processed, especially if the data is used to make decisions that will likely impact the
individuals concerned.
Principle 7: Security
Ensure that data is collected, used, disclosed, and stored in a manner that is secure both
at rest and in transit with reasonable security safeguards against such risks as loss or
unauthorized access, destruction, use, modification, or disclosure.
Data privacy laws will generally contain these principles to govern the life-cycle of
personal information. The Principles can be used to guide the organization when
processing personal information throughout the C-U-D-S Lifecycle.
Each of the principles should first be implemented at the start of the data life-cycle. As
an example, at the collect/gather stage, particular emphasis should be placed on the
consent/lawful basis principle and the transparency principle because a failure in
relation to either or both of these principles will ‘poison’ subsequent processing of the
personal information.
The limitation principle requires limits to be placed when collecting, using, disclosing
and storing data based on the intended purposes of processing (whatever you intend to
do to the data). Similarly, data should be minimised at each of these stages while
ensuring data quality.
Next, the security principle is not only applicable to the store/dispose stage, but the
entire life-cycle where data needs to be protected and secured.
Finally, the safe disclosure / transfer principles should be applied where personal
information is disclosed to a third party (which includes disclosure to any entities within
the same corporate group) or when personal information is transferred to a third party
in another jurisdiction (which includes transfer to any entities within the same
corporate group).
The Model does not include details of all data privacy and protection requirements
imposed by law; nor does it detail the data privacy requirements of any particular legal
system. Instead, it is jurisdiction neutral and presents a framework for thinking through
and establishing needed policies, procedures, and controls, onto which the specific
requirements of law and the relevant legal system are readily grafted.
MODEL STRUCTURE
Components
Components provide an iterative continuous improvement structure for
data privacy. While there is an implied sequence, Components operate concurrently,
interactively, and symbiotically. Each Component has a description, a brief discussion of
key points, and defined Elements.
DP-L: LEARN
An organization must understand and analyze the external context, the internal context,
culture, and stakeholders to determine the way data privacy must be addressed in
aspects of the organization that involve processing personal information – that is, the
“what” of data privacy.
DP-P: PERFORM
An organization must manage identified risks and compliance requirements through a
sound and effective data privacy management program that covers data privacy-related
policies and procedures as well as relevant actions and controls, including
administrative, technical, and physical measures, at all levels within the organization.
Compliance with data privacy requirements must be enforced throughout the
organization when established policies and controls have been communicated to and
implemented by relevant internal stakeholders. Then, the organization must respond
according to applicable data privacy laws and regulations, both to individuals’ requests
to exercise their rights over their data and in the event of a data or privacy breach.
DP-R: REVIEW
An organization must periodically monitor and provide assurance that the data privacy
management program is effectively designed and implemented and continuously
improve the DPMP through timely, prioritized, and well-managed change initiatives.
Each Element includes a discussion of key actions and controls, which are further
detailed in the Practices. Each Element (identified by the starting letter of the
Component it sits within followed by a number) expands on that Component to describe
the key aspects of high-performing integrated data privacy management programs.
● to frame the discussion with governing bodies and executive leadership about
how data privacy supports the achievement of objectives,
Practices
Practices describe key actions within each Element that, taken together, are
hallmarks of effective data privacy capabilities.
High-Level Practices are identified in the Elements. Related sub-practices are in the
Detailed Practices section at the end of this document.
Practices may be customized and scaled for use by any organization on an entity-wide,
unit, or project level.
The Practices describe the sound operating procedures and policies that should be
considered for adoption by each business unit in the organization that processes
personal information, and thus by the organization overall, to comply with applicable
data privacy law.
Applicable data privacy laws and/or other external mandates set out the outcomes that
organizations are expected or required to achieve as regards data privacy. They are not
specific regarding how each organization must achieve them.
Accordingly, an organization must choose the Practices that apply in the context of the
organization’s business operations, adopting and adapting the Practices to the extent
considered necessary or desirable by that organization. As a result, not all organizations
will adopt all of the Practices or adopt any particular Practice in the same way as does
another organization.
The goal for all organizations is to operationalize the organization’s compliance – that is,
to build the policies and standard operating procedures that help the organization
address the applicable data privacy laws and/or other external mandates as well as
organizational mandates in a defined, repeatable, and documented fashion.
Throughout the Model, there are numerous references to “actions and controls”. As in
the GRC Capability Model, an organization should consider three types and three
perspectives when setting policies and standard operating procedures to achieve
compliance with applicable data privacy law.
There are three types of actions and controls, and organizations must utilize a mix of
these actions and controls that are appropriate for them:
There are also three perspectives for actions and controls, and organizations should
consider which are appropriate for any given situation:
As the Model is applied, the practices and their specific actions and controls will operate
within and between each of the CUDS stages of the IDP Lifecycle, as represented in this
operational view:
When examining the external context, identify and monitor all relevant data privacy
requirements in the jurisdictions that apply to the organization. In addition to generally
applicable privacy law, an organization may also be required to comply with sectoral
laws, industry guidelines, codes of conduct, and other standards. These apply to an
organization in specific circumstances or a specific industry sector or in relation to
specific types of personal information (for example, the Children’s Online Privacy
Protection Act (COPPA) and/or the Health Insurance Portability and Accountability Act
(HIPAA)). A state or provincial privacy law also may apply.
When examining the internal context, consider that each organization has its own
mission, vision and values that guide voluntary choices which are also important
boundaries to consider when establishing a data privacy capability. Determine what
personal information (including sensitive personal information) is being processed by
the organization and the extent of processing in the internal context considering the
business model, culture, and stakeholders of the organization. Also identify how, if at
all, data privacy currently is being managed in the organization and how organizational
culture and stakeholder requirements affect data privacy practices.
Exact aspects of what must be learned and monitored on an ongoing basis will differ
depending on scope (entity-wide, departmental, project, etc.), scale, and style of
organization. In every case, however, it is important to consider that context changes
may give rise to a need for reconsideration of objectives, strategies, risk assessments, or
defined actions and controls. Take all necessary steps to:
o Key processes and resources: Identify all business activities that involve
the organization processing personal information from an information
lifecycle perspective.
● Identify the interrelationships between and among elements of the structure, people,
processes, technology, information, and physical assets to understand how they are
used together to accomplish objectives through the IDP Lifecycle.
o Notify individuals responsible for data privacy risk analysis and optimization
activities to augment or revise any prioritized risk matrix and risk
optimization plan as needed.
Data privacy objectives must align to the overall organizational objectives and strategies
and the context, culture, and demands of stakeholders for data privacy. The data privacy
steering committee should set data privacy objectives, develop clear decision-making
criteria, and provide continuing oversight.
Proactively identify and assess impacts of all privacy-related threats throughout the
business environment including processing of personal information from customers and
vendors, recruitment and human resource management activities, face-to-face
interactions with individuals, biometric, geospatial, telephonic, and online activities,
social media presence, operations, and analytics. Design actions and controls to manage
the identified privacy risks. Rank threats in terms of risk severity, impact, and
likelihood.
Establish a personal information inventory and process data flow maps, each addressing
the categories of privacy threats and levels of risks arising from the organization’s
processing of personal information. Map these to the organizational objectives they may
affect, the controls to address them, and the roles responsible for overseeing them.
Define a balanced set of measurable objectives for the DPMP that support
organizational objectives and ensure compliance with requirements
regarding the IDP Lifecycle.
.2 Analyze Threats/Risk
● Use the history of the organization and peers (based on industry, geography, business
activities, and workforce scale and footprint) to analyze vulnerabilities affecting data
privacy.
● Assess the acceptability of residual personal information risks (including risks
related to sensitive personal information) having regard to the organization’s
personal information inventory and its data flow maps.
● Consider the suitability of existing controls for personal information requiring
special protection.
● Assess residual privacy risks related to business process risks (including multiple
engagement channels/tools, disclosures/transfers to outsourced processors and
other third parties), paying particular attention to the potential for cascading risk.
● Assess project or product risks by conducting detailed data privacy impact
assessments and examining the results to determine that the projects or products
should remain in the portfolio when considering the cost/benefit of controls needed
to manage privacy risks.
Develop strategic and tactical initiatives to address data privacy threats and
related risks, and to ensure compliance with requirements.
Manage all of the organization’s identified risks and compliance requirements through a
sound and effective Data Privacy Management Program that has data privacy-related
policies, procedures, actions, and controls at all levels within the organization. Establish
policies, processes, and controls to manage each phase of the IDP Lifecycle for all
business activities across the organization that involve processing personal information,
according to the various applicable privacy principles.
.2 Determine Controls
● Define proactive actions and controls for data privacy risks, including those in the
following categories, depending on applicable data privacy laws:
o Regulatory requirements regarding approvals, authorizations, pre-submission
reviews, quality reviews
o Process controls
o Administrative controls
o Technological controls
o Physical controls
o Data subject’s consent or other lawful basis requirements
o Privacy notice requirements
o Contractual arrangements
o Out-of-country/jurisdiction transfer controls
● For each control define:
o Who will “own” and perform the control
o When and how often it will be performed
o Who will have override or modification authority
o Requirements for modification or override
.1 Determine Policies
.3 Champion Policies
● Ensure management shows support for policies and SOPs in word and action.
.4 Implement Education
● Integrate data privacy training into existing job training when possible.
● Use appropriate technology to deliver and to measure understanding.
● Maintain records of delivery and understanding.
.1 Capture notifications
● Establish multiple pathways with anonymous options for external and internal
stakeholders to access their personal information, provide feedback regarding
their satisfaction or non-satisfaction with the data privacy practices of the
organization, and to report any identified or suspected violations or failures to
comply with established procedures or incidents.
● Provide multiple pathways for requests by individuals, according to applicable
data privacy laws and regulations, to exercise their rights over their data
(including rejections) and establish procedures to ensure an appropriate response
to such requests, including by:
o having procedures to channel the notification, feedback, or request to the
relevant organizational department(s) to handle, and to escalate the
notification, feedback, or request up the organizational hierarchy where
required; and
o maintaining records of all notifications, feedback, rejections, and requests
for follow-up actions and for use to determine any needed improvement to
the organization’s data privacy processes and practices.
● Establish methods and tools for analyzing the effectiveness of the multiple
pathways in achieving objectives.
Periodically analyze data and seek input about progress toward objectives
related to data privacy and the existence of undesirable conduct,
conditions, and events pertaining to data privacy.
As changes arise in the internal and external context and a record of data privacy events
requiring response is built, the design of the DPMP may no longer be the best to meet its
established objectives, or it may conflict with what is necessary to protect the objectives
of the organization overall. Even if the design remains appropriate, identified
weaknesses in operational effectiveness may form the basis for changes. The Data
Privacy Steering Committee may need to revisit and revise objectives and strategies, or
the DPO and DPMP managers may need to apply decision-making criteria and revise
the defined actions and controls.
● Establish the mechanisms to be used for monitoring (e.g., via dashboards, system
logs, customer complaints; and records of staff violations of internal rules, data
breaches, and failures to meet stakeholder expectations).
● Determine the scope of review and the level of assurance desired (ranging from a
formal benchmark against applicable laws to a management-run self-assessment or
gap analysis).
● Engage the appropriate internal or external auditor (with relevant professional and
data privacy certifications) to assess the data privacy management program and
associated processes.
● Where available and appropriate, plan to apply for and achieve an external privacy
seal or certification.
● Determine the resources required to execute the action plan (e.g., manpower,
budget, external expertise).
● Submit recommendations to the Steering Committee or senior management for
approval and either document any reasons for lack of approval and/or a
remedial timetable, or obtain approval to proceed with remediation actions.
DP-L1.1.01 From the business perspective, understand the three main drivers of the
evolution of data privacy laws and regulations and practices around the world and the
extent to which they may change the DPMP:
DP-L1.1.02 From the regulatory perspective, determine which data privacy legislation
applies to the organization and, at a high level, what is required for the DPMP. There is
no “one size fits all”, but at a minimum, and in no particular order, these actions
should be carried out concurrently, not consecutively:
Determine, at a high level, what data privacy law, if any, in the organization’s
headquarters jurisdiction requires for the DPMP.
Determine, at a high level, what data privacy law, if any, in each jurisdiction of the
organization’s affiliate/group companies requires for the DPMP.
Determine, at a high level, for each jurisdiction where the organization markets
goods or services, where profiled individuals are located, and where its data
processing or storage capabilities are located, what the data privacy law (including
any extra-territorial provisions) requires for the DPMP.
DP-L1.1.04 Identify external forces that can affect the organization's DPMP, drive
changes to the IDP Lifecycle, and alter ethical expectations including:
Geopolitical forces:
customers, the community at large, and the media – for example, the extent to
which earning and retaining their trust through the DPMP is relevant and/or
important to the organization;
suppliers/partners – for example, the extent to which their data privacy capability
in compliance with data privacy laws qualifies them to be suppliers/partners of the
organization;
regulators; and
government.
DP-L1.2.01 Assemble and review available information about each key stakeholder
category and, where applicable, their organizations, including in connection with the
IDP Lifecycle:
DP-L1.2.03 Identify opportunities where the organization can affect stakeholder and
influencer perceptions and requirements with regards to the data privacy capability.
For example, hold education and awareness sessions and position the organization as
an industry leader.
DP-L1.3.01 Monitor stakeholder groups for changes in views and key individuals with
regards to the DPMP.
DP-L1.3.04 Monitor regulatory agencies for changes in emphasis and focus related
to data privacy risk and compliance issues.
DP-L1.3.06 Monitor changes in customary practices in the industry and cultural
differences in the locations in which the organization/group operates that may have
an impact on the IDP Lifecycle.
DP-L1.3.07 Notify individuals responsible for relevant data privacy risk optimization
activities about context changes, including those that require immediate consideration
and those that are emerging as potential “over the horizon” developments.
DP-L1.3.08 Notify individuals responsible for data privacy risk analysis and
optimization activities to augment or revise the prioritized risk matrix and risk
optimization plan to reflect, as appropriate:
DP-L1.3.09 Monitor the enforcement activities of data privacy regulatory agencies and
consider how these enforcement actions may impact the organization:
DP-L1.2.01 Determine whether the organization seeks to comply with applicable data
privacy law in each applicable jurisdiction by:
determining which applicable data privacy law has the strictest requirements and
applying that law across all of the organization’s group companies/activities so that
organization/group-wide policies and standard operating procedures can apply; or
another approach (which might be a mix of the above two approaches) that best fits
the organization’s group-wide activities.
DP-L2.1.02 Determine what aspects of the internal context can, and should be,
changed to enable the departments in the organization (or the organization’s group
companies) to better support organizational objectives through the IDP Lifecycle.
DP-L2.1.03 Identify and outline the internal organizational structure, key business
processes, and their relationship to each other for the appropriate IDP Lifecycle.
DP-L2.1.04 Identify and outline key assets in human capital, technology, physical
materials/locations, and information necessary for the DPMP, including the IDP
Lifecycle.
DP-L2.1.05 Identify and outline key products and services that need to take into
consideration data privacy requirements in their design and development, such as data
privacy by design and data privacy by default.
DP-L2.2.04 Monitor changes in data privacy technologies and how they can be
harnessed to enhance and strengthen the protection and safeguarding of personal
information and information assets.
DP-L2.2.05 Notify individuals responsible for relevant data privacy risk optimization
activities about context changes, including those that require immediate consideration.
DP-L2.2.06 Ensure that individuals responsible for data privacy risk analysis and
optimization activities augment or revise any prioritized risk matrix and risk
optimization plan to reflect, as appropriate:
DP-L3.1.01 Brief the Board about the organization’s plans for data privacy
and find out the Board’s views on data privacy and its impact on
organizational objectives, including whether the Board supports such plans
(if not, why not) and:
how plans might be amended to gain or strengthen Board support and what
additional communication might align the Board and management on the DPMP;
and
what more does the Board want to be done, how often does the Board want to be
updated, what degree of oversight does the Board seek, and how would the Board
like its support to be communicated to all staff of the organization.
DP-L3.1.02 Poll staff on their attitudes about the organization developing and
implementing a data privacy compliance culture and their role in it. Take that
feedback into account to devise plans to address staff concerns and educate staff
generally on why the organization is embarking on a data privacy capability
initiative: that is, to communicate the “tone at the top”.
ensures internal stakeholders are properly trained about and makes ethical
processing of personal information and integrity a priority;
talks about how ethics and integrity relate to organizational objectives, initiatives,
and success in connection with processing personal information; and
whether there is a clear avenue for staff to report data privacy risks and to arrange
for the risk to be managed.
DP-L3.3.02 Evaluate the current data privacy risk culture (for example, risk-averse or
risk-taking) for each aspect of the IDP Lifecycle.
perceptions about stated values and principles concerning the IDP Lifecycle and
organizational support for them;
the importance of asking questions and raising data privacy issues when concerns
arise;
how to report data privacy incidents and data breaches and to ask questions;
assurance that data privacy incidents and data breaches will receive a timely
response;
assurance that reporting data privacy incidents and data breaches will not result in
any retaliation;
DP-L3.5.02 Periodically, ask a sample of the workforce about their satisfaction with the
organization’s data privacy policies and standard operating procedures.
DP-L3.5.04 Periodically, ask a sample of the workforce and management about their
perceptions of senior management’s commitment to the competence of employees in
being able to effectively execute the organization’s data privacy policies and standard
operating procedures.
DP-L3.6.01 Monitor changes in culture within the organization including any significant
variance of DPMP culture metrics in business units, departments, jobs, or locations.
DP-L3.6.02 Monitor changes in the risk appetite, preferences, and general business
outlook of steering committee members and the impact they may have on the DPMP
(for example, whether an individual is pressured by competing objectives—such as
meeting their revenue targets versus their role on the committee—and whether
competitor behavior or competitive pressures are influencing their decisions as
committee members).
DP-L4.1.01 Identify internal stakeholders and business unit leaders with defined
business performance objectives impacted by data privacy (e.g., heads of external
customer-facing business units/functions processing personal information; legal,
compliance, and risk management; and human resources, learning and development,
marketing communications) including those which process personal information.
DP-L4.2.01 Assemble and review available information about each key stakeholder
organization including:
DP-A1 Direction
Provide oversight and structure for managing data privacy by establishing a
data privacy steering committee, authorizing a Data Privacy Management
Program (DPMP), and appointing a chief data privacy executive.
DP-A1.1.01 Empower the committee to support and guide the data privacy
management program (DPMP), ensure alignment of objectives, define acceptable
levels of residual risk related to personal information processing, and provide decision
criteria including views of risk tolerance, avoidance, and mitigation options.
DP-A1.1.02 Form a steering committee at the ‘headquarters’ level, in the case of a group
of companies, and establish a reporting hierarchy for the steering committee of each
group entity to the ‘headquarters’ committee.
DP-A1.2.01 Define the steering committee goals and create a formal statement to
support those goals by publishing the committee’s expectations regarding the
workforce in connection with the IDP Lifecycle.
DP-A1.2.02 Align the goals of the steering committee with the mission, vision, and
values of the organization.
DP-A1.2.03 Obtain commitment to the goals of the steering committee from senior
management and the Board.
DP-A1.3.02 Assign responsibility to support the steering committee for data privacy
formally to the CPO/DPO and enable the officer by providing subject matter expertise
and project management support.
DP-A2.1.01 Identify:
when, how, and where the personal information flows through the organization.
DP-A2.1.02 Evaluate:
the purposes for which the organization uses or discloses both non-sensitive and
sensitive personal information;
DP-A2.2.01 Determine what data privacy laws apply to the organization in light of its
geographic locations and business activities, together with relevant industry and
sectoral specific requirements.
DP-A2.2.03 Determine what data privacy principles and obligations are applicable in the
IDP Lifecycle, including accountability principles to demonstrate accountability and
operational compliance.
DP-A2.3.01 Define the scope of a DPMP for the organization to prepare it to comply
with relevant data privacy laws, and industry and sectoral requirements.
DP-A2.3.02 Determine the target maturity of the DPMP, including obtaining any data
privacy seal or certifications.
DP-A2.3.04 Determine what resources (including both budget and headcount) are
required to develop and implement a DPMP across the organization, define the extent
to which the support of external consultants or other subject matter experts will be
required, and ensure that all needed resources are available.
DP-A2.3.05 Define career models for each specific role in the DPMP, including
professional credentialling targets.
DP-A2.3.07 Cascade data privacy objectives down to the individual team level.
DP-A2.3.08 Assign accountability for achieving DPMP objectives at every level of the
organization.
DP-A3.1.01 Require each business unit in the context of its business operations
(because each business unit best understands its information requirements and
processes) to create an inventory of:
all collection points at which the organization collects personal information, such
as:
DP-A3.2.01 Using the information in the data inventory, map the flow of personal
information as it moves through the organization—including between business units
within the organization—when it is disclosed by the organization to third parties (both
domestically and internationally), and where it is stored by the organization.
DP-A3.2.03 Verify if all the respective business units’ processing purposes have
a relevant lawful basis or justification for processing the personal information.
DP-A3.3.02 Identify internal forces that may give rise to privacy threats by examining
the data inventory and the flows of personal information:
to assess current compliance with data privacy principles at each stage of the IDP
Lifecycle: that is, the collect, use, disclose, and store (CUDS) stages.
personal information that is defined as sensitive in applicable data privacy laws; for
example:
personal information that affects the data subject's most intimate sphere;
DP-A3.3.04 Assess compliance-related risks – that is, the risk of not complying
with data privacy and regulatory requirements, considering matters such as:
rights of individuals;
DP-A3.3.05 Assess business process risks and identify areas relating to third-party
service providers, such as:
any joint processing of personal information by both the organization and another
organization as data controllers;
personal information may not be retained when the purpose for which it was
collected has been completed unless there is a legal requirement to retain it;
personal information may not be retained indefinitely: that is, it may not be
retained without a period being determined and documented (with the
documentation including both the period of retention and the reason(s) for
choosing that period);
personal information may not be retained “just in case” it is needed in the future or
may be useful for some undefined future purpose.
DP-A3.3.07 Identify how new or changing products and services (including changing
channels of delivery, the format of customer interaction like biometrics and geolocation,
and intended and unintended customers—geriatric, disabled, and children) alter IDP
Lifecycle processes and data privacy risks.
DP-A4.1.01 Identify internal resources with which to collaborate during the Assess
phase of data privacy compliance and/or during subsequent phases, such as:
DP-A4.1.03 Reconcile variances across the rating schema to permit a comparison for
heat mapping and prioritization purposes across the data privacy capability,
aligning the initiative portfolio management approach to any enterprise-wide
change management framework.
DP-A4.1.04 Prioritize the data privacy impact assessments on the organization’s high-risk
processing activities, which may include:
processing personal data which could result in a risk of physical harm in the event
of a security breach.
DP-A4.1.05 Adapt the schedule based on the current portfolio of planned or in-process
change initiatives.
DP-A4.1.06 Secure buy-in for the schedule considering time conflicts for the
internal stakeholders (e.g., peaks/valleys in business operations,
examiner/regulator reviews, or audit plans).
DP-A4.2.01 Use the history of the organization and peers (based on industry, geography,
business activities, and workforce scale and footprint) to analyze vulnerabilities affecting
data privacy, considering likelihood and impact.
DP-A4.2.02 Analyze the likelihood that a data privacy-related threat will materialize,
including identification of likely: single vs. multiple events and short-term vs. long-term
events.
AVOID or TERMINATE the risk and cease activities (or change requirements) that
give rise to the risk;
SHARE or TRANSFER the impact or optimization of the risk with other entities;
to determine if and where the organization may not be complying with applicable
data privacy laws and regulations and/or with industry and sectoral requirements
or expectations; and
DP-A4.3.02 Use the history of the organization and peers (based on industry,
geography, business activities, and workforce scale and footprint) to analyze the
likelihood and impact of data privacy-related compliance violations.
DP-A4.3.05 Identify and evaluate current actions and controls to ensure data
privacy-related compliance (conformance with requirements), including:
DP-A4.3.06 Identify and evaluate who is accountable for managing each action and
control pertaining to data privacy, including:
DP-A4.4.01 Identify any gaps and unnecessary overlaps in actions and controls related
to data privacy, as well as appropriate overlaps and layering.
DP-A4.4.02 Analyze the effect of current actions and controls related to data
privacy on the likelihood, timing, and impact of each risk/reward.
DP-A4.4.03 Analyze the effect of current actions and controls related to data
privacy on the likelihood, timing, and impact of compliance with requirements.
DP-A5.1.02 Design actions and controls to address gaps and unnecessary overlap in
the way that requirements pertaining to data privacy are addressed.
DP-A5.2.02 Evaluate and select actions and controls to accept, avoid, share, shift, or
reduce data privacy risk, including transfer and risk financing instruments and
approaches, consistent with defined risk appetite, tolerance, and capacity.
DP-A5.2.03 Evaluate and select actions and controls that prevent, detect, and
respond to undesirable events and conditions related to data privacy.
DP-A5.2.04 Consider privacy and data protection issues at the design phase of any
system, service, product or process and then throughout the IDP lifecycle
(Privacy/Data Protection by Design).
DP-A5.2.06 Identify areas where actions and controls can address more than one
risk/reward and requirements related to data privacy — dual-purpose controls.
DP-A5.3.03 Identify options for types of risk financing appropriate to each identified
risk/reward related to data privacy.
DP-A5.4.01 Assess the planned residual risk related to data privacy that is anticipated
when the proposed actions and controls are put in place.
DP-A5.4.04 Analyze the costs and benefits of planned actions and controls.
DP-A5.5.01 Identify actions and controls that currently are in place or are planned to
address inherently high risks. Examples of high-risk personal information processing
activities include:
DP-A5.5.02 Design additional monitoring activities to ensure that actions and controls
continue to be effective and operate according to plan.
DP-A5.5.03 Augment the prioritized risk matrix with the planned risk optimization
actions and controls and planned residual risk analysis.
DP-A5.6.01 Develop key performance indicators (KPI) for each objective related
to data privacy.
DP-A5.6.03 Develop key risk indicators (KRI) for each key risk or category of key risk
related to data privacy.
o escalation/reporting;
o corrective action; or
o re-evaluation of approaches.
sensitivity;
data owner (that is, the department within the organization that collects, uses,
and/or discloses the data);
associated policies.
geographical area where the personal information was collected or processed; and
DP-A5.8.01 Identify key data privacy-related processes and controls that are less
error-prone and more efficient if enabled by technology.
DP-A5.9.06 Assign accountability for each initiative and for monitoring events that
may require changes to initiatives.
DP-A5.9.07 Obtain support and approval for data privacy-related strategic and
tactical plans from management and resources necessary for each initiative.
DP-P1 Controls
Establish technical, administrative, and physical controls to manage each
phase of the IDP Lifecycle for all business activities across the
organization that involve processing personal information, according to
the various applicable privacy principles, as needed to reduce the
likelihood, impact, or velocity of undesirable conditions or events.
the design phase of any system, service, product, or process that involves
processing personal information: that is, taking the appropriate technical, and
organizational measures designed to comply with the applicable privacy principles
from the outset (including by integrating the necessary safeguards into the
processing to fulfill privacy requirements and to protect data subject rights); and
throughout the entire IDP Lifecycle, to ensure that privacy practices and
considerations are “baked in” to business practices and processing activities
proactively and do not need to be added at some time in the future reactively.
there is a short storage period, which is long enough only to allow the processing to
occur for the stated purpose; and
Terminate or Avoid the risk (by terminating the business process that gives rise to
the risk);
Tolerate / Retain / Accept or Keep the risk (by continuing the business process that
gives rise to the risk – for example, because the balance between accepting the risk
or terminating the relevant business process lies in favor of the organization
accepting the risk);
Transfer or Share the risk (for example, by insuring against the risk or by obtaining
relevant indemnities from third parties).
DP-P1.2.01 Determine what proactive actions and controls the organization should
develop and implement to manage risks, including, for example, the following categories,
depending on applicable data privacy laws:
o approvals;
o authorizations;
o pre-submission reviews; and/or
o quality reviews.
Privacy Notice Requirements: while there may be some variations depending on the
applicable jurisdiction(s), generally privacy notices:
physical access controls which limit access to physical technology components such
as networks, servers, and workstations;
master data controls that prevent or restrict changes to the information stored in
data sources.
DP-P1.2.03 Determine what detective actions and controls the organization should
develop and implement to manage risks, including, for example, the following
categories:
DP-P1.2.04 Determine what responsive actions and controls the organization should
develop and implement to manage risks, including, for example, the following
categories:
DP-P2.1.01 Define a hierarchy for policies and standard operating procedures (SOPs)
considering the following factors (if and to the extent relevant to the organization), as
well as the risks and controls that the organization will adopt, and identify any
additional factors that apply – there is no “one size fits all” in developing
data privacy policies:
determine the audience for the policy and SOP – external stakeholders, internal
stakeholders, etc.;
develop the content for each policy and SOP, taking into consideration the
mandatory and voluntary requirements to comply with data privacy laws and
internal organizational practices respectively; and
develop standard templates and style guides for standardization of policies, codes
of conduct, and SOPs across organizational entities where relevant.
CCTV Policy.
third party due diligence and contractual requirements where personal information
may be disclosed to a third party or transferred to another jurisdiction (including,
in each case, where the third party is a member of the same corporate group).
DP-P2.1.03 Consider which policies need to be supported with SOPs – that is, detailed
instructions about what staff must do and must not do, which are often provided in the
form of bullet points of “Do’s” and “Don’ts” and define a process:
for SOPs to be developed by the head of the department in which the SOP is to be
used (or by their delegate within the department);
for the relevant head of department to ensure that departmental staff are trained in
the SOPs relevant to a role before they commence that role; and
for the relevant head of the department to audit compliance by departmental staff
with relevant SOPs regularly and to ensure that there are disciplinary consequences
for a failure to comply with relevant SOPs.
DP-P2.1.04 Define the objective of each policy, which should be aligned to the
objectives of the organization, and ensure that only individuals with appropriate
authority issue and modify policies, standard operating procedures, and/or codes of
conduct about data privacy.
DP-P2.1.05 Define the target audience for each policy, including all the relevant
stakeholders (both internal and external). There should be two versions of the data
privacy policy – a less-detailed public version for external stakeholders and a more-detailed
private version for internal stakeholders.
DP-P2.1.06 Have appropriate experts approve policies that must satisfy data privacy-related
mandates. Such mandates must comply with the lawful bases for processing
personal information as prescribed in the local data privacy law. For example, the EU’s
General Data Protection Regulation (GDPR) spells out six lawful bases for processing
personal information:
DP-P2.1.07 Understand business model elements that are affected by each policy.
DP-P2.2.01 Determine how to make each policy about data privacy available to each
target audience.
DP-P2.2.02 Determine whether training or testing of the target audience is required for
each policy.
DP-P2.2.03 Define specific scenarios and their applicability for the relevant audience for
each policy and SOP.
DP-P2.2.06 Define awareness, education, and support practices for each policy
and each target audience.
DP-P2.2.08 Define the procedure to notify the help desk of any additions,
modifications, or expiration of policies.
DP-P2.2.11 Determine the need to assess or certify responsible personnel to ensure
that they can perform process control activities.
DP-P2.2.13 For each procedure, define a testing approach and related monitoring
activities to ensure that the procedure is operating effectively within defined
tolerances.
DP-P2.3.01 Obtain support and commitment from management for policies about
data privacy.
DP-P2.3.02 Have management show support for policies in both word and
action, so stakeholders realize the genuine commitment to policies by
management.
DP-P3.1.01 Identify required external reports to data privacy regulators and other
stakeholders, and create a matrix indicating the:
DP-P3.1.02 Define internal reports needed to allow the entity to certify there are no
violations or infringements of mandates or policies relating to data privacy, and those
needed to manage the data privacy capability, and prepare a matrix indicating the:
DP-P3.1.05 Analyze existing reporting and determine gaps against the planned
reports and their desired management.
DP-P3.3.01 Prepare to develop a high-level communication plan about data privacy by:
DP-P3.3.02 Develop a high-level communication plan about data privacy that identifies:
o paper-based;
o email;
o chat platforms (e.g., WhatsApp, Telegram, Signal);
o websites;
o shared folders or shared drives;
o postings;
o live events or meetings;
o video/audio broadcast; or
o face-to-face personal or group communication;
DP-P3.3.07 Periodically, review and update the communication materials to keep them
current and relevant.
DP-P4.1.01 Define a plan to make each target population generally aware of the data
privacy capability and their responsibilities and expected conduct, and as part of the
plan:
DP-P4.1.02 Develop materials describing the primary elements of the data privacy
capability including the alignment with the underlying mission, vision, and values of
the organization.
DP-P4.1.03 Determine which target audiences require more specific education about
particular aspects of the data privacy capability or specific policies and procedures.
DP-P4.2.02 For each course that contains legal and/or policy content, map the
objective to specific legal and/or policy requirements pertaining to data privacy.
DP-P4.2.03 Define the competence required for specific roles and positions.
DP-P4.2.04 Map the series of required and desired courses for each role and position.
DP-P4.2.05 Conduct a needs assessment that identifies high-risk and mandatory
training needs, and develop a training plan for each job or job family that details:
DP-P4.2.06 Define the time frames for training newly hired, promoted, or transferred
individuals for their new roles.
DP-P4.2.07 For each learning object, select the appropriate training mode,
media, and synchronicity based on:
DP-P4.3.02 Inventory all live, online, and self-paced courses and related training
vendors, capturing critical information on each and comparing them to desired courses
in the master curriculum.
DP-P4.4.01 Integrate data privacy capability training into existing job training wherever
possible.
DP-P4.4.03 Prepare the help desk to support questions regarding training access and
content.
DP-P4.4.04 Distribute communications and deliver courses in accordance with the plan
to target audiences.
DP-P4.4.06 Deliver training for all employees about responsible and ethical decision-making.
DP-P4.4.08 Assess knowledge, competency, and skills when required and for
training that addresses significant risks pertaining to data privacy.
DP-P4.4.09 Measure training progress against the training plan including the
administration of tests and quizzes for the participants.
DP-P4.5.01 Define the helpline approach and policy, including the preference for
posing questions to a supervisor (or another internal route) first or to the helpline first
(this may differ based on the type of issue).
DP-P4.5.02 Define whether helpline (for questions) and hotline (for reporting
concerns) are combined or separate.
after gaining basic information, redirect to the hotline process if an issue has been
identified that constitutes a report.
DP-P4.5.05 Provide helpline personnel with a list of frequently asked questions and
answers.
DP-P4.5.06 Staff the helpline with personnel who are well trained to respond to, or
seek assistance to answer, a variety of anticipated inquiries related to the data privacy
capability and requirements.
DP-P4.5.08 Ensure that supervisors and data privacy capability personnel embedded
in the business can answer questions about authority, responsibilities, and issues
related to data privacy-related compliance, ethics, and undertaking risks.
DP-P4.5.09 Inform employees about who is available within their work location
to answer questions about authority, responsibilities, and issues related to data
privacy-related compliance, ethics, and undertaking risks.
DP-P4.5.10 Develop and make available "self-help" materials that employees and other
agents can use to answer questions without requiring human interaction.
DP-P5.1.02 Develop definitions, classifications, and procedures for identifying those
who exhibit the defined desired conduct and contribute to positive organizational
outcomes.
DP-P5.3.01 Develop compensation and bonus structures that include consideration and
reward for following decision-making criteria and following desired compliance and
ethical conduct in any role related to data privacy.
DP-P5.3.03 Analyze compensation and bonus plans for jobs/roles that relate to
revenue generation or financial roles/responsibilities, confirming that they do
not induce non-compliant or unethical behavior.
DP-P5.3.04 Analyze compensation and bonus plans for key roles including roles with
substantial authority confirming that they do not induce non-compliant or unethical
behavior.
DP-P5.3.05 Analyze discretionary budgets or allowances for all roles, confirming
that they do not induce non-compliant or unethical behavior.
DP-P5.3.06 Develop awards and other incentives to reward model conduct and
leadership in data privacy practices.
DP-P5.3.09 Develop awards and other incentives for suggestions that improve the data
privacy capabilities.
o in person;
o phone;
o mail;
o email;
o chat platforms;
o technology solutions; and
o web.
DP-P6.1.02 Make some channels available 24 hours per day, 7 days per week, 365 days
per year, for example a channel for anonymous reporting. Where feasible, use a neutral
party to receive the reporter’s feedback (this helps avoid a chilling effect on notifications
by whistleblowers).
DP-P6.1.03 Define the notification approach and policy, including the preference for
reporting to a supervisor (or another internal route) first or to the hotline first (this may
differ based on the type of issue and local custom and law).
DP-P6.1.04 Define which channels will be delivered using internal and/or external
resources.
o employees;
o agents (contract employees acting on behalf of the entity);
o suppliers and customers; and
o public.
DP-P6.1.10 Obtain requisite internal and external approvals or licenses of the defined
approach.
DP-P6.1.11 Consistent with local custom and law, create a policy, either separately or as
part of the code of conduct, requiring employees to use one of the notification pathways
if they observe or know of misconduct.
DP-P6.1.12 Define a policy, either separately or as part of the code of conduct, stating
that the organization will not retaliate against individuals who notify the organization
about misconduct or data privacy capability flaws.
DP-P6.1.13 Document the inquiry, personal request to exercise rights over data,
rejection, or issue using a system or method that allows for subsequent analysis.
DP-P6.1.17 Develop a technology solutions strategy to help provide input about progress
towards objectives related to data privacy, and the existence of undesirable conduct,
conditions, and events.
issue routing and escalation protocols depending on the severity or the criticality of
the notification;
DP-P6.2.04 Track the issue as it flows through the resolution process until closure.
DP-P6.2.06 Utilize technology solutions to filter and route notifications to the right
person at the right time, so the organization can respond to notifications from humans
and systems.
DP-P6.2.07 Maintain records of all notifications and feedback for follow-up actions and
improvement to the organization’s data privacy processes and practices.
DP-P6.2.08 Flag any trends, patterns, or anomalies that may require concerted
organization-wide actions (e.g., systemic issues).
DP-P6.3.01 Define whether hotline (for reporting concerns) and helpline (for
questions) are combined or separate.
DP-P6.3.03 Understand data privacy requirements that are globally applicable to your
organization and design the approach so that the hotline complies with all applicable
data privacy-related mandates.
DP-P7.2.03 Analyze information and findings to identify and refer for improvement
any data privacy capability weaknesses.
DP-P7.2.04 Document inquiries or issues using a system or method that allows for
subsequent tracking and further analysis.
DP-P7.2.06 Flag any trends, patterns, or anomalies that may require
concerted organization-wide actions (e.g., systemic issues).
DP-P8.1.01 Understand the various rights that are available to individuals (data
subjects) according to the provisions of the data privacy law:
Right to withdraw any consent given (or to change it in some other way).
DP-P8.1.02 Verify the identity of the individual requester first before acceding to
his/her request.
DP-P8.1.05 Take note of exceptions or denials to these requests and document the
reasons.
DP-P8.2.02 In preparation for data breaches, put in place a data breach management
plan and set up a data breach response team with roles and responsibilities spelled out.
DP-P8.2.03 Create mock data breach scenarios and carry out tabletop exercises to
practice how to respond to a data breach (repress, return, resolve, report data breach),
how to prepare an incident report, and how to escalate the incident to higher-level
management.
DP-P8.2.04 When a data breach does occur, activate the data breach response team,
and put in motion the data breach management plan:
Initiate an internal investigation to find out the facts of the data breach and take
remedial actions.
Next, assess the nature and extent of the data breach and determine whether it
is notifiable to the regulator.
If it is a notifiable data breach, inform the regulator within the mandatory time
frame as stated in the data privacy law and the affected individuals if required.
Review the root cause(s) of the data breach and plug the gaps in the affected
systems or processes to ensure that a similar breach does not happen in the future.
DP-P8.3.01 Establish a core team to process data privacy-related issues that are
identified by complaints, expressions of concern, or other discovery methods
(additional parties may be involved on a case-by-case basis to address specific types of
issues as they arise).
DP-P8.3.02 Develop and use taxonomies for classifying reported or identified issues
and their severity level.
confirmation/validation of an issue;
analysis of an issue;
investigation of an issue;
escalation of an issue;
DP-P8.3.06 Define "investigation tiers" that identify who will address issues of
particular scope and type.
DP-P8.3.07 Define categories of issues that are escalated to the Board or a Board
committee immediately upon validation, such as those that are at the crisis level due
to impact on the organization and its operations.
DP-P8.3.11 Define template plans for standard and special investigations of common
issues within each investigation tier addressing:
privilege rules;
escalation rules;
investigation management rules (need for outside legal counsel or special in-house
investigators).
DP-P8.3.14 Establish policies and procedures to follow at the onset of each identified
type of investigation including procedures for:
DP-P8.3.16 Establish procedures to quickly inform senior management and the Board
or audit committee of any investigation the outcome of which may be material to the
organization, implicate wrongdoing by any member of management, indicate criminal
wrongdoing by anyone in the organization, or lead to potential reputation damage,
taking privilege and confidentiality needs into account.
DP-P8.3.17 Establish procedures to inform those responsible for managing the public
relations and stakeholder relations of the organization about investigations as soon as
possible and, to the extent necessary, within the context of a privileged discussion.
collect or identify all requested documents and data and initiate document holds to
stop any routine destruction or removal;
track information that will be released as non-privileged, indicating that the release
is intentional and controlled;
determine if any requests for information will be refused and develop that response
under legal review;
assign the non-investigative question to the appropriate person for timely response
or discussion (or refusal to provide information).
different people may head up the team depending on the type of investigation; and
DP-P8.3.28 Utilize established rules, policies, and procedures for the type of
investigation to determine which people within the organization will be responsible
for overseeing the organization's role in the investigation, dealing directly with
investigators, and leading the internal investigation team.
DP-P8.3.30 Establish policies that ensure team members have clear authority and
that their authority will be expressed to all personnel who may have to respond to
their requests for information, documents, or interviews.
DP-P8.3.31 Establish policies and procedures that ensure team members are relieved
of other duties as necessary to provide the time required to participate effectively in the
investigation.
collect or identify all requested documents and data and initiate document holds to
stop any routine destruction or removal;
track information that will be released as non-privileged, indicating that the release
is intentional and controlled;
determine if any requests for information will be refused and develop that response
under legal review;
DP-P8.4.01 Identify the types of data privacy-related crises that might arise and create
a list of specific examples of ones deemed to be either likely or of significant impact if
they were to occur, including events with crisis level impacts on:
DP-P8.4.02 Develop business impact analysis and/or privacy impact analysis for each
listed type of crisis by:
DP-P8.4.03 Address business continuity and recovery goals for each type of crisis by:
DP-P8.4.04 Establish detailed response and recovery plans that adhere to regulatory
and other requirements for each type of crisis that include the following:
In the case of a physical crisis, policies and procedures for coordination with first
responders from local authorities on plans, procedures, and communication
protocols so they can facilitate safety, rescue, and emergency operations.
An identified communications plan and team, including legal, public relations, and
investor relations as appropriate.
Policies and procedures that prioritize the physical safety of employees and family
member communications.
DP-P8.4.05 Identify Crisis Readiness and Response Teams for each type of crisis
including:
personnel who will have responsibility for maintaining readiness and monitoring
for signs of impending crisis;
leadership that is accountable for communicating with the workforce, families, and
external stakeholders for each type of crisis; and
DP-P8.4.06 Define and conduct preparedness exercise plans for each type of crisis, and:
DP-P8.5.01 Respond to each investigation or crisis per the established processes and
plans.
DP-P8.5.02 Coordinate and communicate with internal and external stakeholders
impacted by the investigation or crisis.
DP-P8.5.03 Ensure adequate documentation is kept of the response activities for use
in management monitoring, assurance, or other activities.
DP-P8.6.01 Define and enforce a procedure and criteria for consistent discipline given
the type of misconduct.
DP-P8.6.03 Track discipline decisions and include them in workforce files and
extended enterprise relationship records.
o regulatory agencies;
o enforcement authorities;
o insurers;
o customers; and
o workforce.
DP-P8.7.04 Inform stakeholders about resulting changes to the data privacy capability.
DP-R1 Monitoring
Monitor and periodically evaluate the performance of the DPMP to
ensure it is designed and operated to be effective, efficient, and
responsive to change.
DP-R1.1.01 Define aspects of the data privacy capability design to be periodically re-evaluated,
including:
DP-R1.1.03 Select appropriate monitoring methods for each aspect of the data privacy
capability based on identified goals, assurance level, and sensitivity status, such as:
Examples of mechanisms and metrics that can be used for monitoring and collecting
relevant information include:
o dashboards;
o system logs;
o number of staff trained;
o customer inquiries, requests, and complaints;
o staff violations of internal rules; and
o data breaches.
DP-R1.2.01 Identify persuasive information that can be used to conclude that a data
privacy-related risk optimizing activity is effective, efficient, and responsive.
DP-R1.2.02 Consider direct information from monitoring the external and internal
environments.
DP-R1.2.09 Identify the key risk optimizing activities whose failures may not be
detected promptly (single points of failure).
DP-R1.2.11 Identify the risk optimizing activities that may compensate for failures in
other key optimizing activities (key compensating activities).
DP-R1.3.12 Analyze the skills required to perform each control and the availability of these
skills, as skills shortages will quickly affect these controls.
DP-R1.3.13 Analyze the degree of automation versus manual execution of the control
as manual controls are more prone to human error than automated controls, and
automated controls are more prone to voluminous and repeated error if there is a
systemic issue.
DP-R1.3.16 Flag any trends, patterns, or anomalies that may require concerted
organization-wide actions (for example, systemic issues).
DP-R2.1.05 Where available and appropriate, plan to apply for and achieve an
external privacy seal or certification for the DPMP.
DP-R2.2.01 Review monitoring reports and changes to the data privacy capability
previously undertaken by management as part of the assurance process.
DP-R2.2.03 Analyze the evidence collected, and results of testing, and develop
conclusions on the design and operating effectiveness of the data privacy capability.
have the organization apply for a data privacy seal or certification; and/or
have data privacy professionals and leaders apply for relevant professional
certifications.
newly identified threats/risks not assessed in terms of severity and impact, and not
included in risk registers;
identified risks with implemented actions, yet incident or breach occurred because
of ineffective controls;
DP-R3.2.01 Adapt existing priorities and plans to accommodate additions to the data
privacy capability.