Q1. What is GDPR?
A1. The General Data Protection Regulation (GDPR) builds on the data protection policies that already existed in several countries across the world. Any company we take services from holds our personal data, such as phone numbers and addresses. Under GDPR, a company cannot use our personal data for any purpose other than the one for which it was requested, which simply means it cannot use our data for marketing or other purposes without our consent. The Regulation is compulsory in Europe as of now, and every company, including social media websites such as Facebook and Twitter, requires your permission to use your data for any purpose other than the one you have permitted.
Q2. How does it affect us?
A2. GDPR affects every organization that requires an individual's personal data. Even if you feel that your company does not require personal data, in a way it does, since employees provide their personal data to the companies they work for. GDPR is therefore a regulation that affects every organization and every individual.
Q3. What is personal data with reference to GDPR?
A3. Any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
- Identification number,
- Location data,
- Online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Q4. Who is a controller of data and who is a processor? Is there a difference?
A4. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Q5. Does GDPR apply to the controller or the processor?
A5. GDPR obligations apply to a controller or processor:
- if the company is located in the EU, even if the processing takes place outside the EU/EEA;
- if it is located outside the EU and is involved in processing related to individuals physically located in the EU (the offering of goods and services to, or monitoring of the behavior of, such individuals, regardless of whether they are European citizens or not).
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  - the monitoring of their behavior as far as their behavior takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Q6. How will GDPR be monitored?
A6. GDPR is monitored as per the model shown below:
Q7. What are the rights of the data subject, i.e. the person to whom the personal data belongs?
A7. As per GDPR, the rights of the Data subject are as follows:
- Communications with a Data Subject must be concise, transparent, intelligible
- Controller must be transparent in providing information about itself and the purposes of the collection of Personal Data from the Data Subject
- Information to be provided where Personal Data have not been obtained from the Data Subject
- Controller must provide Data Subject with information about their rights
- Right to rectification
- Right to erasure (‘right to be forgotten’)
- Right to restriction of processing
- Notification obligation regarding rectification or erasure of Personal Data or restriction of processing
- Right to data portability
- Right to object
- Automated individual decision-making, including profiling
Q8. What happens in case of a breach?
A8. These measures take effect immediately in case of any breach (PD = personal data, DS = data subject):
- Communication of a PD breach to the DS without undue delay.
- The communication to the DS referred to in paragraph 1 of this Article shall describe clearly the nature of the PD breach and contain at least the details of the breach and the measures to be taken.
- The communication to the DS referred to in paragraph 1 shall not be required if any of the following conditions are met:
  - The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the PD associated with the breach, in particular those that render the PD unintelligible to any person who is not authorized to access it, such as encryption.
  - The controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of DS referred to in paragraph 1 is no longer likely to materialize.
  - It would involve disproportionate effort. In this case, there shall be a public communication or similar measure whereby the DS are informed in an equally effective manner.
- If the controller has not already communicated the PD breach to the DS, the supervisory authority, having considered the likelihood of the PD breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
Q9. What is a DPIA? When is it required?
A9. Where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of PD. A single assessment may address a set of similar processing operations that present similar high risks. The controller shall seek the advice of the DPO, where designated, when carrying out a Data Protection Impact Assessment (DPIA).
A DPIA is required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1), or of PD relating to criminal convictions and offences referred to in Article 10; or
- a systematic monitoring of a publicly accessible area on a large scale.
In addition:
- The supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a DPIA, and shall communicate those lists to the Board.
- The supervisory authority may also establish and make public a list of the kinds of processing operations for which no DPIA is required, and shall communicate those lists to the Board.
- Prior to the adoption of the lists, the competent supervisory authority shall apply the consistency mechanism where such lists involve processing activities which are related to the offering of goods or services to DS or to the monitoring of their behavior in several Member States, or may substantially affect the free movement of PD within the Union.
Q10. What does a DPIA consist of?
A10. The assessment shall contain at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of DS referred to in paragraph 1; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of PD and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of DS and other persons concerned.
P-CMM® Frequently Asked Questions
Q1. What is PCMM®?
A1. People Capability Maturity Model (P-CMM®) is a tool that helps you successfully address the critical people issues in organizations. The People CMM® employs the process maturity framework of the highly successful Capability Maturity Model® as a foundation. Based on the best current practices in fields such as human resources, knowledge management, and organizational development, People CMM® guides organizations in improving their processes for managing and developing their workforce.
Q2. What are the benefits of PCMM®?
A2. The People CMM helps organizations:
- characterize the maturity of their employee practices
- establish a program of continuous employee development
- set priorities for improvement actions
- integrate employee development with process improvement
- establish a culture of excellence
The People CMM consists of five maturity levels that establish successive foundations for continuously improving individual competencies, developing effective teams, motivating improved performance, and shaping the workforce the organization needs to accomplish its future business plans. Each maturity level is a well-defined evolutionary plateau that institutionalizes new capabilities for developing the organization’s workforce.
Q3. What is the process of assessment for P-CMM®?
A3. The process of assessment is as follows:
- Preparing Phase – preparing for the assessment
- Surveying Phase – conducting the People CMM survey
- Assessment Phase – conducting the onsite assessment
- Reporting Phase – reporting the assessment results
Q4. How is the maturity level determined?
A4. The maturity level is determined through the mapping exercise. The following table is the basis for level determination:

| Maturity Level | Process Areas | Goals | Practices | Level determination |
|---|---|---|---|---|
| 2 | 6 | 24 | 130 | The company is declared Maturity Level 2 once these are satisfied. If any one of the Goals is not satisfied, the organization is declared ML 1. |
| 3 | 7 | 28 | 161 | The company is declared Maturity Level 3 once these are satisfied, including ML 2. |
| 4 | 6 | 23 | 139 | The company is declared Maturity Level 4 once these are satisfied, including ML 3 and 2. |
| 5 | 3 | 12 | 69 | The company is declared Maturity Level 5 once these are satisfied, including ML 4, 3 and 2. |

* is a must to satisfy; ** is desirable to satisfy
Q5. How much time is required to implement the next level of P-CMM® as per the level at which my firm is?
A5. The approximate timeline, based on the level at which the firm is determined to be, is given in the table below:

| Determined ML | Proposed Recommendation | Suggested Timelines |
|---|---|---|
| Initial (ML 1) | The company implements the Goals that are not satisfied in Maturity Level 2 | 3 Months |
| Managed (ML 2) | The company implements the Goals that are not satisfied in Maturity Level 3 | 6 Months (Cumulative 9) |
| Defined (ML 3) | The company implements the Goals that are not satisfied in Maturity Level 4 | 12 Months (Cumulative 18 in case of ML 2 or 21 in case of ML 1) |
| Predictable (ML 4) | The company implements the Goals that are not satisfied in Maturity Level 5 | 6 Months (Cumulative 18 in case of ML 3 or 24 in case of ML 2 or 27 in case of ML 1) |
| Optimizing (ML 5) | Make the process robust to ensure stability and consistency. Regular measurement and verification. | NA |
Q6. What are the recommended actions to improve People CMM practices?
A6. Recommendations for addressing key findings at:
- process area wise Goals level
- process area wise Implementation Practices
- process area wise Institutionalization Practices
Recommendations would include policies, procedures, practices and guidelines for the implementation and institutionalization of HR practices.
A roadmap and action plan for upgrading to the next level, along with specific timelines (a date-wise action plan), shall be developed with the organizational authorities.
The approach and the methodology to be adopted for carrying out the study have been explained in the paragraphs above, covering:
- undertaking a gap analysis of HR practices at HPCL;
- establishing the level of PCMM® at which HPCL's HR practices are;
- recommending whether to go for an upgrade and suggesting timelines, etc.
Q7. What are the timelines for assessment of PCMM® practices?

| No. | Activity | Timeline |
|---|---|---|
| 2 | Briefing to the team members | 1 |
| 3 | Making the day-wise action plan | 1 |
| 4 | Preparatory Phase tasks | 2, 3 |
| 8 | Determination of Maturity | 11 |
| 10 | Suggested time line | 12 |
- Chandra Sekhar M. – First batch Indian People CMM Lead Assessor, from a hard-core background of HR practice and teaching experience. First Lead Assessor from the Manufacturing and Service Sector.
- Successfully completed People CMM Lead Assessor workshop under Bill Curtis, Chief Architect and co-author of P-CMM®, Software Engineering Institute (SEI), CMU, USA.
- Has been conducting trainings and assessments since 2002. Participants in his programs were from GAIL, BPCL, HPCL, EIL, BHEL, DRDO, Ericsson, Thirdware, DRDL, BDL, Sleepwell, ACME, Apothecaries, C&S group, Gateway Distriparks and HCL.
- Life member of National Institute of Personnel Management (NIPM) and NHRD Network.
- M. Ravindran – Former Director (HR), GAIL (India), and MD & Chairman, IGL; Principal Advisor, Diligentia Advisors. He is former Director (HR) with additional responsibility for business development at GAIL India. He was the Chairman of GAIL's USA subsidiary, GAIL Global (USA) LNG LLC, for the same period. Apart from serving as Chairman of the Board of IGL, he also served as Chairman of Green Gas Limited. He has the distinction of being the first CEO of GAIL's wholly owned subsidiary. During his tenure as CEO of the wholly owned GAIL subsidiary, GAIL Gas Limited, he steered the formulation of the company's people policies and business policies, particularly in the regulatory regime of PNGRB. Trainer at the Assessing People CMM workshop.
- V Nalini Kanth – former Vice President HR, Samtel India. Master of Social Work with 30 years' experience in Organizational Development. Implemented People Capability Maturity Model practices in Samtel, Tata Chemicals, Reddy Labs and Vijay Electricals, etc. Worked closely with Prof. Somnath Chattopadyay, former Prof. IIM Ahmedabad, for 5 years.
- S C Sharma – former Addl. Director General, Aviation Quality Assurance. Instrumental in developing the assessment model and tool for assessment; he is the key contributor to the development of the PCMM® assessment tool. Total work experience of 30+ years. Worked closely with Prof. Chandra Sekhar, P-CMM® Lead Assessor. Tutor in training People CMM for NFL, GAIL, HPCL, EIL and BPCL, etc.
- Ratna Rao – An HR professional with 30+ years' experience. Previous position: Group GM Strategic HR for the then largest provider of healthcare, with exposure to the manufacturing, hospitality, IT and healthcare sectors. Worked closely with Prof. Chandra Sekhar, P-CMM® Lead Assessor. Tutor in training People CMM for NFL, GAIL, HPCL, EIL and BPCL, etc.
- Shri Praveen Bejjenki – Has been closely associated with Prof. Chandra Sekhar in the conduct of P-CMM® Lead Assessor workshops and assessments. He is a postgraduate in HRM with 15 years of experience. An assessment and implementation team member in Ericsson, Sleepwell, ACME, C&S group, Gateway Distriparks, HCL, etc.