From Privacy in Design: A Practical Guide to Corporate Compliance, by Waël Hassan, PhD
The concept of “privacy maturity” can help you understand the strengths and weaknesses of your data protection practices and develop them into a more thorough and secure system. By assessing how your Privacy Program meets specific benchmarks within a ranked model, you can determine your company’s maturity with respect to three general privacy elements:
- adequate business tools,
- risk management and control efforts, and
- deliberate implementation measures.
(In the model, more complex and thorough privacy practices are indicators of a more mature system.)
A Privacy Audit, which documents your current practices, is the first phase of a Privacy Maturity Assessment. The Maturity Assessment adds a second phase: comparing those documented practices against the model. Ranked benchmarks help you identify your company’s current maturity level, determine what level it should be at, and set targets accordingly.
Each element contributing to your overall privacy practices may have various maturity levels; for example, you may have a consistent process for tracking and reporting security breaches but weak implementation amongst staff and senior management.
The risk-management-based Privacy Maturity Model below will help you identify your next targets so as to make continuous improvement towards PI management best practices. Once you have identified your current privacy maturity level, the model will help guide you to the next benchmark. These benchmarks are specific enough to give a strong sense of direction without restricting you to a single privacy solution.
The ability to track and report your incremental progress towards privacy maturity through the model will be helpful both for planning and auditing purposes. Benchmarks with detailed criteria and a specific deadline will usher you towards improving your privacy practices; they can also help identify when your practices might be falling behind, and what corrective measures can get you back on track.
Privacy Maturity Model (columns: Maturity Level; Business Tools; Risk Measurement & Control; Implementation). Benchmark entries from the table, listed in the order they appear; several cells are incomplete:
- Documents and forms related to privacy
- General feedback or complaints from public
- No process for
- Some privacy knowledge and procedures exist throughout
- Checklists developed to ensure that measures recommended by privacy regulators (e.g., FTC reports) are in place
- Responsibility for privacy is held by a staff member with minimal
- on company privacy practices is available to the
- Several privacy documents exist, but may not be consistent with
- Breach reporting and notification
- Tracking system for privacy incidents, complaints, and updates to personal
- A Privacy Officer has been
- Assessments are carried out, but recommendations are
- Contracts with data recipients/service providers include privacy requirements
- Regular internal communications (e.g., privacy newsletters)
- A consistent, defined process to document, track, and report on
- A knowledge base of privacy resources, laws, and standards (Privacy
- An action plan to mitigate issues identified in assessments or audits
- Privacy training used to improve
- Performance measurement related to data releases.
- Follow-up and reporting on implementation of risk mitigation
- Executive reporting using privacy
- This creates the ability to see how company processes, guidelines, and functions all work together. Needs can then be determined from the overarching perspective that business architecture provides.
- Objective risk metrics are used to quantify, evaluate, and report on privacy risks.
- All data use, retention, and disclosure is subject to
- A developed Privacy Program is appropriately staffed to create or deliver business tools, implement risk control and measurement, and follow up on implementation.
- A Privacy Governance Committee oversees privacy activities and ensures implementation across all lines of business.