From Privacy in Design: A Practical Guide to Corporate Compliance, by Waël Hassan, PhD
The concept of “privacy maturity” can help you understand the strengths and weaknesses of your data protection practices and develop them into a more complete and secure system. By assessing how your Privacy Program meets specific benchmarks within a ranked model, you can determine your company’s maturity with respect to three general privacy elements:
- adequate business tools,
- risk management and control efforts, and
- deliberate implementation measures.
(In the model, more complex and thorough privacy practices are indicators of a more mature system.)
A Privacy Audit is the initial step of a Privacy Maturity Assessment; the Maturity Assessment adds a second phase in which the audited practices are compared against the model. Ranked benchmarks help you identify your company’s current maturity level, determine what level it should be at, and set targets accordingly.
Each element contributing to your overall privacy practices may have various maturity levels; for example, you may have a consistent process for tracking and reporting security breaches but weak implementation amongst staff and senior management.
The risk-management-based Privacy Maturity Model below will help you identify your next targets and make continuous improvement towards best practices in personal information (PI) management. Once you have identified your current privacy maturity level, the model will guide you to the next benchmark. These benchmarks are specific enough to give a strong sense of direction without restricting you to a single privacy solution.
The ability to track and report your incremental progress towards privacy maturity through the model will be helpful both for planning and auditing purposes. Benchmarks with detailed criteria and a specific deadline will usher you towards improving your privacy practices; they can also help identify when your practices might be falling behind, and what corrective measures can get you back on track.
| Maturity Level | Business Tools | Risk Measurement & Control | Implementation |
|---|---|---|---|
| 0 | Forms: Documents and forms related to privacy | Feedback: General feedback or complaints from the public | Chaotic: No process for implementing practices |
| 1 | Procedures: Some privacy knowledge and procedures exist throughout the organization | Checklists: Checklists developed to ensure that measures recommended by privacy regulators (e.g., FTC reports) are in place | Initial: Responsibility for privacy is held by a staff member with minimal privacy training. Some information on company privacy practices is available to the public |
| 2 | Policy: Several privacy documents exist, but may not be consistent with each other. Breach reporting and notification process. Privacy FAQ | Issue Management System: Tracking system for privacy incidents, complaints, and updates to personal information | Active: A Privacy Officer has been appointed. Assessments are carried out, but recommendations are not implemented. Contracts with data recipients/service providers include privacy requirements. Regular internal communications (e.g., privacy newsletters). Privacy policy available to the public |
| 3 | Process: A consistent, defined process to document, track, and report on incidents/breaches. A knowledge base of privacy resources, laws, and standards (Privacy Framework) | Mitigation Planning: An action plan to mitigate issues identified in assessments or audits | Performance Management: Privacy training used to improve performance. Performance measurement related to data releases. Follow-up and reporting on implementation of risk mitigation plans. Executive reporting using privacy performance indicators |
| 4 | Business Architecture: Creates the ability to see how company processes, guidelines, and functions all work together. Needs can then be determined from the overarching perspective that business architecture provides | Risk-based: Objective risk metrics are used to quantify, evaluate, and report on privacy risks. All data use, retention, and disclosure is subject to risk validation | Governance: A developed Privacy Program is appropriately staffed to create or deliver business tools, implement risk control and measurement, and follow up on implementation. A Privacy Governance Committee oversees privacy activities and ensures implementation across all lines of business |