KI Design Privacy Maturity Model

From Privacy in Design: A Practical Guide to Corporate Compliance

The concept of “privacy maturity” can guide you to better understand the strengths and weaknesses of your data protection practices, and to develop them into a more complete and secure system. By assessing how your Privacy Program meets specific benchmarks within a ranked model, you can determine your company’s maturity with respect to three general privacy elements:

  • adequate business tools,
  • risk management and control efforts, and
  • deliberate implementation measures.

(In the model, more complex and thorough privacy practices are indicators of a more mature system.)

A Privacy Audit is the first phase of a Privacy Maturity Assessment. The Maturity Assessment adds a second phase: comparing the audited practices with the model. Ranked benchmarks help you identify your company’s current maturity level, determine what level it should be at, and set targets accordingly.

Each element contributing to your overall privacy practices may have various maturity levels; for example, you may have a consistent process for tracking and reporting security breaches but weak implementation amongst staff and senior management.

The risk-management-based Privacy Maturity Model below will help you identify your next targets so as to make continuous improvement towards PI management best practices. Once you have identified your current privacy maturity level, the model will help guide you to the next benchmark. These benchmarks are specific enough to give a strong sense of direction without restricting you to a single privacy solution.

The ability to track and report your incremental progress towards privacy maturity through the model will be helpful both for planning and auditing purposes. Benchmarks with detailed criteria and a specific deadline will usher you towards improving your privacy practices; they can also help identify when your practices might be falling behind, and what corrective measures can get you back on track.

The model is organized by Maturity Level, with the benchmark practices for each level grouped under three columns: Business Tools, Risk Measurement & Control, and Implementation. The practices listed for each level are:

Level 0: Forms

  • Documents and forms related to privacy
  • General feedback or complaints from public
  • No process for implementing practices

Level 1: Procedures

  • Some privacy knowledge and procedures exist throughout the organization
  • Checklists developed to ensure that measures recommended by privacy regulators (e.g., FTC reports) are in place
  • Responsibility for privacy is held by a staff member with minimal privacy training.
  • Some information on company privacy practices is available to the

Level 2: Policy

  • Several privacy documents exist, but may not be consistent with each other
  • Breach reporting and notification
  • Privacy FAQ
  • Issue Management
  • Tracking system for privacy incidents, complaints, and updates to personal
  • A Privacy Officer has been
  • Assessments are carried out, but recommendations are not implemented
  • Contracts with data recipients/service providers include privacy requirements
  • Regular internal communications (e.g., privacy newsletters)
  • Privacy policy available to the public

Level 3: Process

  • A consistent, defined process to document, track, and report on
  • A knowledge base of privacy resources, laws, and standards (Privacy
  • An action plan to mitigate issues identified in assessments or audits
  • Privacy training used to improve
  • Performance measurement related to data releases.
  • Follow-up and reporting on implementation of risk mitigation
  • Executive reporting using privacy performance indicators

Level 4: Business Architecture

  • This creates the ability to see how company processes, guidelines, and functions all work together. Needs can then be determined from the overarching perspective that business architecture provides.
  • Objective risk metrics are used to quantify, evaluate, and report on privacy risks.
  • All data use, retention, and disclosure is subject to risk validation
  • A developed Privacy Program is appropriately staffed to create or deliver business tools, implement risk control and measurement, and follow up on implementation.
  • A Privacy Governance Committee oversees privacy activities and ensures implementation across all lines of business.