Privacy Program Maturity Model

Building a Privacy Program

Building a privacy program can be hard. But, maintaining and maturing one to meet evolving regulations, support operational challenges, and withstand external events can make it feel impossible. To make this task more approachable, it’s essential to understand where you stand today and what you need to accomplish tomorrow to take your program to the next level.

We developed the Osano Privacy Program Maturity Model to serve as a framework and guide for privacy professionals seeking to better understand and benchmark their privacy program and its growth trajectory. We consulted with privacy experts, reviewed the current state of privacy program literature, and analyzed the regulatory and operational landscape that privacy programs exist within. As a result, this model formalizes a spectrum of knowledge and insight into what makes a privacy program effective. In the ensuing sections, you'll learn:

  • How to use this model to guide your privacy program's operations
  • What the different levels of privacy program maturity are
  • Which elements are essential for a holistic privacy program and
  • How you can make the most use of your time and resources as a privacy professional in the endeavor of maturing a privacy program.

How to Use This Maturity Model

You do not have to be mature to be compliant:

This maturity model is meant to help you understand how effective your organization is at operationalizing compliance It does not measure compliance per se; what actually constitutes “compliance” will vary depending on your governing law, industry, unique organizational factors, and jurisdiction. It’s possible that you could be perfectly compliant with a given law but score quite low on this model. That would indicate that you’re operating inefficiently and are at risk of expending too many resources and potentially falling out of compliance in the future. Scoring high on this model indicates that your privacy program is sustainable, flexible, and using its resources effectively—not that it is compliant with this or that law.

Growing and scaling your privacy program is a journey:

While privacy maturity models can be used to help identify potential compliance gaps, they primarily highlight operational challenges that limit efficiency or reduce effectiveness. Quick wins like moving from a spreadsheet maintained by a single person to a centralized tool can help scale, streamline, and automate—and lessen the risk of a single point of failure.

You do not have to obtain the highest level of maturity to be successful:

Depending on your risk, you may choose to prioritize specific criteria to make incremental progress as time and resourcing permit You may choose to accept a lower level of maturity in some areas that generate less risk for your organization and strive for a higher level of maturity in areas that present increased risk or operational challenges Your privacy program should be tailored to meet your needs.

Structure

By using this maturity model, you can generate an overall privacy score for your privacy program that represents its maturity. This model identifies 16 key elements of a privacy program that represent discrete aspects of a privacy program, such as governance and accountability, privacy incident and breach response, subject rights request management, and more By scoring these elements on a scale from one (least mature) to five (most mature), you’ll attain an overall score that represents your privacy program maturity.

For example, your organization may not have any kind of data inventory in place. In that case, you would evaluate the privacy element, Data Inventory and/or Record of Processing Activities as reactive (or Maturity Level One).

With effort, perhaps you establish your first data inventory but have no real plan for when you’ll conduct this exercise again or how to improve the process. In that case, you might re-score the privacy element Data Inventory and/or Record of Processing Activities as provisional (or Maturity Level Two).

Want something to share? Download this guide as a PDF.

Scoring Methodology

By working through the 16 privacy program elements listed in this model and considering which of the five levels best represents the given element’s maturity level, you can calculate an overall privacy program maturity score Each maturity level is assigned a corresponding number of points—e.g., Level One, or reactive maturity, is worth one point, while Level Five, or proactive maturity, is worth five.

In the example on the previous page, you may have scored the Data Inventory and/or Record of Processing Activities element with either one or two points depending on whether you considered it to be at Maturity Level One or Maturity Level Two, respectively. Then, you would proceed to the next element in this eBook (Privacy Impact Assessments), assign it the maturity level that is appropriate to your organization, and score it accordingly. At the end of the exercise, you’ll have a score between 16 and 80, which can be used to assess your overall privacy program’s maturity.

The score totals correspond to different levels of overall maturity, as follows:

  • Level One: Reactive Maturity (16 - 31 points)
  • Level Two: Provisional Maturity (32 - 47 points)
  • Level Three: Formalized Maturity (48 - 63 points)
  • Level Four: Monitored Maturity (64 - 79 points)
  • Level Five: Proactive Maturity (80 points)

You’ll notice that the highest level of privacy program maturity is only achievable through a perfect score in this model; this is intentional. Privacy programs, by their very nature, are never “finished”—compliance and privacy protection are ongoing activities, and there is almost always room for improvement. This scoring methodology reflects that reality.

It’s important to note that using this scoring system might yield a relatively high maturity level while your privacy program still has significant gaps. For example, if you score highly on most privacy program elements but very low on one or two elements, the scores could balance out to a relatively mature level. This can cause you to mistakenly believe your privacy program is acceptably mature when it, in fact, has some serious gaps that must be addressed.

That’s why it’s best to think of this scoring methodology as a general framework to guide your privacy program’s development. The specific gaps and weaknesses you identify during the evaluation process should be considered weightier than the ultimate score.

Keep track of your program's score using our scorecard template.

This video will show you how to use the model and scorecard.

 

Benefits of the Model and Scoring Methodology

With this model and scoring methodology, organizations can:

  • Benchmark their existing privacy program.
  • Determine priorities when building a new program or developing an existing one.
  • Identify high-risk gaps.
  • Track privacy maturity over time.
  • Identify areas of investment.
  • Communicate priorities across teams and stakeholders.
  • Assess readiness to respond to evolving compliance needs.
  • And more.

One excellent use of this model is as part of departmental or company objectives and key results (OKRs). It could become an objective to improve the privacy program’s maturity and a key result to increase the program’s overall maturity from one level to the next over the course of a year or quarter, for example.

Finally, while this document was designed with privacy professionals in mind, it can also serve as a guide for non-privacy experts who need to learn what activities they should pursue to develop more mature data privacy practices at their organization. However, it is unlikely that an organization can attain the more mature levels in this model without a privacy professional, dedicated privacy solutions to support compliance needs, and/or trusted external partners.

In the ensuing sections, we’ll describe the overall privacy program maturity levels, the 16 key privacy program elements, as well as more targeted guidance on how to use these specific components of the model.

 

Privacy Program Maturity Levels

The following maturity levels can be applied to either the privacy program as a whole or to the individual privacy elements described later on in this document. Review these different levels and consider where your own privacy program and associated elements fall.

Privacy Maturity Model - Model Itself

Level 1: Reactive

At this level, privacy-related activities are conducted in a reactive, one-off manner, perhaps in response to a breach, major headline, notice of noncompliance from authorities, or as a “band-aid” effort to comply with a new regulation.

Consistency and Standardization

There is no consistency or standardization in how privacy issues are addressed at this level; policies and procedures do not exist, so any repeatable processes are merely coincidental.

Resources, Roles, and Responsibilities

There are no dedicated resources or budget for privacy activities. Whenever the organization decides to pursue data privacy compliance, other departments—such as IT, Operations, Legal, and the like—carry out any requisite tasks.

Monitoring and Improvement

Compliance activities are only measured in terms of whether or not they’ve been completed, if at all. Their actual impact on the organization’s compliance posture is not considered; instead, they are treated as boxes to be checked off.

Compliance activities are often underprioritized, and other business initiatives take up the bandwidth needed to manage data privacy concerns. It’s difficult to gain the time and focus to attend to compliance; thus, improving compliance processes receives even less time and focus.

Understanding of Data Privacy

Compliance is thought of as something that can be solved, rather than a continuous process. The organization treats data privacy as an obstacle to be overcome or circumvented and then quickly forgotten.

Level 2: Provisional

At this level, there still isn’t a privacy program or formal privacy element, per se. However, some basic mechanisms for managing data privacy and compliance needs are in place.

Consistency and Standardization

A privacy program or element at the provisional level has some standardization and consistency, though it may not be formalized or defined in a detailed fashion. Procedures for managing data privacy exist but are not fully documented, comprehensive, or integrated into the organization’s operations.

Resources, Roles, and Responsibilities

There may not be a dedicated privacy professional at this maturity level. More likely, privacy and compliance are semi-permanent, ancillary responsibilities held by Legal, Operations, or other team members. If there is a privacy professional working on compliance, they do not or are unable to collaborate much with other stakeholders, which limits their efficacy.

Monitoring and Improvement

Program monitoring and measurement only occur in response to an issue or sudden development that brings privacy to the fore. Proactive monitoring does not take place. There may be plans to improve the privacy program or element, but it is unlikely such plans will be put into action. The program or element may be understood to be imperfect, but developing it further is perpetually unprioritized. A major privacy incident or new regulatory requirement may prompt change, however.

Understanding of Data Privacy

The privacy program or element is understood to be an important function in the organization, but it is still perceived as a blocker. Stakeholders accept compliance’s importance but do not understand it or why it’s important.

Level 3: Formalized

At this level, a privacy program and/or the privacy element exists in the organization, and basic practices and procedures are well documented. This level is characterized by a greater degree of standardization than the previous levels.

Consistency and Standardization

The organization has a formal privacy program or element in place with defined policies, procedures, and standards that are integrated into the organization’s operations.

Resources, Roles, and Responsibilities

There are clear roles and responsibilities for privacy management. However, this is primarily restricted to privacy-dedicated personnel; other functions’ privacy responsibilities are not well understood.

Monitoring and Improvement

The privacy program or element is semi-regularly reviewed to ensure the organization is meeting compliance objectives. However, monitoring is not treated as a priority, the chosen metrics may be somewhat arbitrary, and reviews are not conducted frequently. The findings of reviews are typically not translated into improvement and adaptation. Improvements are typically triggered by new laws and developments in the organization’s privacy posture.

Understanding of Data Privacy

Data privacy is considered at the outset of new initiatives but only at the prompting of any data privacy personnel. Outside of the privacy function, privacy concerns are poorly understood. The organization’s privacy expert has the authority to request changes to secure the organization’s compliance.

Level 4: Monitored

An organization with a monitored privacy program or element is actively managing and assessing its privacy program or element. This level of maturity requires a degree of prioritization for privacy that is not present in the earlier levels.

Consistency and Standardization

Program policies and procedures are documented and applied consistently for the most part. When non-privacy personnel carry out compliance-related activities, however, they may do so in an inconsistent fashion. Generally, deviations from the standard procedure are intentional experiments meant to identify and plug gaps.

Resources, Roles, and Responsibilities

The program is adequately resourced, and there is enough privacy personnel to address the bulk of the organization’s compliance needs. Privacy management has a dedicated budget within the organization, and this budget is regularly reviewed to ensure the program has the resources it needs to be effective. Non privacy personnel understands that they may need to consider compliance factors in the course of their work but are not fully consistent in doing so.

Monitoring and Improvement

Processes and procedures are reviewed to assess their efficacy and identify gaps. These reviews occur on a regular cadence, and their results are analyzed to determine how the program can achieve a multitude of outcomes, such as greater efficiency, compliance, speed, cost-effectiveness, and more.

Understanding of Data Privacy

The broader organization is regularly kept informed of and involved in data privacy issues. Senior management is particularly kept abreast of privacy-related activities, and data privacy may be a formal factor that contributes to the organization’s objectives and goals.

Level 5: Proactive

At the proactive level, the privacy program is a central part of the organization’s operations and strategic roadmap. Furthermore, the privacy program itself is highly strategic in how it contends with current and anticipated privacy compliance challenges.

Consistency and Standardization

The privacy program is fully integrated into the organization. Different teams understand compliance procedures and carry them out correspondingly, rarely, if ever, deviating from best practices.

Resources, Roles, and Responsibilities

The privacy program is resourced with adequate budget, staffing, and authority to carry out compliance activities and provide education and training on the broader organization’s compliance responsibilities.

Monitoring and Improvement

The program is continuously monitored to anticipate gaps and needs before they arise. The privacy program itself, regulatory landscape, and the organization’s operations are all carefully monitored to ensure optimal compliance. The privacy program has a strategic roadmap that predicts future needs and challenges while remaining flexible enough to adapt to unexpected developments.

Understanding of Data Privacy

Privacy may be considered a key differentiator for the organization in the marketplace, and senior leadership is aware of and involved in the organization’s compliance posture. Privacy is prioritized in every department involved in the processing of personal data.

The 16 Privacy Program Elements

The following 16 elements constitute the major aspects of a mature data privacy program. In highly regulated or highly unique industries or spaces, there may be additional requirements not covered by this list, but the average business should find most aspects of compliance operations well represented by this list.

In the following chapters, this guide will break down each of the 16 elements listed above. 

In the Notes section, you’ll find brief descriptions of the given privacy element in its more immature or more mature stages as well as any important unique factors to consider.

In the section titled Recommended Next Steps, you’ll find specific actions you can take to increase the maturity of the given element.

As you review each element, you can mark down your estimated maturity level for the given element and track the points associated with each maturity level (e.g., Level 1 yields one point, Level 2 yields two points, and so on). You can also follow along using the Osano Privacy Maturity Model Scorecard, which allows you to mark down your score for each element and determine your overall maturity score.

Schedule a demo of Osano today
Next Chapter

Notices