Privacy Program Maturity Model

The Osano Privacy Program Maturity Model

Written by Osano Staff | Sep 24, 2024 1:07:30 PM

Building a Privacy Program

Building a privacy program can be hard. But, maintaining and maturing one to meet evolving regulations, support operational challenges, and withstand external events can make it feel impossible. To make this task more approachable, it’s essential to understand where you stand today and what you need to accomplish tomorrow to take your program to the next level.

We developed the Osano Privacy Program Maturity Model to serve as a framework and guide for privacy professionals seeking to better understand and benchmark their privacy program and its growth trajectory. We consulted with privacy experts, reviewed the current state of privacy program literature, and analyzed the regulatory and operational landscape that privacy programs exist within. As a result, this model formalizes a spectrum of knowledge and insight into what makes a privacy program effective. In the ensuing sections, you'll learn:

  • How to use this model to guide your privacy program's operations
  • What the different levels of privacy program maturity are
  • Which elements are essential for a holistic privacy program and
  • How you can make the most use of your time and resources as a privacy professional in the endeavor of maturing a privacy program.

How to Use This Maturity Model

You do not have to be mature to be compliant:

This maturity model is meant to help you understand how effective your organization is at operationalizing compliance. It does not measure compliance per se; what actually constitutes “compliance” will vary depending on your governing law, industry, unique organizational factors, and jurisdiction. It’s possible that you could be perfectly compliant with a given law but score quite low on this model. That would indicate that you’re operating inefficiently and are at risk of expending too many resources and potentially falling out of compliance in the future. Scoring high on this model indicates that your privacy program is sustainable, flexible, and using its resources effectively—not that it is compliant with this or that law.

Growing and scaling your privacy program is a journey:

While privacy maturity models can be used to help identify potential compliance gaps, they primarily highlight operational challenges that limit efficiency or reduce effectiveness. Quick wins like moving from a spreadsheet maintained by a single person to a centralized tool can help scale, streamline, and automate—and lessen the risk of a single point of failure.

You do not have to obtain the highest level of maturity to be successful:

Depending on your risk, you may choose to prioritize specific criteria to make incremental progress as time and resourcing permit. You may choose to accept a lower level of maturity in some areas that generate less risk for your organization and strive for a higher level of maturity in areas that present increased risk or operational challenges. Your privacy program should be tailored to meet your needs.

Structure

By using this maturity model, you can generate an overall privacy score for your privacy program that represents its maturity. This model identifies 16 key elements of a privacy program that represent discrete aspects of a privacy program, such as governance and accountability, privacy incident and breach response, subject rights request management, and more. By scoring these elements on a scale from one (least mature) to five (most mature), you’ll attain an overall score that represents your privacy program maturity.

For example, your organization may not have any kind of data inventory in place. In that case, you would evaluate the privacy element, Data Inventory and/or Record of Processing Activities as reactive (or Maturity Level One).

With effort, perhaps you establish your first data inventory but have no real plan for when you’ll conduct this exercise again or how to improve the process. In that case, you might re-score the privacy element Data Inventory and/or Record of Processing Activities as provisional (or Maturity Level Two).

Scoring Methodology

By working through the 16 privacy program elements listed in this model and considering which of the five levels best represents the given element’s maturity level, you can calculate an overall privacy program maturity score. Each maturity level is assigned a corresponding number of points—e.g., Level One, or reactive maturity, is worth one point, while Level Five, or proactive maturity, is worth five.

In the example above, you may have scored the Data Inventory and/or Record of Processing Activities element with either one or two points depending on whether you considered it to be at Maturity Level One or Maturity Level Two, respectively. Then, you would proceed to the next element in this eBook (Privacy Impact Assessments), assign it the maturity level that is appropriate to your organization, and score it accordingly. At the end of the exercise, you’ll have a score between 16 and 80, which can be used to assess your overall privacy program’s maturity.

The score totals correspond to different levels of overall maturity, as follows:

  • Level One: Reactive Maturity (16 - 31 points)
  • Level Two: Provisional Maturity (32 - 47 points)
  • Level Three: Formalized Maturity (48 - 63 points)
  • Level Four: Monitored Maturity (64 - 79 points)
  • Level Five: Proactive Maturity (80 points)

You’ll notice that the highest level of privacy program maturity is only achievable through a perfect score in this model; this is intentional. Privacy programs, by their very nature, are never “finished”—compliance and privacy protection are ongoing activities, and there is almost always room for improvement. This scoring methodology reflects that reality.

It’s important to note that using this scoring system might yield a relatively high maturity level while your privacy program still has significant gaps. For example, if you score highly on most privacy program elements but very low on one or two elements, the scores could balance out to a relatively mature level. This can cause you to mistakenly believe your privacy program is acceptably mature when it, in fact, has some serious gaps that must be addressed.

That’s why it’s best to think of this scoring methodology as a general framework to guide your privacy program’s development. The specific gaps and weaknesses you identify during the evaluation process should be considered weightier than the ultimate score.
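The following scorecard is an added example, not Osano's own scorecard or code. It applies the scoring methodology above (16 elements, one to five points each, total mapped to the five bands) and also surfaces the masking problem just described: it lists every element scored at or below a gap threshold so that a few weak elements are not hidden by a high total. The threshold of two points, the eleven "Placeholder Element" names, and the sample scores are assumptions; only the five element names taken from the text are from the page.

```python
"""Scorecard for the Osano-style maturity scoring: total, band, and flagged gaps.

Added illustration; element names beyond those mentioned on the page are
placeholders, and the sample scores are constructed.
"""

ELEMENT_COUNT = 16
MIN_SCORE, MAX_SCORE = 1, 5

# Score bands exactly as stated on the page (inclusive ranges).
MATURITY_BANDS = (
    (16, 31, "Level One: Reactive"),
    (32, 47, "Level Two: Provisional"),
    (48, 63, "Level Three: Formalized"),
    (64, 79, "Level Four: Monitored"),
    (80, 80, "Level Five: Proactive"),
)


def overall_level(total: int) -> str:
    """Map a total score (16..80) to its overall maturity band."""
    for low, high, name in MATURITY_BANDS:
        if low <= total <= high:
            return name
    raise ValueError(
        f"total {total} is outside the valid range "
        f"{ELEMENT_COUNT}..{ELEMENT_COUNT * MAX_SCORE}"
    )


def score_program(scores: dict[str, int], gap_threshold: int = 2) -> dict:
    """Validate per-element scores, compute the total and band, and flag gaps.

    gap_threshold (assumed value 2) marks any element still at the reactive or
    provisional level as a gap that the headline score must not be allowed to hide.
    """
    if len(scores) != ELEMENT_COUNT:
        raise ValueError(f"expected {ELEMENT_COUNT} elements, got {len(scores)}")
    for name, score in scores.items():
        if not isinstance(score, int) or not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"{name!r}: score must be an integer {MIN_SCORE}..{MAX_SCORE}")

    total = sum(scores.values())
    gaps = sorted(name for name, score in scores.items() if score <= gap_threshold)
    return {"total": total, "level": overall_level(total), "gaps": gaps}


# Constructed sample: fourteen elements scored 5, two scored 1. The total lands
# in the Monitored band even though two elements are still Reactive.
SAMPLE_SCORES = {
    "Governance and Accountability": 5,
    "Data Inventory and/or Record of Processing Activities": 1,
    "Privacy Impact Assessments": 1,
    "Privacy Incident and Breach Response": 5,
    "Subject Rights Request Management": 5,
    **{f"Placeholder Element {i}": 5 for i in range(6, ELEMENT_COUNT + 1)},
}

if __name__ == "__main__":
    result = score_program(SAMPLE_SCORES)
    print(f"Total: {result['total']} -> {result['level']}")
    for name in result["gaps"]:
        print(f"  gap: {name} (score {SAMPLE_SCORES[name]})")
```

Running the sample prints a Level Four total of 72 together with the two Level One elements, which is exactly the situation the text warns about: the gap list, not the band, should drive what you fix first.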


Benefits of the Model and Scoring Methodology

With this model and scoring methodology, organizations can:

  • Benchmark their existing privacy program.
  • Determine priorities when building a new program or developing an existing one.
  • Identify high-risk gaps.
  • Track privacy maturity over time.
  • Identify areas of investment.
  • Communicate priorities across teams and stakeholders.
  • Assess readiness to respond to evolving compliance needs.
  • And more.

One excellent use of this model is as part of departmental or company objectives and key results (OKRs). It could become an objective to improve the privacy program’s maturity and a key result to increase the program’s overall maturity from one level to the next over the course of a year or quarter, for example.

Finally, while this document was designed with privacy professionals in mind, it can also serve as a guide for non-privacy experts who need to learn what activities they should pursue to develop more mature data privacy practices at their organization. However, it is unlikely that an organization can attain the more mature levels in this model without a privacy professional, dedicated privacy solutions to support compliance needs, and/or trusted external partners.

In the ensuing sections, we’ll describe the overall privacy program maturity levels, the 16 key privacy program elements, as well as more targeted guidance on how to use these specific components of the model.


Privacy Program Maturity Levels

The following maturity levels can be applied to either the privacy program as a whole or to the individual privacy elements described later on in this document. Review these different levels and consider where your own privacy program and associated elements fall.

Level 1: Reactive

At this level, privacy-related activities are conducted in a reactive, one-off manner, perhaps in response to a breach, major headline, notice of noncompliance from authorities, or as a “band-aid” effort to comply with a new regulation.

Consistency and Standardization

There is no consistency or standardization in how privacy issues are addressed at this level; policies and procedures do not exist, so any repeatable processes are merely coincidental.

Resources, Roles, and Responsibilities

There are no dedicated resources or budget for privacy activities. Whenever the organization decides to pursue data privacy compliance, other departments—such as IT, Operations, Legal, and the like—carry out any requisite tasks.

Monitoring and Improvement

Compliance activities are only measured in terms of whether or not they’ve been completed, if at all. Their actual impact on the organization’s compliance posture is not considered; instead, they are treated as boxes to be checked off.

Compliance activities are often underprioritized, and other business initiatives take up the bandwidth needed to manage data privacy concerns. It’s difficult to gain the time and focus to attend to compliance; thus, improving compliance processes receives even less time and focus.

Understanding of Data Privacy

Compliance is thought of as something that can be solved, rather than a continuous process. The organization treats data privacy as an obstacle to be overcome or circumvented and then quickly forgotten.

Level 2: Provisional

At this level, there still isn’t a privacy program or formal privacy element, per se. However, some basic mechanisms for managing data privacy and compliance needs are in place.

Consistency and Standardization

A privacy program or element at the provisional level has some standardization and consistency, though it may not be formalized or defined in a detailed fashion. Procedures for managing data privacy exist but are not fully documented, comprehensive, or integrated into the organization’s operations.

Resources, Roles, and Responsibilities

There may not be a dedicated privacy professional at this maturity level. More likely, privacy and compliance are semi-permanent, ancillary responsibilities held by Legal, Operations, or other team members. If there is a privacy professional working on compliance, they do not, or are unable to, collaborate much with other stakeholders, which limits their efficacy.

Monitoring and Improvement

Program monitoring and measurement only occur in response to an issue or sudden development that brings privacy to the fore. Proactive monitoring does not take place. There may be plans to improve the privacy program or element, but it is unlikely such plans will be put into action. The program or element may be understood to be imperfect, but developing it further is perpetually unprioritized. A major privacy incident or new regulatory requirement may prompt change, however.

Understanding of Data Privacy

The privacy program or element is understood to be an important function in the organization, but it is still perceived as a blocker. Stakeholders accept that compliance matters but do not understand what it entails or why it matters.

Level 3: Formalized

At this level, a privacy program and/or the privacy element exists in the organization, and basic practices and procedures are well documented. This level is characterized by a greater degree of standardization than the previous levels.

Consistency and Standardization

The organization has a formal privacy program or element in place with defined policies, procedures, and standards that are integrated into the organization’s operations.

Resources, Roles, and Responsibilities

There are clear roles and responsibilities for privacy management. However, this is primarily restricted to privacy-dedicated personnel; other functions’ privacy responsibilities are not well understood.

Monitoring and Improvement

The privacy program or element is semi-regularly reviewed to ensure the organization is meeting compliance objectives. However, monitoring is not treated as a priority, the chosen metrics may be somewhat arbitrary, and reviews are not conducted frequently. The findings of reviews are typically not translated into improvement and adaptation. Improvements are typically triggered by new laws and developments in the organization’s privacy posture.

Understanding of Data Privacy

Data privacy is considered at the outset of new initiatives, but only at the prompting of data privacy personnel. Outside of the privacy function, privacy concerns are poorly understood. The organization’s privacy expert has the authority to request changes to secure the organization’s compliance.

Level 4: Monitored

An organization with a monitored privacy program or element is actively managing and assessing its privacy program or element. This level of maturity requires a degree of prioritization for privacy that is not present in the earlier levels.

Consistency and Standardization

Program policies and procedures are documented and applied consistently for the most part. When non-privacy personnel carry out compliance-related activities, however, they may do so in an inconsistent fashion. Generally, deviations from the standard procedure are intentional experiments meant to identify and plug gaps.

Resources, Roles, and Responsibilities

The program is adequately resourced, and there are enough privacy personnel to address the bulk of the organization’s compliance needs. Privacy management has a dedicated budget within the organization, and this budget is regularly reviewed to ensure the program has the resources it needs to be effective. Non-privacy personnel understand that they may need to consider compliance factors in the course of their work but are not fully consistent in doing so.

Monitoring and Improvement

Processes and procedures are reviewed to assess their efficacy and identify gaps. These reviews occur on a regular cadence, and their results are analyzed to determine how the program can achieve a multitude of outcomes, such as greater efficiency, compliance, speed, cost-effectiveness, and more.

Understanding of Data Privacy

The broader organization is regularly kept informed of and involved in data privacy issues. Senior management is particularly kept abreast of privacy-related activities, and data privacy may be a formal factor that contributes to the organization’s objectives and goals.

Level 5: Proactive

At the proactive level, the privacy program is a central part of the organization’s operations and strategic roadmap. Furthermore, the privacy program itself is highly strategic in how it contends with current and anticipated privacy compliance challenges.

Consistency and Standardization

The privacy program is fully integrated into the organization. Different teams understand compliance procedures and carry them out correspondingly, rarely, if ever, deviating from best practices.

Resources, Roles, and Responsibilities

The privacy program is resourced with adequate budget, staffing, and authority to carry out compliance activities and provide education and training on the broader organization’s compliance responsibilities.

Monitoring and Improvement

The program is continuously monitored to anticipate gaps and needs before they arise. The privacy program itself, regulatory landscape, and the organization’s operations are all carefully monitored to ensure optimal compliance. The privacy program has a strategic roadmap that predicts future needs and challenges while remaining flexible enough to adapt to unexpected developments.

Understanding of Data Privacy

Privacy may be considered a key differentiator for the organization in the marketplace, and senior leadership is aware of and involved in the organization’s compliance posture. Privacy is prioritized in every department involved in the processing of personal data.

The 16 Privacy Program Elements

The following 16 elements constitute the major aspects of a mature data privacy program. In highly regulated or highly unique industries or spaces, there may be additional requirements not covered by this list, but the average business should find most aspects of compliance operations well represented by this list.

In the following chapters, this guide will break down each of the 16 elements listed above. 

In the Notes section, you’ll find brief descriptions of the given privacy element in its more immature or more mature stages as well as any important unique factors to consider.

In the section titled Recommended Next Steps, you’ll find specific actions you can take to increase the maturity of the given element.

As you review each element, you can mark down your estimated maturity level for the given element and track the points associated with each maturity level (e.g., Level 1 yields one point, Level 2 yields two points, and so on). You can also follow along using the Osano Privacy Maturity Model Scorecard, which allows you to mark down your score for each element and determine your overall maturity score.