France’s data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), released its “first reflections” on a privacy maturity self-assessment model Sept. 9, becoming the first European DPA to propose a privacy maturity model. This offers an occasion to introduce the concept of a maturity model to those who are not already familiar with it while taking a closer look at the CNIL’s release.

What is a maturity model?

Maturity models are assessment systems that allow organizations to evaluate their current state of progress in a given area. They originated a few decades ago in the field of quality management but are now used in a wide variety of domains such as software development, human resources, learning, marketing and cybersecurity.

The assessment usually takes the form of a matrix that, for a number of subject-specific criteria related to processes, products or people, describes what each criterion looks like at each of a set of predefined maturity levels (often five, sometimes more). Simply put, maturity models help organizations benchmark where they stand and where they want to go. As a former law practitioner, I heard about privacy maturity models for the first time when I became a privacy consultant.

Maturity models and privacy

The most famous transposition of maturity models to privacy is the one issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants in 2011, based on the AICPA’s Generally Accepted Privacy Principles. The model provides a description of each of the 73 GAPP criteria at their ad hoc, repeatable, defined, managed and optimized stages. Other privacy maturity models have emerged in recent years, developed by consulting firms or regulators and based on soft or hard law. Some organizations even develop their own in-house system.

When I first found out about maturity models, I was skeptical to say the least. They seemed needlessly complex and likely to induce excessive bureaucracy. To me, privacy compliance was something you simply did or did not have. I weirdly had not registered that legal memos did not make privacy magically happen on their own and that compliance was the result of a collection of processes and know-hows — in other words, a management matter.

Growing as a consultant, I became aware of all the activities that take place backstage of privacy compliance. Privacy teams (when they exist) cannot and should not be accountable for the countless data processing activities implemented by other business units. For organizations past a certain size or a certain degree of sensitivity, privacy compliance requires the support of defined, tailored privacy management principles infused at all levels and embedded in processes. Otherwise, moving beyond a reactive approach to privacy issues will turn out to be difficult, and we all know privacy is harder to implement after the fact than at an early stage. A 2018 study from Cisco showed that higher levels of privacy maturity are strongly correlated with shorter sales delays and a lower likelihood and impact of data breaches.

Embedding privacy into the organization’s DNA is also how, in the longer run, tensions between privacy requirements and other business needs will be alleviated. In that sense, privacy maturity models are an instruction manual on how to build a privacy culture within an organization.

Using privacy maturity models

Not all organizations need to reach maturity level 5 to achieve compliance. That is the beauty of it: privacy maturity models are scalable. First, maturity models can be used not only as an assessment mechanism, but as guidance and a way to cast light on specific issues. Moreover, based on their privacy risk tolerance and the resources they are willing to dedicate to privacy, organizations will determine their target level of maturity. Organization A might have different needs than organization B. Factors such as size, the nature and volume of processed personal data, types of customers, or location will obviously play a strong part in that determination. The targeted maturity profile can also vary for each criterion or group of criteria. For instance, an organization that processes very sensitive personal data but never receives any data subject requests might want to reach a security maturity level of 5 but an access maturity level of 2.

This also should not be interpreted as meaning compliance cannot be achieved without relying on a maturity model. An organization can unintentionally reach a high privacy maturity level, or even freestyle its way to compliance, with a purely legal approach that ignores management aspects of privacy and its nuanced needs. But absorbing changes will be harder, actions will tend to be corrective rather than preemptive, and unneeded efforts might be deployed in comparison with the organization’s risk profile.

It also should not be assumed that a high level of maturity necessarily equates to a high level of compliance. An organization’s processes might be perfectly defined and implemented, but final decisions on data processing activities might still favor business benefits over data protection and therefore constitute serious violations of privacy laws. European DPAs’ jurisprudence provides multiple striking examples of such situations.

The CNIL's maturity model

Maturity models are often issued by professional organizations, but DPAs are not unfamiliar with this approach. The government of New Zealand published a Privacy Maturity Assessment Framework. The Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia also took a similar approach in their “Getting Accountability Right with a Privacy Management Program” which, even though it does not call itself a maturity model, focuses on processes that enable an organization to build a “demonstrable capacity to comply, at a minimum, with applicable law.”

Although more condensed than its AICPA counterpart or the Canadian “Getting accountability right,” the CNIL maturity self-assessment will provide useful guidance to those looking for an introduction to privacy maturity models, and those who are already accustomed to this approach will be happy to see it endorsed by a prominent data protection authority.

The CNIL self-assessment provides a description of the five levels of maturity (ad hoc, repeatable, defined, managed and optimized) for the following eight items: define and implement privacy procedures; pilot privacy governance; maintain a data inventory; ensure legal compliance; provide training and awareness; handle data subject requests; manage security risks; and manage data breaches. For instance, for the data inventory item, maturity level 5 is reached when data inventories are used as a steering tool for privacy activities.

The CNIL explains that its maturity model can be used as a basis to build an action plan to reach the desired level of maturity but points out that this methodology does not aim at ensuring compliance. Instead, it is meant to create conditions favorable to the implementation of lasting privacy activities, in keeping with the EU General Data Protection Regulation’s accountability principle. Let’s hope these first reflections will expand into more detailed guidance (and that an English translation will be provided soon!).
