Privacy Maturity Models

Maybe you have noticed it. Privacy is an issue. A bit strange since there are only 5 days left until the new EU General Data Protection Regulation (GDPR) will become fully enforceable throughout the European Union.

So before end of May 2018 all organizations that process data of EU citizens must comply with this General Data Protection Regulation. Determining how to design and improve your systems to meet the GDPR is not straightforward. Since security and privacy should be approached as a process you should use some kind of maturity model. This to e.g. benchmark the quality and effectiveness of your privacy and security organisation. But using a good maturity model for security and privacy has also the benefit to make sure you meet important GDPR requirements.

Common levels you will find in every maturity models are:

  1. Ad hoc: You have some procedures or processes. But these are mostly informal, incomplete and not consistently applied.
  2. Repeatable: You have procedures and processes documented. However not all procedures and processes are not fully documented and do not cover all security and privacy aspects needed.
  3. Defined: Procedures and processes are fully documented and cover all relevant aspects.
  4. Managed: Reviews are conducted to assess the effectiveness of the controls for security and privacy in place.
  5. Optimized:  Regular reviews and feedback are used for continuous improvements and optimization of all security and privacy processes.

A good maturity model can provide:

  • Insights in the status of privacy & security initiatives
  • A comparison with comparable companies.
  • Insight for analysis for management and external auditors

Most of the time security maturity models are not combined with privacy maturity models.  But security and privacy are interrelated. Without security there is no privacy! Never. Privacy has many relations with security. Many problems are similar. From an architecture perspective solution building blocks for security and privacy have a large overlap or are similar.

But security is a bit more mature than privacy. Outlining security views for an architecture document is for serious organisations always a must have. But privacy aspects are seldom seriously integrated into architectures and designs. It took decades and a billion dollars (or euros) campaigns before security aspects were taken more seriously into account. And yet security is still difficult due the fact that doing it right gives no direct business value. Doing it wrong always means a true disaster for your business. And he same goes for privacy.

So a valid question is:

Will the new GDPR help to raise the awareness to incorporate privacy aspects into solution architectures?

Mature open maturity models for privacy are rare. With open we mean that the maturity model is published using e.g. a Creative Commons License to share it, so it can be used and improved by everyone. Maturity models with security and privacy aspects combined are even more rare.

Some good open privacy maturity frameworks and tools to use directly or adjust are:


This blog post will be added (after rewrite) as an extension on the ‘Open Reference Architecture for Security and Privacy‘. We are working on an renewed version. Please join us!