Data privacy maturity model in organisations
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
January 11, 2021
As a stakeholder, do you know your organisation’s privacy maturity model? If not, this article is for you. In simple terms, I explain what an organisation’s privacy maturity model stands for, the various features, and how it can help any organisation with their data privacy management schemes.
Whether they know it or not, various companies are at different points in their data protection schemes as highlighted in the American Institute of Certified Public Accountants (AICPA) privacy maturity model. Privacy Maturity Models (PMM) help companies measure their privacy programmes against established benchmarks.
For example, a Nigerian bank would want to know if their privacy approaches meet the European General Data Protection Regulation standards and if their payment models meet the Payment Card Industry Data Security Standard (PCI DSS). Measuring their processes against these benchmarks helps engender customer trust, protect the bank’s reputation and boost their brand name.
The PMM requires that companies pay attention to some key elements: that they consistently track their company's privacy compliance journey and progress in a way that strengthens the organisation, and that they pay particular attention to the areas that further strengthen the security of their information assets, for example encryption, multi-factor authentication and Role-Based Access Control (RBAC), to mention just those three.
Your organisation's personal information privacy practices will fall into various levels, depending on legislative requirements, corporate policies or the organisation's privacy goals. AICPA argues that not all privacy goals need to reach the highest level of the maturity model. However, your company must know its current position and decide whether it needs to advance a privacy goal or leave it as-is.
There are five privacy maturity models any organisation can fall into. First is the ad hoc privacy maturity model, which presents informal, incomplete procedures and processes, most likely inconsistently applied across the organisation. I dare say that many Nigerian institutions' privacy models fall within this bracket, mainly due to the lackadaisical approach of stakeholders towards data protection.
The second privacy maturity model is what is called the repeatable maturity model. With this type of model, procedures and processes exist; however, they are not fully documented and do not cover the benchmarks’ relevant aspects. Usually, most companies that have already carried out the first step in their data privacy journeys fall within this spectrum.
The third model is the defined model where the company documents and implements its processes and covers all relevant aspects. It is safe to say that these kinds of companies prioritise data protection and do many things to ensure that their processes match the company’s policies and the required benchmarks. Such companies have policies, people and technology in place at the minimum.
The fourth is the managed privacy maturity model, where reviews are conducted to assess the effectiveness of the controls in place. After creating a data privacy framework, the managed privacy maturity model adds a consistent audit mechanism to guarantee that the existing data privacy schemes help detect, avoid and prevent data breaches.
The fifth model is the optimised maturity model, where regular review and feedback methodologies enable continuous improvement towards optimising the given data protection schemes in the business process. Most big institutions—those that understand the bigger picture of data protection and the return on investment it brings to their company—use the optimised privacy model.
To get started with the privacy maturity model, ensure that your organisation has an existing privacy function or at least some privacy programme components. Without this in place, locating the appropriate privacy maturity model for your organisation becomes futile.
With these maturity models, company stakeholders can have a clear picture of their company's privacy strategy and determine whether their current position meets the benchmarks they are trying to portray to their customers and shareholders, or whether it meets the overall privacy initiative. Every Nigerian institution—large, medium or small—must define its current privacy maturity model to know where it stands and