
THE GDPR MATURITY FRAMEWORK

A proven methodology for unlocking the power of personal data in order to build deeper digital trust in accordance with the GDPR

Privacy Culture
Data Privacy & Cyber Security: Covered
© 2019 All rights reserved. Privacy Culture Ltd.
INTRODUCTION

In May 2018 we saw the go-live of the most significant change to data protection laws in twenty years. Nearly every business and organisation that has personal data relating to living individuals within the European Union (that’s 32 countries or 0.5 billion people) has had to ensure compliance with this new General Data Protection Regulation, or ‘GDPR’.

This new law has also ramped up the power of the individual and, in doing so, has placed a significant data administration burden on every business and organisation that processes personal data.

These developments have seen the role of the Data Protection Officer (DPO) suddenly thrust into the limelight and having to answer tricky questions like “how and when will we be compliant with GDPR?”.

This white paper provides an overview of the GDPR Maturity Framework that helps a DPO, as well as the organisation, navigate through the complexities of data protection, privacy and security on a global basis.

Steve Wright
Privacy Culture

CONTENTS

2 EXECUTIVE SUMMARY
3 INTRODUCTION
4 WHAT’S AT STAKE
6 FIVE STEPS TO MATURITY
THE GDPR MATURITY FRAMEWORK:
8 Accountability
10 Rights
12 Cyber Security
14 Culture, Training & Awareness
16 Demonstrating Compliance
18 MEASURING MATURITY
20 PRIVACY CULTURE

EXECUTIVE SUMMARY

The major challenge with designing, implementing and complying with GDPR legislation is knowing what good looks like; how do you know when you’ve got there? What is best practice? And how do you know when you have reached the point of appropriate and proportionate risk-based controls, especially given competing business demands and ever-increasing privacy-expectant customers and clients?

Each organisation needs to know when good-enough or best practice is achieved and, crucially, where to draw the line and where to continue focusing effort, or how to maintain compliance once they have implemented GDPR requirements.

This GDPR Maturity Framework is a result of a collaboration between a team of highly experienced privacy and security professionals, lawyers and regulators. Directly stemming from this work comes a level of functionality that means any organisation–regardless of shape or size–can calculate what ‘good’ actually looks like.

You can now judge if you have arrived at that point, make meaningful comparisons against similarly sized companies, see how you rank against your peers, and, critically, you can work out how to achieve and maintain a strong defensible position following the five easy steps contained within the following GDPR Maturity Framework.

ABOUT THE AUTHOR

Steve Wright, Privacy Culture CEO, has over 25 years’ experience in privacy and cyber security and has a wealth of pragmatic and real-life experience of implementing GDPR. He has been DPO for two major organisations and recently held the position of interim DPO at the Bank of England.


General Data Protection Regulation (GDPR)

This Regulation was adopted in April 2016 and the two year transition period ended on 25 May 2018. It regulates the way in which all organisations can process personal data, how this can be used, the rights that customers, clients, supporters and employees now have in this new data protection landscape, as well as how such personal data must be protected and secured. Underpinning the Regulation are three important principles - transparency, accountability and control.

There are broadly three risks that we now recognise as the driving force for GDPR compliance...

THE IMMENSE BENEFITS OFFERED BY THE COLLECTION & UTILISATION OF DATA ARE MATCHED ONLY BY THE DANGERS OF BREACH, THEFT & ABUSE

01 Risk of Reputational Damage

The Talk-Talk mobile phone operator breach in 2015 is reported to have cost £60m to fix and the share price dropped 20% at the time of the announcement. Conservative estimates put the cost of the personal data breach in excess of £120m in lost revenue and the amount of money it cost to re-acquire lost customers who needed significant discounts in order to be enticed back.

Reputational damage can sometimes be so severe that it can kill a business. Not only that, businesses now face the wrath of the Regulators, who can make their data mishandling and data loss mistakes very costly.

02 Risk of Prosecution, Fines, Litigation and Class Action

Fines of between 2 and 4 percent of global turnover or €20m–whichever is the greater–can now be applied by any of the EU Regulators on the basis of being found non-compliant with GDPR or following a significant data breach / loss.

Every organisation that processes personal data must demonstrate and verify that it has complied with these higher standards. This can’t be left to luck or chance, so implementing a maturity framework will remove the guesswork from the equation.

To date, there have been a dozen such cases, with fines totalling £55m; albeit £50m was CNIL fining Google.

03 Risk of Damage to Businesses & Individuals

Under the GDPR, every EU citizen now has a deeper degree of control over their personal data, with a plethora of beefed-up personal data rights. Should an organisation fail to uphold these rights, or should it fail in its responsibility to safeguard the personal data, then the individual can now take legal action.

The Morrisons Supermarket data loss was the first such case, where 5,500 staff brought a claim for compensation. Morrisons were found to be ‘vicariously responsible’ by the High Court and Court of Appeal; although the UK’s fourth largest grocery chain was given leave to appeal to the Supreme Court.


I DON’T BELIEVE GDPR COMPLIANCE IS ALL ABOUT HAVING KNEE-DEEP LEGAL DOCUMENTATION WITH ALL THE i’S DOTTED AND t’S CROSSED... IT’S A WHOLE LOT MORE THAN THAT, BUT HOW AND WHEN DO WE KNOW WHAT ‘GOOD’ LOOKS LIKE? WHAT IS GOOD ENOUGH?

To answer this question, I have been working with a small team of privacy and legal experts to deliver the GDPR Maturity Framework you see before you. Such a framework should be used to ensure you know when you’ve done enough; when you have achieved ‘good-enough’. It can also be used to measure your organisation against other similar-sized organisations or similar industries.

This whitepaper will walk you through the five easy steps that make up the GDPR Maturity Framework. It’s based on 25 years of pragmatic and practical experience in designing and implementing cyber security and privacy control frameworks. It takes inputs from fellow in-house privacy professionals, DPOs, lawyers & CISOs and it gives what I think is a realistic approach on how to ensure you have done enough to remain compliant with GDPR.

Moving from a Defensible Position to a Satisfactory Position (or a Good Enough Position)

I first heard the term ‘Defensible Position’ from a well-known barrister a couple of years ago. He was explaining to me that in order to prepare for GDPR compliance, you have to think like the prosecution or a judge. They look for gaps in your story and try to expose any weaknesses–rather like a hacker would seek to break through your defences.

Over the last two years we have been busy documenting and testing the 12 domains that make up a defensible position, and, in doing so, have created best practice, also known as a ‘satisfactory position’.

The GDPR Maturity Framework encapsulates both the ‘defensible’ and ‘satisfactory positions’; it’s been tested across more than 30 complex environments, and more are being added all the time. It has proven to be broad enough for your Board to understand, yet comprehensive enough to test the very best auditors, professional service firms, law firms and, of course, the Regulator; although this is still yet to be fully tested.

THE 5 STEPS TO CREATING YOUR MATURITY FRAMEWORK
AS SIMPLE AS 1-2-3?

Accountability, Rights, Cyber Security, Demonstrating Compliance, and Culture, Training and Awareness

The guiding principle, and the first place we start on the road towards being in a ‘defensible position’, is of course Accountability. What does it mean, how can you ensure that your staff feel accountable and know how to be responsible? What instructions should we provide, or should we simply tell people to follow orders? Also, how can governance be effective without overloading an already busy agenda?

If Accountability is our collective responsibility, then how can we ensure that the Rights of individuals are upheld, especially when we have complex legacy data-holding systems that are old and unsupported?

Cyber Security is, and will continue to be, hard work and a constant battle. So how do we ensure that the most important red-line items are addressed in priority order, at the same time as keeping the good guys safe and the bad guys out?

Above all, if we are going to move towards a ‘satisfactory position’ or be able to Demonstrate Compliance with all these new procedures and new GDPR requirements, then it’s got to start with Training, Awareness and Cultural Change applied across your organisation. In other words, GDPR is only truly effective when you’ve changed the mindset and behaviour of your organisation. Your people need to think about personal data differently, act differently and, of course, continue to be your first line of defence.

Being ‘good enough’ is about adhering to best practices, and our GDPR Maturity Framework is a practical tool that allows you to be measured against these five guiding principles; read more about them in the following chapters.

The House that GDPR Built: It is possible to think of the Maturity Framework as a house built on foundations of Culture, Training and Awareness, and supported by the pillars of Rights, Security and Compliance; all under the protective roof of Accountability.


#01 ACCOUNTABILITY

ACCOUNTABILITY ISN’T ALWAYS the first word we think of when it comes to data privacy or data protection. We tend to think about accountability as being or feeling responsible for something or someone, say a process, people or even a system.

In relation to GDPR, specifically, we tend to frame ‘accountability’ in terms of protecting our data–e.g. cloud or data centres–and ensuring it remains confidential. This is not wrong, but accountability is broader than that; it’s about having a good understanding and knowledge of who is responsible for data, irrespective of whether it sits on systems, data storage or in the cloud. Accountability is all about ownership, responsibility and having strong governance in place.

For sure, we feel very strongly about certain things remaining private and we will defend the privacy of our home against invasion, and yet accountability under GDPR came into being for exactly these reasons. It wasn’t a dark cabal of Brussels bureaucrats who decided to wrap Europe in red tape. It was created to promote and provide protection for the fundamental human rights and is enshrined in the 1948 Human Rights Act.

Being accountable means that named individuals need to either assign responsibility to someone else or, at the very least, be able to justify why they have the data (Purpose), on what legal basis (e.g. Public Task, Legitimate Interest, Consent) they process the data, where it is all stored (end-to-end lifecycle), and how long the data will be retained for (Retention & Deletion).

Accountability should be very clearly laid out: not just to the individuals whose data is held, but also the public and members of staff should be able to access information about who is responsible for the data, how to make changes or exercise their rights to it, and understand if they themselves are in some way accountable. This is often captured in privacy notices under the heading ‘Transparency’, but it does not end there. Instead, every organisation–be they two men and a dog, or a multi-international firm–should know who the data owners are, where and how the data traverses their network, who has access to it and why, what controls are in place that are appropriate and proportionate to the risks, how long they intend to use the data, and of course, what they do with the data when it becomes redundant.

Accountability can be straightforward; however, in large complex organisations this takes significant work and commitment. As each department or business will have different data needs, they will also have differing ideas about what is ‘good enough’. This is where you need to work hard to demonstrate why having better, more informed metadata, and the legal basis for processing, enables you to deliver greater returns on the data collected in the first place.

Being able to understand this argument is one of the keys to unlocking difficult conversations with reluctant data owners who don’t like being held accountable. In these cases, a RACI matrix can help to ensure people understand who and what they are responsible for and why.

The RACI can also help focus thinking about operationalising the tasks of privacy–which, again, is misunderstood or ill-defined–and tends to cause problems for organisations that are solely focused on the implementation of GDPR and not necessarily how to manage data privacy and data protection.

ACCOUNTABILITY CHECKLIST

Desired State
☐ A documented governance structure with clear data ownership, and business owners named against every business process and data set in the organisation
☐ Detailed accountability, ownership, with roles and responsibilities for the different data owners, including data management and which processes utilise the data
☐ Formal evidence of where key decisions are made, especially where harm to an individual may be applicable or change to the level of privacy risk is unacceptable
☐ Ability to track actions and changes to the data landscape via the DPIA process and updated ROPA
☐ Data Privacy included on the organisation’s risk register
☐ GDPR compliance (control) framework, including how each control is being monitored and adhered to
☐ Data Protection Officer is in place, with appropriate support

Documents
☐ Data Protection Officer job description and contract
☐ Operational Procedures including ‘Nominated Data Owners’ and ‘Allocated Business Owners’
☐ RACI Matrix
☐ Transparency & Privacy Notice(s)
☐ Privacy Network–day to day responsibility for data within their Business Area


#02 RIGHTS

AS ‘DATA SUBJECTS’ within the EU, we are all entitled to eight fundamental GDPR Rights. However, only some of these rights are new. The new rules include the right to be informed, rights to access and rectification, rights regarding data portability, the right to object and–the really tricky one–rights in relation to automated decision making and profiling, where the potential for misuse or error is formidable.

Interestingly, many of the rights that appear new were already enshrined in our local data protection laws, but it took GDPR to realise and bolster them. In other words, the risk of flouting older laws was potentially worth it to some organisations, as the Regulator was pre-occupied with larger cases and any transgressions would have been punished with relatively minor fines.

Thankfully, it was only a small percentage of organisations that blatantly ignored the rules–most small businesses were simply unaware that they had such obligations. To be fair to them, all they knew was that when it came to the collection, storage and access to personal data, the main problems they faced were losing the data to the competition when their sales managers moved on, or if someone accidentally attached the wrong Excel file to an email. But, as we now know, that all changed under GDPR; the days of the Wild West data frontier were over. As we all wait, with bated breath, for the first organisation to be dragged over the coals, we’re all busy (or should be) ensuring that we can prove we have done everything in our power to protect the rights of our data subjects, and to sufficiently protect the integrity and accuracy of that data whilst it’s in our care.

What does this mean for our organisations? Why should we care? I support several schools on GDPR matters, and as a parent governor, I can tell you these rights are very useful to parents or carers that need access to previously unseen data about their little ones. Unfortunately, this level of access can have the negative side effect of teachers and carers not writing down crucial information for fear of litigation or blow-back. This is not exactly helpful to the school office team who work tirelessly and now have to cope with these legitimate requests. But rules are rules, and although this may seem cumbersome for a school, can you imagine what it feels like for a small, family-run business with 2-3 employees. It can sometimes feel like the good guys get penalised whilst the real outlaws continue to get away with it. The new rules mean that any organisation that collects and uses data about us–or our children, our staff or third parties–has an obligation to ensure they can enable the eight rights under GDPR.

Of these rights, the two that businesses should fear the most are the rights to erasure and those related to automated decision making and profiling. A legitimate request under these provisions could cripple a business that is operating within the law but whose database wasn’t designed with these additional commands in mind. Let’s also be honest here, the main problem is not the design of the database, but the sheer size and complexity of it all; after all, we’ve been harvesting data for 20 years unabated.

Now we face a plethora of rules and changes that require us to firstly authenticate the requestor (a new process for some), apply no charges for the request (apparently this was used as a way to deter those customers who were making ‘nuisance’ Subject Access Requests) and still fulfil all these requests within a strict timeframe or face the wrath of the ICO.

In summary, we have 30 days in which to respond to these requests, and to ensure we uphold individuals’ data subject rights. But don’t forget, this includes keeping an accurate record of when the request was made, by whom, what amendment was changed (e.g. still like to receive marketing preferences on one specific brand but not the others), and of course, we all have to keep a record of when and how we managed the data subject request–so, ironically, no one is ever truly ‘forgotten’!

This process isn’t rocket science but can be tricky to implement and will cause you untold trouble if you do not have clear, easy-to-understand instructions for your customers (or parents) on how to request their ‘right’. If you’re unsure, the ICO has some great reference material.

RIGHTS CHECKLIST

Desired State
☐ Data subject rights at the Organisation are supported by processes, procedures and the necessary technology to manage both personal data and data subject right requests. [Articles 15 - 23, 34 DPA 2018 15, Schedule 2,1 (9)]
☐ The organisation has remediated identified high risk items and ensured that transparent, easy to access policies are available to both customers and staff
☐ The Organisation relies on automated decision making or profiling only when appropriate
☐ Organisation staff are trained, and know how to recognise a subject access request and what to do with it.
☐ Organisation staff who process data subject rights requests have policy, processes and procedures in place to ensure processing without delay.
☐ Organisation systems are easily searchable, to identify where information is held.
☐ Organisation has policies in place to manage the creation and storage of information, so that it can be identified and retrieved.

Documents
☐ Documented Complaints Procedures
☐ Documented DSARs
☐ Documented Authentication Process and Compliance Monitoring


#03 CYBER SECURITY

THE MARRIOTT DATA BREACH is yet another example of poor data security where insufficient time and money has been spent on the most critical areas of data security and protection; so where does Cyber Security sit in the GDPR Maturity Framework?

Throughout my career, and like most CISOs and DPOs, I have always encouraged organisations to understand where their most critical data assets lie, and how they flow from point A to B. Furthermore, I’ve always ensured that, depending upon the risk and vulnerability level, appropriate and proportionate risk-based controls are applied.

This includes ensuring that every point of ingress, every device and, ideally, every person has the suitable level of access control relevant to the role they perform. Of course, it’s easy to blame the systems administrator, or the unsuspecting user who innocently clicked on the phishing link, but the tough questions need to challenge how they were using the data: where was the data stored and who had access to it? Why was the data needed in the first place and when was it used? And, of course, how do you keep checking that only the right people have access?

Only through answering these basic questions can you fully begin to appreciate how the data under your protection is being used: what technology or application is being used to deliver the functionality or services, what procedures sit behind the use, who needs access (and why) and, critically, where and when the data is most vulnerable? Remember that these vulnerabilities change throughout the data’s lifecycle.

Any decent risk assessment methodology will reveal what controls are needed and which controls will add the most value, but it doesn’t end there. A risk assessment and subsequent penetration tests will inform the senior management where to focus efforts and deploy their cyber security experts, but it takes time, experience and knowledge about how systems and processes work, the people involved and the organisation’s culture. This has to be complemented by an awareness as to how these exploits are carried out, how likely they are to happen and how likely they are to materialise.

Article 32 does mention CIA but it’s also one of the shortest Articles and, inevitably, it leaves room for interpretation; and consider that the majority of cyber security breaches, litigation actions and fines are prosecuted under Article 32. When looking at this Article in particular, we should always bear in mind the potential for reputational damage, a drop in share price and losing the confidence of your stakeholders, staff and customers.

So why such little detail for such a fundamental issue? I suspect that the EU looked at the size of the $150 billion cyber security industry and assumed that there is sufficient expertise in the market; why would we hang our hat on one particular model? After all, one size does not fit all and there is no silver bullet.

Setting your red lines

When it comes to the security of personal data, my personal approach is to ensure that the CISO or Cyber Security function have a set of minimum ‘red lines’. These red lines come in many forms, but experience tells me that if you ask for too much you get very little, so I make sure that minimum red lines are achievable and–essentially–measurable and risk-based.

And that’s not forgetting every organisation’s biggest weakness–people training and awareness around risks such as phishing, tailgating, and forced wearing of badges. However, whilst we are busy working on the legacy data, don’t forget to mandate that all new projects, changes and upgrades to existing systems, processes, channels and data collection points are all subject to the Data Protection by Design review. The DPIA should look at the project or solution and specify the ‘harm’ or ‘risk’ facing the individual or business should the appropriate privacy controls not be applied.

In many organisations, this relatively new process is still bedding down, so my advice is to at least ensure that you have defined your minimum red lines when it comes to data security and push your business and data owners to demand from Cyber Security how they are achieving these minimum best practices. On that note, please do not only rely on ISO27001 or other best practices to seek assurance that cyber security is working; instead challenge your team to prove to you how they are demonstrating compliance with your minimum rules.

In summary, the DPO and his/her team should be working hand-in-glove with Cyber Security (including Legal, Compliance, Risk and Internal Audit) to ensure that all the most appropriate risks and vulnerabilities are being adequately addressed, documented and managed. Whilst it might be tempting to leave Article 32 to the cyber security experts, I’m afraid you’ll be leaving yourself and the organisation potentially exposed unless you sit down with them and agree on those red lines.

CYBER SECURITY CHECKLIST

Desired State
☐ The organisation and its processors have implemented appropriate technical and organisational measures to ensure a level of cyber security appropriate to the risk to data subjects’ fundamental rights and freedoms. [Article 5 (1f), Article 32]
☐ The organisation has assurance that appropriate cyber security measures are in place to protect personal data
☐ The organisation protects personal data when it is transferred internationally
☐ The organisation has remediated identified organisation-wide/business area high risk or prioritised medium risk regarding cyber security, third parties and breach management
☐ Appropriate measures are in place to manage access groups to organisation information.
☐ Business areas are aware of the robustness of the systems they rely on.
☐ Business areas are running regular checks to ensure that personal data that they are responsible for is captured in an appropriate system with appropriate access controls.

Documents
☐ Documented Information Security Management System (ISO27001)
☐ Penetration Test including remediation results


#04 CULTURE, TRAINING & AWARENESS

CULTURE, TRAINING &


AWARENESS CHECKLIST

N
OW THAT YOU KNOW who owns the data, and you’ve put mechanisms in place to Desired State
capture rights requests and report data breaches, surely ensuring that the work- TOP TIP þþ The organisation has appropriate
force know what to do should be as easy as ‘one, two, three, eLearning’, right? Everyone loves free stuff.
data protection policies in place,
So, keep those vital awareness
and staff are adequately trained
messages in constant view
Wrong. Changing culture takes considerable time who have access to personal and company on them (and data protection in
by putting them on pens and
and effort, and the significance of this change proprietary data–really know what is required of general), appropriate to their role.
stationery, reusable coffee cups,
should not be underestimated. Anyone who has them. The only way to do this is to regularly test [Article 24 ]
or even mouse mats if people
spent time in the world of Cyber Security will know what you want them to know, make it very clear like them. Just not USB sticks– þþ Appropriate data protection,
that persuading senior leaders to take the topic to the accountable owners what any shortfalls in you need your CISO to records management and cyber
seriously is one thing, but, convincing them to lead knowledge will cost them and the business, and support you too! security policies are in place.
by example and drive secure behaviour through keep building on this. We’ll talk more about this in
their business operations whilst focusing on next week’s article on Demonstrating Compliance. þþ Senior Business Owner is
making a profit is quite another–but fundamentally responsible for the drafting and
this is what needs to be done. Empowering GDPR Champions approval and communication
Ideally, once you have your accountable owners of the policies, standards and
After all, you are asking everyone who works for, on board and on message, you will identify local guidance.
and on behalf of, the organisation to be able to data champions working across all areas of the
identify and report a data breach, and potentially business, focusing in particular on your high-risk þþ Mandatory data protection training
signpost customers, suppliers, and employees to areas to keep driving the messages home and programmes established for all
a rights request process. Both processes are time- testing that they work at the point of disruption. It organisation staff/contractors/
bound, and, in the case of the data breach is always advisable to regularly check-in with those consultants/secondees.
in particular, could have a significant impact on working at the heart of the business; do they fully þþ Mandatory records management
your organisation. understand exactly what it is they need to do? How training programmes established
would they best remember this information? Just for all organisation staff/
Getting The Message Across bear in mind that the answers may vary, depending
I’ve seen some fantastic, hard-hitting awareness contractors/consultants/
on where and how they work. secondees.
campaigns that have missed the mark because
middle management simply didn’t have the time Finally, don’t be afraid to ask for help from þþ Specialist data protection training
or, more importantly, were not tasked with making your internal communications and change for senior management, or those
privacy or cyber security a priority. Unfortunately, this management experts–these teams can be the accountable for data protection in
only becomes clear when an employee fails to spot a key to ensuring that your training and awareness the organisation.
data breach or simply doesn’t know what to do with it. programme aligns to, rather than conflicts with,
other company priorities; your programme should þþ The organisation runs regular
© 2019 All rights reserved. Privacy Culture Ltd.

I’m not saying that you shouldn’t introduce therefore be seen as an ongoing requirement, awareness campaigns.
company-wide eLearning, or run awareness rather than a one-off project. Documents
activities across every available channel to explain
rights, breaches, and cyber security essentials. Victoria Guilloit has over 20 years’ cross-sector þþ Records of training
But what is absolutely essential is that you use experience in the cyber security and privacy sectors. þþ Awareness campaign material
all channels in your organisation relevant to each She designs and operationalises processes and is an
audience and you make sure that the people expert in the field of Cultural Change. þþ Role-based training material
at the heart of the business–as well as those Vickie is our Awareness and Training Guru.



#05 DEMONSTRATING COMPLIANCE

What is compliance, why is it necessary and how can you achieve it?

Throughout the GDPR Articles risk is mentioned over 100 times. This is important because whenever you rely on risk to justify and mitigate or treat a risk, you then need to be able to demonstrate that a control or safeguard specified is working and operational; in other words, that it is compliant. Additionally, whether you like it or not, demonstrating compliance is now a statutory requirement for every DPO or organisation that processes personal data (Article 37).

This also plays into the Accountability and Transparency principles (Article 5), where it is critical to assign ownership and responsibilities, whilst communicating to your customers and staff why and how you are using their personal data. This is typically contained within the Privacy Notice, and usually hosted on an organisation's website. Such a document has to explain in clear and unambiguous language what, where, why, when and how contact can be made. This is crucial in demonstrating compliance and would be the first area where a regulator would initiate any investigations following a data complaint (Rights) or data breach (Cyber Security).

Accountability should promote and hold accountable how the data or risk owner is demonstrating that they are responsible. It is therefore critical to ensure you can show a regulator the internal ways of testing or validating that controls are being deployed effectively, that they have been tested and remain compliant with the laws and policies prescribed by your risk appetite.

Finally, compliance is necessary because we all need to be in a position that is defensible, should the regulator come in or should you find yourself unable to explain why certain risk-based decisions were made, and how they have been implemented or controlled (think audit) following a lawsuit or litigation case brought against you (think disgruntled employee or customer).

Compliance is another way of gaining peace of mind or providing assurance to your Board that the organisation is taking GDPR seriously and is complying with the law. There is no simple way to achieve compliance; it is often manual, although there are many, many tools now available that can help you achieve your compliance goals.

The compliance goals or objectives are where you should start; don't be tricked into buying a silver bullet. First, create a simple inventory of all your policy statements and legal provisions so you know what the differences are between 'must' and 'should', e.g. the control framework. Once you've completed this you'll have a better understanding of where the objectives will and can be met. Often, we tend to think only about IT-related controls, but there are many controls where people- or process-oriented goals can be measured and tested; it's worth thinking about these and gaining expert knowledge on them to see where they can feed into your control framework and be both measurable and demonstrable.

Compliance is a journey and, like any new framework or process, it takes time before it becomes second nature within an organisation. As with other global regulations, certifications and laws, the GDPR requires forms of testament that may or may not be applicable to your organisation, but you should have at least demonstrably considered why a provision is or isn't measured.

DEMONSTRATING COMPLIANCE CHECKLIST

Desired State
• The organisation has appropriate levels of accountability which are understood at all appropriate staff levels.
• Data processing meets the legislative standard of 'purpose limitation', 'data minimisation', and 'accuracy'. [Article 5]
• Personal data is processed by the organisation for no longer than is necessary for the purposes for which it was collected. [Article 5 (1e)]
• Current, accurate, relevant and communicated privacy and/or cookie notices for all business processes.
• The organisation's Record of Processing complies with GDPR regulations, and is comprehensive, accurate, current and accessible. [Article 30, Article 5 (2)]
• Data Protection by Design and Default is embedded into all organisation systems and processes that could have an impact on the fundamental rights and freedoms of data subjects. [Articles 25 and 35]
• There should be a documented procedure for managing privacy risks that applies across the organisation.
• The organisation and its processors have implemented appropriate technical and organisational measures to ensure a level of cyber security appropriate to the risk to data subjects' fundamental rights and freedoms. [Article 5 (1f), Article 32]
• The organisation has appropriate data protection policies and staff are adequately trained on them appropriate to their role.
• The organisation has appropriate contracts in place with data processors that guarantee to implement appropriate technical measures and that sub-processors are not used without written authorisation. [Articles 28 and 29]
• Data subject rights at the organisation are supported by processes and procedures put in place to manage both personal data and data subject right requests.
• Data breach management shall be carried out in accordance with the GDPR and DPA 2018 legislation. [Articles 33-34]

Documents
• Data Protection Officer job description and contract.
• Nominated Data Owners
• Allocated Business Owners
• Privacy Network–day to day responsibility for data within their Business Area



MEASURING MATURITY
Now let's look at what we mean by 'maturity' across the five areas of Accountability, Rights, Cyber Security, Training & Awareness and Demonstrating Compliance.

Policy, Standards & Guidance: Privacy & information security policies, standards & guidance are published & socialised, subject to training & where required, to dispensation with justification & plan to remediate.

Accountability: Defined and understood, Data Governance determined with RACI & DPO appointed.

Data Security & Integrity: IT Security providing basic controls across all systems in scope, with further data-specific improvements planned.

Third Parties: Justification and plan to address identified gap designed and underway, as well as plans to reduce impact to individuals.

Data Breach Management: Process updated to cater for 72 hours notification; plan to improve defined with identified gaps.

Consent: Re-permissioning, cookies known, new consent mechanisms in place - identification where consent is required and plan to remediate gaps, with justification for said gaps.

Data Subject Rights: Data subject rights catered for either manually or automatically. Known gaps planned and justified and plan for remediation of unknowns and reduce individual impact. Tracked & Actioned.

Culture, Training & Awareness: Employees able to obtain information reactively and proactively about key data privacy issues.

Privacy by Design: DPIA methodology identified and embedded in the business, improvements identified and planned for.

Records of Processing: Records of data processing activities and inventory of all data types.

Transparency: Current, relevant, accurate and up-to-date Privacy notices uploaded and plans in place to revisit and/or improvements planned.

Data Discovery: Data risk mapping completed with plans to identify critical data flows, including where and how vulnerabilities will be mitigated.

Each of these five areas incorporates aspects of the twelve sub-domains that we have used to measure and compare ourselves against; all bench-marked using data collected across differing organisations and businesses.

Essentially, the GDPR Maturity Framework is a set of GDPR questions, split across these twelve critical domains, and they have been developed utilising the UK regulator's ICO checklist, including Article 29 Working Party guidance, and EU EDPB notices, and all of the GDPR Articles and Recitals.

It is a practical interpretation of the GDPR text that takes into account the 'how' and 'why' a particular implementation or risk mitigation was selected.

It is not an audit framework, as the questions were developed in a way that would encourage the interviewee to be open and transparent in respect to their level of understanding, knowledge and accountability, and does not rely on substantive evidence.

The maturity scoring (0-5) is also subjective and is based on the responses to the questions. It is, however, a very good indicator as to how mature the procedures and documentation are that an organisation has in place, and can be used as a measure of GDPR maturity. The maturity rating has been developed using the internationally recognised Capability Maturity Matrix Integration (CMMI) developed by Carnegie Mellon University.

SCORING MATURITY
The following scores are applied to a respondent's answers to deliver an overall maturity score:

Optimal and independently verified     4.5-5
Managed controls and benchmarked       4-4.5
Managed controls but not benchmarked   3-3.5
Defined controls and fully implemented 2.5-3
Defined but not fully rolled-out       2-2.5
Repeatable controls                    1.5-2
Ad hoc but some controls               1-1.5
Initial but ad hoc                     0.5-1
Non existent                           0

Fully utilising 50 years of combined working experience in implementing GDPR and delivering cyber security programmes, we have defined, refined and consolidated best practice to help your organisation ensure it is in a defensible position.

We have built a repeatable GDPR Maturity Framework that allows an organisation of any size or structure to use the same five components to ensure a quality framework is in place and that this 'defensible position' can be measured in terms of its maturity.

Why not call us today and find out more about this revolutionary process and how it can be quickly and cost-effectively put to work in your business?

GDPR Maturity
Quick and easy assessment of your level of GDPR Maturity

Introducing Cultural Change
Bring your team up to scratch with in-house or classroom-based training

Operational Effectiveness
Ensuring processes and privacy practices are embedded efficiently and effectively

Consultancy Services
We provide architecture and governance models to help expedite and operationalise privacy

Privacy Culture
Data Privacy & Cyber Security: Covered.

PrivacyCulture was created out of a desire to bring a real-world, human approach to the data privacy and cyber security sector–an industry dominated by large, faceless legal entities and the Big Four consultancies. We pride ourselves on our ability to offer experienced, effective and personal solutions to businesses, departments and boards, regardless of size or sector.

We offer advice that is jargon-free, impartial and born out of decades of experience; we provide training that is based on hard-won knowledge; and we bring software solutions that are designed to be easy to use, comprehensive and measurable.

+44 (0)20 7112 9360
[email protected]
PrivacyCulture.com
Privacy Culture
PrivacyCulture.com

All rights reserved.


No part of this publication may be reproduced in any form by any electronic or mechanical means
(including photocopying, recording or information storage or retrieval) without permission in writing from the author.
Illustration MJGRAPHICS Design & Photography MISTEREB.COM
The GDPR Maturity Framework © 2019 Steve Wright
