POPIA maturity assessment

Expert POPIA compliance services

Rapid and cost-effective access to expert skills in personal information privacy management, supporting POPIA compliance efforts with tailored support and expertise.

What is a data privacy maturity assessment?

A privacy maturity level indicates how capable an organisation is at handling everything related to privacy legislation such as POPIA. This includes processes, procedures, policies, awareness training, continuous improvement, reporting etc.

The best-known maturity model is the Capability Maturity Model Integration (CMMI). It has been applied to several different sectors such as marketing, sales, finance and human resources, with organisations ending up at one of five maturity levels:

5. Maturity level 5 – Optimising: Stable and flexible. The organisation is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organisation’s stability provides a platform for agility and innovation.

4. Maturity level 4 – Quantitatively managed: Measured and controlled. The organisation is data-driven, with quantitative performance improvement objectives that are predictable and aligned to meet the needs of internal and external stakeholders.

3. Maturity level 3 – Defined: Proactive, rather than reactive. Organisation-wide standards provide guidance across projects, programmes and portfolios.

2. Maturity level 2 – Managed: Measured and controlled. Projects are planned, performed, measured and controlled.

1. Maturity level 1 – Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget.

How does the free privacy maturity assessment work?

An organisation’s overall maturity level is the aggregate of the maturity levels of several subdomains, and privacy is no exception. We based our privacy maturity assessment on the model suggested by the Commission Nationale Informatique & Libertés (CNIL).

CNIL defines eight subdomains within privacy, each of which is rated at a maturity level from 1 to 5:

  • Defining and implementing personal information protection procedures
  • Personal information protection governance
  • Maintaining the records of processing activities
  • Ensuring personal information processing activities are compliant with POPIA
  • Educating and raising awareness
  • Handling data subject requests
  • Managing security risks
  • Managing incidents & breaches
Once you know the maturity level for each of these subdomains, the aggregate score becomes your organisation’s POPIA maturity level.

Why is a privacy maturity assessment useful?

Purpose

The goal of the privacy maturity level is to give organisations clear instructions for improving their execution of, and compliance with, POPIA.

Action Plan

Not every organisation needs, or should aspire to, the highest maturity level. The maturity model allows organisations to set short- and long-term goals, as well as high-level action plans, tailored to their specific situation.

Conflict of interest

It also proves to be a great way to report to leadership the value of departments that typically have little direct impact on company performance, e.g. compliance, legal, IT and risk.