Previous article in series – Data Privacy: Standard Requirements
Maturity models are a recognized means by which organizations can measure their progress against established benchmarks. As such, they recognize that:
- Becoming compliant is a journey and progress along the way strengthens the organization, whether the organization has achieved all of the requirements or not
- In certain cases, such as security-focused maturity models, not every organization, or every security application, needs to be at the maximum for the organization to achieve an acceptable level of security
- Creation of values or benefits may be possible if they achieve a higher maturity level
The AICPA/CICA Privacy Maturity Model is based on GAPP and the Capability Maturity Model (CMM). The PMM uses five maturity levels as follows:
- Ad hoc: Procedures or processes are generally informal, incomplete, and inconsistently applied
- Repeatable: Procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects
- Defined: Procedures and processes are fully documented and implemented and cover all relevant aspects
- Managed: Reviews are conducted to assess the effectiveness of the controls in place
- Optimized: Regular review and feedback are used to ensure continuous improvement towards optimization of the given process
In developing the PMM, it was recognized that each organization’s personal information privacy practices may be at various levels, whether due to legislative requirements, corporate policies, or the status of the organization’s privacy initiatives. It was also recognized that, based on an organization’s approach to risk, not all privacy initiatives would need to reach the highest level on the maturity model.
Reference: https://iapp.org/media/pdf/resource_center/aicpa_cica_privacy_maturity_model_final-2011.pdf
Privacy-Level Agreements (PLAs)
The Cloud Security Alliance (CSA) has a document that provides a baseline for complying with various frameworks and legislative mandates concerning data privacy. The PLA provides a basis for communication between service provider and consumer where documentation exists related to how the provider protects the data. With clear and concise communication, the proper level of protection is understood and known, compliance with legislative requirements is maintained, and legal pitfalls related to lack of compliance can be avoided.
Next article in series – Data Privacy: Difference Between Data Owner/Controller and Data Custodian/Processor