docs(tpsc): add GDPR Maturity Model reference page

Full reference for the 7-level CNIL/IAPP CMMI-aligned scale used in TPSC:
source frameworks, per-level descriptions, suitability guidance, key GDPR
concepts (DPA, SCCs, adequacy, BCRs, Art.9), assignment decision tree,
and authoritative references.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 00:19:07 +01:00
parent 60beb1ff35
commit 9155d13887
2 changed files with 177 additions and 0 deletions


@@ -90,6 +90,7 @@ export default {
{ name: "SCOPE.md", path: "/docs/scope" },
{ name: "Tasks", path: "/docs/tasks" },
{ name: "TPSC", path: "/docs/tpsc" },
{ name: "TPSC — GDPR Maturity", path: "/docs/gdpr-maturity" },
{ name: "Technical Debt", path: "/docs/debt" },
{ name: "Todo", path: "/docs/todo" },
{ name: "Workstream Health", path: "/docs/workstream-health-index" },
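Review bot: the new entry's path `/docs/gdpr-maturity` drops the `tpsc` prefix that its display name `TPSC — GDPR Maturity` and the commit scope `docs(tpsc)` both attach to it, so the route does not sit under `/docs/tpsc` like the page it extends; consider `/docs/tpsc/gdpr-maturity` (or a sub-path scheme consistent with the other entries) or drop the `TPSC —` prefix from the name. The em-dash in the name is also the only non-ASCII character in this list; if the nav component sorts or matches on names, prefer a plain hyphen for consistency with the neighbouring entries.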


@@ -0,0 +1,176 @@
---
title: GDPR Maturity Model
---
# GDPR Maturity Model
The Custodian TPSC uses a seven-level maturity scale to rate the GDPR
compliance posture of third-party services. It is adapted from the
**CNIL / IAPP CMMI Privacy Maturity Model** for the specific purpose of
assessing external service providers rather than internal programmes.
---
## Foundations
### Source frameworks
| Framework | Authority | Levels |
|---|---|---|
| [CNIL Data Protection Maturity Model](https://iapp.org/news/b/cnil-publishes-data-protection-management-maturity-model) | French data protection authority (CNIL) | 5 (Initial → Optimized) |
| [IAPP Privacy Program Maturity Model](https://iapp.org/news/a/achieving-privacy-excellence-understanding-the-privacy-maturity-model) | International Association of Privacy Professionals | 5 (Ad Hoc → Optimized) |
| [ISO/IEC 27701:2025](https://www.iso.org/standard/27701) | ISO / IEC | Implementation tiers |
| [CMMI (Capability Maturity Model Integration)](https://cmmiinstitute.com) | CMMI Institute | 5 (Initial → Optimizing) |
Both CNIL and IAPP align on the same semantic progression: **Initial →
Repeatable → Defined → Managed → Optimized**, directly mapping to CMMI levels
15. The Custodian scale extends this with two pre-maturity states
(`unknown`, `non_compliant`) that have no CMMI equivalent but are essential
when assessing third parties with no published compliance posture.
---
## The Scale
### Level 0 — `unknown`
> No information is available about the service's GDPR compliance posture.
- No privacy policy, no ToS that addresses data processing, or the service has not been assessed yet.
- **Dashboard:** 🔴 Warning
- **Implication:** Cannot be used for any processing of personal data in a regulated environment. Treat as non-compliant until assessed.
- **CMMI equivalent:** None (pre-maturity)
---
### Level 1 — `non_compliant`
> The service has known GDPR compliance deficiencies with no indication of remediation.
- May include: data transfers to non-adequate third countries without safeguards, no privacy policy, confirmed regulatory findings, or explicit statements that GDPR does not apply.
- **Dashboard:** 🔴 Warning
- **Implication:** Must not be used for personal data processing in any EU/EEA context. Legal risk exists even for development use if real personal data is involved.
- **CMMI equivalent:** Below Level 1
---
### Level 2 — `initial`
> A basic privacy policy exists. Compliance approach is ad hoc and reactive.
- Some documentation exists but it is incomplete or generic. No formal Data Processing Agreement (DPA) is offered. Data processing practices may not be clearly defined.
- **Dashboard:** 🟠 Warning
- **Implication:** Suitable for development and prototyping with synthetic or anonymised data only. Not suitable for production processing of personal data without additional controls.
- **CMMI equivalent:** Level 1 — Initial
---
### Level 3 — `developing`
> DPA is available. Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place for EU→non-EU transfers.
- The service acknowledges GDPR obligations. A DPA can be signed (even if not mandatory for all tiers). Data processing regions are documented. Some controls exist but the compliance programme is not fully formalised.
- **Dashboard:** 🟡 Caution
- **Implication:** Acceptable for routine processing of personal data when a DPA has been signed. Verify transfer mechanisms and data residency before use with sensitive categories. Suitable for most B2B use cases.
- **CMMI equivalent:** Level 2 — Managed / Repeatable
---
### Level 4 — `defined`
> Formal DPA, documented SCCs or adequacy decision, clearly published data retention policy, and defined data processing practices.
- The compliance programme is documented and consistent. Data subjects' rights are implemented. Sub-processor lists are published. Processing purposes are limited and documented.
- **Dashboard:** 🟢 Compliant
- **Implication:** Suitable for general production use including personal data. Appropriate for most corporate and SME environments. Review sub-processor list for any domain-specific restrictions.
- **CMMI equivalent:** Level 3 — Defined
---
### Level 5 — `managed`
> Independently audited compliance. Quantified metrics, continuous improvement processes, and regular attestation published.
- Third-party audits (e.g. SOC 2 Type II with privacy controls, penetration testing reports, annual compliance attestations) are available. Privacy metrics are tracked and acted upon. Incident response procedures are tested.
- **Dashboard:** 🟢 Compliant
- **Implication:** Suitable for processing sensitive categories of personal data (Art. 9 GDPR). Suitable for regulated industries (healthcare, finance) subject to additional sectoral review.
- **CMMI equivalent:** Level 4 — Quantitatively Managed
---
### Level 6 — `certified`
> Formal independent certification against a recognised privacy standard.
- Examples: ISO/IEC 27701 (Privacy Information Management System), BSI C5 (for cloud services), SOC 2 Type II with GDPR-specific controls. Certification is current and scope covers the relevant services.
- **Dashboard:** 🟢 Compliant
- **Implication:** Highest available assurance. Suitable for processing of sensitive personal data at scale, public-sector use, and regulated environments with strict vendor requirements (DSGVO-compliant procurement, NHS DSPT, etc.).
- **CMMI equivalent:** Level 5 — Optimizing
---
## Summary Table
| Level | Code | Label | GDPR Warning | CMMI | Suitable for personal data? |
|---|---|---|---|---|---|
| 0 | `unknown` | Unknown | ✅ Yes | — | ❌ No |
| 1 | `non_compliant` | Non-Compliant | ✅ Yes | — | ❌ No |
| 2 | `initial` | Initial | ✅ Yes | L1 | ⚠ Synthetic/anonymised only |
| 3 | `developing` | Developing | — | L2 | ✅ With signed DPA |
| 4 | `defined` | Defined | — | L3 | ✅ General use |
| 5 | `managed` | Managed | — | L4 | ✅ Sensitive categories |
| 6 | `certified` | Certified | — | L5 | ✅ Regulated environments |
**GDPR warnings** are raised by the dashboard and `get_gdpr_report()` for any service at level 02 (`unknown`, `non_compliant`, `initial`).
---
## Key GDPR Concepts Referenced
**DPA (Data Processing Agreement)** — A contract required by GDPR Art. 28 when a controller engages a processor. The DPA defines the subject-matter, duration, nature and purpose of processing, and the obligations of both parties.
**SCCs (Standard Contractual Clauses)** — Commission-approved contract clauses enabling lawful transfer of personal data from the EU/EEA to third countries without an adequacy decision. Updated SCCs published June 2021 (implementing decisions 2021/914 and 2021/915).
**Adequacy Decision** — A European Commission finding that a third country provides an essentially equivalent level of data protection (e.g. UK GDPR, Japan, Canada PIPEDA). Transfers to adequate countries do not require additional safeguards.
**BCRs (Binding Corporate Rules)** — Internal rules allowing multinationals to transfer personal data within their group across borders. Approved by a lead supervisory authority.
**Sensitive Categories (Art. 9)** — Health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation. Require explicit consent or other specific legal basis.
---
## Assigning a Maturity Level
When adding a new service to `canon/tpsc/`, follow this decision process:
```
Is a privacy policy published?
No → unknown or non_compliant
Is a DPA available (even on request)?
No → initial
Yes → developing (minimum)
Are SCCs or adequacy mechanisms documented?
No → developing
Yes, and retention policy published → defined
Are independent audit reports published (SOC 2 Type II, etc.)?
Yes → managed
Is an ISO 27701 or equivalent certification current?
Yes → certified
```
When uncertain between two levels, assign the **lower** level. Err on the side of caution.
---
## References
- CNIL: [Le modèle de maturité de la protection des données](https://www.cnil.fr/fr/le-modele-de-maturite-de-la-protection-des-donnees)
- IAPP: [Achieving privacy excellence — understanding the privacy maturity model](https://iapp.org/news/a/achieving-privacy-excellence-understanding-the-privacy-maturity-model)
- ISO/IEC 27701:2025: [Privacy information management — Requirements and guidelines](https://www.iso.org/standard/27701)
- European Commission SCCs (2021): [Implementing Decision 2021/914](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914)
- EDPB Guidelines on SCCs: [Guidelines 04/2021](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042021-standard-contractual-clauses_en)
- CMMI Institute: [CMMI Model Overview](https://cmmiinstitute.com/cmmi)
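Review bot: the decision tree under `## Assigning a Maturity Level` contradicts the Level 3 definition and leaves one branch without a result. Level 3 `developing` is defined by "Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place", yet the tree assigns `developing` when SCCs are not documented ("No → developing"), and the line "Yes, and retention policy published → defined" has no counterpart for "Yes, but no retention policy published", so that case gets no level at all; the first question likewise yields "unknown or non_compliant" without saying which (the Level 1 text suggests confirmed deficiencies → `non_compliant`, otherwise `unknown`). Either move the SCC requirement from the Level 3 blockquote to Level 4 or add the missing branches so the tree and the level definitions agree. Two ranges have also lost their dash: "directly mapping to CMMI levels 15" should read "levels 1–5", and "any service at level 02" should read "level 0–2", matching the parenthetical `(unknown, non_compliant, initial)` that follows it.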