From 9155d13887799d02f97c32ffb69392c478ac3daa Mon Sep 17 00:00:00 2001 From: tegwick Date: Fri, 20 Mar 2026 00:19:07 +0100 Subject: [PATCH] docs(tpsc): add GDPR Maturity Model reference page Full reference for the 7-level CNIL/IAPP CMMI-aligned scale used in TPSC: source frameworks, per-level descriptions, suitability guidance, key GDPR concepts (DPA, SCCs, adequacy, BCRs, Art.9), assignment decision tree, and authoritative references. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- dashboard/observablehq.config.js | 1 + dashboard/src/docs/gdpr-maturity.md | 176 ++++++++++++++++++++++++++++ 2 files changed, 177 insertions(+) create mode 100644 dashboard/src/docs/gdpr-maturity.md diff --git a/dashboard/observablehq.config.js b/dashboard/observablehq.config.js index c24dba8..3024fb6 100644 --- a/dashboard/observablehq.config.js +++ b/dashboard/observablehq.config.js @@ -90,6 +90,7 @@ export default { { name: "SCOPE.md", path: "/docs/scope" }, { name: "Tasks", path: "/docs/tasks" }, { name: "TPSC", path: "/docs/tpsc" }, + { name: "TPSC — GDPR Maturity", path: "/docs/gdpr-maturity" }, { name: "Technical Debt", path: "/docs/debt" }, { name: "Todo", path: "/docs/todo" }, { name: "Workstream Health", path: "/docs/workstream-health-index" }, diff --git a/dashboard/src/docs/gdpr-maturity.md b/dashboard/src/docs/gdpr-maturity.md new file mode 100644 index 0000000..4c88fdf --- /dev/null +++ b/dashboard/src/docs/gdpr-maturity.md 
@@ -0,0 +1,176 @@ +--- +title: GDPR Maturity Model +--- + +# GDPR Maturity Model + +The Custodian TPSC uses a seven-level maturity scale to rate the GDPR +compliance posture of third-party services. It is adapted from the +**CNIL / IAPP CMMI Privacy Maturity Model** for the specific purpose of +assessing external service providers rather than internal programmes. + +--- + +## Foundations + +### Source frameworks + +| Framework | Authority | Levels | +|---|---|---| +| [CNIL Data Protection Maturity Model](https://iapp.org/news/b/cnil-publishes-data-protection-management-maturity-model) | French data protection authority (CNIL) | 5 (Initial → Optimized) | +| [IAPP Privacy Program Maturity Model](https://iapp.org/news/a/achieving-privacy-excellence-understanding-the-privacy-maturity-model) | International Association of Privacy Professionals | 5 (Ad Hoc → Optimized) | +| [ISO/IEC 27701:2025](https://www.iso.org/standard/27701) | ISO / IEC | Implementation tiers | +| [CMMI (Capability Maturity Model Integration)](https://cmmiinstitute.com) | CMMI Institute | 5 (Initial → Optimizing) | + +Both CNIL and IAPP align on the same semantic progression: **Initial → +Repeatable → Defined → Managed → Optimized**, directly mapping to CMMI levels +1–5. The Custodian scale extends this with two pre-maturity states +(`unknown`, `non_compliant`) that have no CMMI equivalent but are essential +when assessing third parties with no published compliance posture. + +--- + +## The Scale + +### Level 0 — `unknown` + +> No information is available about the service's GDPR compliance posture. + +- No privacy policy, no ToS that addresses data processing, or the service has not been assessed yet. +- **Dashboard:** 🔴 Warning +- **Implication:** Cannot be used for any processing of personal data in a regulated environment. Treat as non-compliant until assessed. 
+- **CMMI equivalent:** None (pre-maturity) + +--- + +### Level 1 — `non_compliant` + +> The service has known GDPR compliance deficiencies with no indication of remediation. + +- May include: data transfers to non-adequate third countries without safeguards, no privacy policy, confirmed regulatory findings, or explicit statements that GDPR does not apply. +- **Dashboard:** 🔴 Warning +- **Implication:** Must not be used for personal data processing in any EU/EEA context. Legal risk exists even for development use if real personal data is involved. +- **CMMI equivalent:** Below Level 1 + +--- + +### Level 2 — `initial` + +> A basic privacy policy exists. Compliance approach is ad hoc and reactive. + +- Some documentation exists but it is incomplete or generic. No formal Data Processing Agreement (DPA) is offered. Data processing practices may not be clearly defined. +- **Dashboard:** 🟠 Warning +- **Implication:** Suitable for development and prototyping with synthetic or anonymised data only. Not suitable for production processing of personal data without additional controls. +- **CMMI equivalent:** Level 1 — Initial + +--- + +### Level 3 — `developing` + +> DPA is available. Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place for EU→non-EU transfers. + +- The service acknowledges GDPR obligations. A DPA can be signed (even if not mandatory for all tiers). Data processing regions are documented. Some controls exist but the compliance programme is not fully formalised. +- **Dashboard:** 🟡 Caution +- **Implication:** Acceptable for routine processing of personal data when a DPA has been signed. Verify transfer mechanisms and data residency before use with sensitive categories. Suitable for most B2B use cases. +- **CMMI equivalent:** Level 2 — Managed / Repeatable + +--- + +### Level 4 — `defined` + +> Formal DPA, documented SCCs or adequacy decision, clearly published data retention policy, and defined data processing practices. 
+ +- The compliance programme is documented and consistent. Data subjects' rights are implemented. Sub-processor lists are published. Processing purposes are limited and documented. +- **Dashboard:** 🟢 Compliant +- **Implication:** Suitable for general production use including personal data. Appropriate for most corporate and SME environments. Review sub-processor list for any domain-specific restrictions. +- **CMMI equivalent:** Level 3 — Defined + +--- + +### Level 5 — `managed` + +> Independently audited compliance. Quantified metrics, continuous improvement processes, and regular attestation published. + +- Third-party audits (e.g. SOC 2 Type II with privacy controls, penetration testing reports, annual compliance attestations) are available. Privacy metrics are tracked and acted upon. Incident response procedures are tested. +- **Dashboard:** 🟢 Compliant +- **Implication:** Suitable for processing sensitive categories of personal data (Art. 9 GDPR). Suitable for regulated industries (healthcare, finance) subject to additional sectoral review. +- **CMMI equivalent:** Level 4 — Quantitatively Managed + +--- + +### Level 6 — `certified` + +> Formal independent certification against a recognised privacy standard. + +- Examples: ISO/IEC 27701 (Privacy Information Management System), BSI C5 (for cloud services), SOC 2 Type II with GDPR-specific controls. Certification is current and scope covers the relevant services. +- **Dashboard:** 🟢 Compliant +- **Implication:** Highest available assurance. Suitable for processing of sensitive personal data at scale, public-sector use, and regulated environments with strict vendor requirements (DSGVO-compliant procurement, NHS DSPT, etc.). +- **CMMI equivalent:** Level 5 — Optimizing + +--- + +## Summary Table + +| Level | Code | Label | GDPR Warning | CMMI | Suitable for personal data? 
| +|---|---|---|---|---|---| +| 0 | `unknown` | Unknown | ✅ Yes | — | ❌ No | +| 1 | `non_compliant` | Non-Compliant | ✅ Yes | — | ❌ No | +| 2 | `initial` | Initial | ✅ Yes | L1 | ⚠ Synthetic/anonymised only | +| 3 | `developing` | Developing | — | L2 | ✅ With signed DPA | +| 4 | `defined` | Defined | — | L3 | ✅ General use | +| 5 | `managed` | Managed | — | L4 | ✅ Sensitive categories | +| 6 | `certified` | Certified | — | L5 | ✅ Regulated environments | + +**GDPR warnings** are raised by the dashboard and `get_gdpr_report()` for any service at level 0–2 (`unknown`, `non_compliant`, `initial`). + +--- + +## Key GDPR Concepts Referenced + +**DPA (Data Processing Agreement)** — A contract required by GDPR Art. 28 when a controller engages a processor. The DPA defines the subject-matter, duration, nature and purpose of processing, and the obligations of both parties. + +**SCCs (Standard Contractual Clauses)** — Commission-approved contract clauses enabling lawful transfer of personal data from the EU/EEA to third countries without an adequacy decision. Updated SCCs published June 2021 (implementing decisions 2021/914 and 2021/915). + +**Adequacy Decision** — A European Commission finding that a third country provides an essentially equivalent level of data protection (e.g. UK GDPR, Japan, Canada PIPEDA). Transfers to adequate countries do not require additional safeguards. + +**BCRs (Binding Corporate Rules)** — Internal rules allowing multinationals to transfer personal data within their group across borders. Approved by a lead supervisory authority. + +**Sensitive Categories (Art. 9)** — Health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation. Require explicit consent or other specific legal basis. + +--- + +## Assigning a Maturity Level + +When adding a new service to `canon/tpsc/`, follow this decision process: + +``` +Is a privacy policy published? 
+ No → unknown or non_compliant + +Is a DPA available (even on request)? + No → initial + Yes → developing (minimum) + +Are SCCs or adequacy mechanisms documented? + No → developing + Yes, and retention policy published → defined + +Are independent audit reports published (SOC 2 Type II, etc.)? + Yes → managed + +Is an ISO 27701 or equivalent certification current? + Yes → certified +``` + +When uncertain between two levels, assign the **lower** level. Err on the side of caution. + +--- + +## References + +- CNIL: [Le modèle de maturité de la protection des données](https://www.cnil.fr/fr/le-modele-de-maturite-de-la-protection-des-donnees) +- IAPP: [Achieving privacy excellence — understanding the privacy maturity model](https://iapp.org/news/a/achieving-privacy-excellence-understanding-the-privacy-maturity-model) +- ISO/IEC 27701:2025: [Privacy information management — Requirements and guidelines](https://www.iso.org/standard/27701) +- European Commission SCCs (2021): [Implementing Decision 2021/914](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914) +- EDPB Guidelines on SCCs: [Guidelines 04/2021](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042021-standard-contractual-clauses_en) +- CMMI Institute: [CMMI Model Overview](https://cmmiinstitute.com/cmmi)
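Review bot: the "Assigning a Maturity Level" decision tree in this hunk does not agree with the level definitions above it, so two assessors following the page could rate the same service differently. The branch "Is a DPA available (even on request)? Yes → developing (minimum)" grants `developing` before the next question ("Are SCCs or adequacy mechanisms documented? No → developing") has been asked, yet the Level 3 description states that "SCCs or equivalent transfer mechanisms are in place" as part of what `developing` means; a DPA with no documented transfer mechanism should fall back to `initial` (or the Level 3 text should drop the transfer requirement). The tree also needs a third outcome for services whose processing stays within the EU/EEA, where neither SCCs nor an adequacy decision applies. The first branch, "No → unknown or non_compliant", leaves the choice between Level 0 and Level 1 unspecified; the Level 1 bullet already lists the triggers (transfers without safeguards, confirmed regulatory findings, explicit statements that GDPR does not apply), so the branch should reference those and default to `unknown` otherwise, consistent with the "assign the lower level" rule. Finally, the last two questions have no "No →" arms, so a service with a published SOC 2 Type II report but no retention policy would skip `defined` and land on `managed`; adding "No → defined" and "No → managed" arms makes the ladder strictly cumulative. One smaller consistency point: the Foundations paragraph gives the CMMI progression as "Initial → Repeatable → Defined → Managed → Optimized" (Managed at level 4), while the per-level entries label level 2 "Managed / Repeatable" and level 4 "Quantitatively Managed"; pick one naming scheme (the CMMI v1.x names used in the per-level entries are the current ones) and use it in both places.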