---
title: GDPR Maturity Model
---

# GDPR Maturity Model

The Custodian TPSC uses a seven-level maturity scale to rate the GDPR compliance posture of third-party services. It is adapted from the **CNIL / IAPP CMMI Privacy Maturity Model** for the specific purpose of assessing external service providers rather than internal programmes.

---

## Foundations

### Source frameworks

| Framework | Authority | Levels |
|---|---|---|
| [CNIL Data Protection Maturity Model](https://iapp.org/news/b/cnil-publishes-data-protection-management-maturity-model) | French data protection authority (CNIL) | 5 (Initial → Optimized) |
| [IAPP Privacy Program Maturity Model](https://iapp.org/news/a/achieving-privacy-excellence-understanding-the-privacy-maturity-model) | International Association of Privacy Professionals | 5 (Ad Hoc → Optimized) |
| [ISO/IEC 27701:2025](https://www.iso.org/standard/27701) | ISO / IEC | Implementation tiers |
| [CMMI (Capability Maturity Model Integration)](https://cmmiinstitute.com) | CMMI Institute | 5 (Initial → Optimizing) |

Both CNIL and IAPP align on the same semantic progression: **Initial → Repeatable → Defined → Managed → Optimized**, directly mapping to CMMI levels 1–5. The Custodian scale extends this with two pre-maturity states (`unknown`, `non_compliant`) that have no CMMI equivalent but are essential when assessing third parties with no published compliance posture.

---

## The Scale

### Level 0 — `unknown`

> No information is available about the service's GDPR compliance posture.

- No privacy policy, no ToS that addresses data processing, or the service has not been assessed yet.
- **Dashboard:** 🔴 Warning
- **Implication:** Cannot be used for any processing of personal data in a regulated environment. Treat as non-compliant until assessed.
- **CMMI equivalent:** None (pre-maturity)

---

### Level 1 — `non_compliant`

> The service has known GDPR compliance deficiencies with no indication of remediation.

- May include: data transfers to non-adequate third countries without safeguards, no privacy policy, confirmed regulatory findings, or explicit statements that GDPR does not apply.
- **Dashboard:** 🔴 Warning
- **Implication:** Must not be used for personal data processing in any EU/EEA context. Legal risk exists even for development use if real personal data is involved.
- **CMMI equivalent:** Below Level 1

---

### Level 2 — `initial`

> A basic privacy policy exists. The compliance approach is ad hoc and reactive.

- Some documentation exists, but it is incomplete or generic. No formal Data Processing Agreement (DPA) is offered. Data processing practices may not be clearly defined.
- **Dashboard:** 🟠 Warning
- **Implication:** Suitable for development and prototyping with synthetic or anonymised data only. Not suitable for production processing of personal data without additional controls.
- **CMMI equivalent:** Level 1 — Initial

---

### Level 3 — `developing`

> A DPA is available. Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place for EU→non-EU transfers.

- The service acknowledges GDPR obligations. A DPA can be signed (even if not mandatory for all tiers). Data processing regions are documented. Some controls exist, but the compliance programme is not fully formalised.
- **Dashboard:** 🟡 Caution
- **Implication:** Acceptable for routine processing of personal data when a DPA has been signed. Verify transfer mechanisms and data residency before use with sensitive categories. Suitable for most B2B use cases.
- **CMMI equivalent:** Level 2 — Managed / Repeatable

---

### Level 4 — `defined`

> Formal DPA, documented SCCs or adequacy decision, clearly published data retention policy, and defined data processing practices.

- The compliance programme is documented and consistent. Data subjects' rights are implemented. Sub-processor lists are published. Processing purposes are limited and documented.
- **Dashboard:** 🟢 Compliant
- **Implication:** Suitable for general production use including personal data. Appropriate for most corporate and SME environments. Review the sub-processor list for any domain-specific restrictions.
- **CMMI equivalent:** Level 3 — Defined

---

### Level 5 — `managed`

> Independently audited compliance. Quantified metrics, continuous improvement processes, and regular attestation published.

- Third-party audits (e.g. SOC 2 Type II with privacy controls, penetration testing reports, annual compliance attestations) are available. Privacy metrics are tracked and acted upon. Incident response procedures are tested.
- **Dashboard:** 🟢 Compliant
- **Implication:** Suitable for processing sensitive categories of personal data (Art. 9 GDPR). Suitable for regulated industries (healthcare, finance) subject to additional sectoral review.
- **CMMI equivalent:** Level 4 — Quantitatively Managed

---

### Level 6 — `certified`

> Formal independent certification against a recognised privacy standard.

- Examples: ISO/IEC 27701 (Privacy Information Management System), BSI C5 (for cloud services), SOC 2 Type II with GDPR-specific controls. Certification is current and its scope covers the relevant services.
- **Dashboard:** 🟢 Compliant
- **Implication:** Highest available assurance. Suitable for processing of sensitive personal data at scale, public-sector use, and regulated environments with strict vendor requirements (DSGVO-compliant procurement, NHS DSPT, etc.).
- **CMMI equivalent:** Level 5 — Optimizing

---

## Summary Table

| Level | Code | Label | GDPR Warning | CMMI | Suitable for personal data? |
|---|---|---|---|---|---|
| 0 | `unknown` | Unknown | ✅ Yes | — | ❌ No |
| 1 | `non_compliant` | Non-Compliant | ✅ Yes | — | ❌ No |
| 2 | `initial` | Initial | ✅ Yes | L1 | ⚠ Synthetic/anonymised only |
| 3 | `developing` | Developing | — | L2 | ✅ With signed DPA |
| 4 | `defined` | Defined | — | L3 | ✅ General use |
| 5 | `managed` | Managed | — | L4 | ✅ Sensitive categories |
| 6 | `certified` | Certified | — | L5 | ✅ Regulated environments |

**GDPR warnings** are raised by the dashboard and `get_gdpr_report()` for any service at level 0–2 (`unknown`, `non_compliant`, `initial`).

---

## Key GDPR Concepts Referenced

**DPA (Data Processing Agreement)** — A contract required by GDPR Art. 28 when a controller engages a processor. The DPA defines the subject-matter, duration, nature and purpose of processing, and the obligations of both parties.

**SCCs (Standard Contractual Clauses)** — Commission-approved contract clauses enabling lawful transfer of personal data from the EU/EEA to third countries without an adequacy decision. Updated SCCs were published in June 2021 (Implementing Decisions 2021/914 and 2021/915).

**Adequacy Decision** — A European Commission finding that a third country provides an essentially equivalent level of data protection (e.g. UK GDPR, Japan, Canada PIPEDA). Transfers to adequate countries do not require additional safeguards.

**BCRs (Binding Corporate Rules)** — Internal rules allowing multinationals to transfer personal data within their group across borders. Approved by a lead supervisory authority.

**Sensitive Categories (Art. 9)** — Health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation. Require explicit consent or another specific legal basis.

---

## Assigning a Maturity Level

When adding a new service to `canon/tpsc/`, follow this decision process:

```
Is a privacy policy published?
  No  → unknown or non_compliant

Is a DPA available (even on request)?
  No  → initial
  Yes → developing (minimum)

Are SCCs or adequacy mechanisms documented?
  No  → developing
  Yes, and retention policy published → defined

Are independent audit reports published (SOC 2 Type II, etc.)?
  Yes → managed

Is an ISO 27701 or equivalent certification current?
  Yes → certified
```

When uncertain between two levels, assign the **lower** level. Err on the side of caution.

---

## References

- CNIL: [Le modèle de maturité de la protection des données](https://www.cnil.fr/fr/le-modele-de-maturite-de-la-protection-des-donnees)
- IAPP: [Achieving privacy excellence — understanding the privacy maturity model](https://iapp.org/news/a/achieving-privacy-excellence-understanding-the-privacy-maturity-model)
- ISO/IEC 27701:2025: [Privacy information management — Requirements and guidelines](https://www.iso.org/standard/27701)
- European Commission SCCs (2021): [Implementing Decision 2021/914](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914)
- EDPB Guidelines on SCCs: [Guidelines 04/2021](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042021-standard-contractual-clauses_en)
- CMMI Institute: [CMMI Model Overview](https://cmmiinstitute.com/cmmi)
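The decision process in "Assigning a Maturity Level" and the level 0–2 warning rule from the summary table, implemented as an added Python example. This is not Custodian project code: `ServiceAssessment` and its field names, `assign_level`, `gdpr_warning` and `build_gdpr_report` are names assumed here, and the sample services are constructed. Only the level codes, their ordering, the dashboard labels and the warning threshold come from this page. Each question in the flowchart becomes a gate that returns the level reached so far, so "when uncertain, assign the lower level" falls out of the control flow rather than needing a separate rule. One interpretation is added: known deficiencies place a service at `non_compliant` even when a policy is published, following the Level 1 definition rather than the flowchart alone.

```python
"""Assign a Custodian TPSC GDPR maturity level from assessed attributes.

Added example, not Custodian project code. Field and function names are
assumptions made for this illustration; level codes, their order, dashboard
labels and the warning threshold (levels 0-2) are taken from the page.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Tuple


class Maturity(IntEnum):
    """Level numbers and codes as defined by the scale (0 = lowest)."""
    UNKNOWN = 0
    NON_COMPLIANT = 1
    INITIAL = 2
    DEVELOPING = 3
    DEFINED = 4
    MANAGED = 5
    CERTIFIED = 6

    @property
    def code(self) -> str:
        """The snake_case code used in the summary table, e.g. 'non_compliant'."""
        return self.name.lower()


# Dashboard labels per level, as listed on the page.
DASHBOARD = {
    Maturity.UNKNOWN: "🔴 Warning",
    Maturity.NON_COMPLIANT: "🔴 Warning",
    Maturity.INITIAL: "🟠 Warning",
    Maturity.DEVELOPING: "🟡 Caution",
    Maturity.DEFINED: "🟢 Compliant",
    Maturity.MANAGED: "🟢 Compliant",
    Maturity.CERTIFIED: "🟢 Compliant",
}

# Levels 0-2 raise a GDPR warning; everything at or below this threshold is flagged.
WARNING_THRESHOLD = Maturity.INITIAL


@dataclass(frozen=True)
class ServiceAssessment:
    """Evidence gathered for one third-party service (field names are assumed)."""
    privacy_policy_published: bool = False
    known_deficiencies: bool = False            # e.g. confirmed regulatory findings
    dpa_available: bool = False                 # offered, even if only on request
    transfer_mechanism_documented: bool = False  # SCCs or an adequacy decision
    retention_policy_published: bool = False
    audit_reports_published: bool = False       # e.g. SOC 2 Type II
    certification_current: bool = False         # e.g. ISO/IEC 27701, in scope


def assign_level(a: ServiceAssessment) -> Maturity:
    """Walk the page's decision process top to bottom.

    Every gate that is not passed returns the level reached so far, which is
    how 'when uncertain, assign the lower level' is enforced.
    """
    if a.known_deficiencies:
        # Level 1 definition: known deficiencies with no remediation override
        # any published paperwork (interpretation, see lead-in).
        return Maturity.NON_COMPLIANT
    if not a.privacy_policy_published:
        return Maturity.UNKNOWN
    if not a.dpa_available:
        return Maturity.INITIAL
    # 'defined' needs both a transfer mechanism and a published retention policy.
    if not (a.transfer_mechanism_documented and a.retention_policy_published):
        return Maturity.DEVELOPING
    if not a.audit_reports_published:
        return Maturity.DEFINED
    if not a.certification_current:
        # A certification claim without published audit evidence never reaches
        # this line: the audit gate above already assigned the lower level.
        return Maturity.MANAGED
    return Maturity.CERTIFIED


def gdpr_warning(level: Maturity) -> bool:
    """True for the levels the dashboard and get_gdpr_report() flag (0-2)."""
    return level <= WARNING_THRESHOLD


def build_gdpr_report(
    services: Dict[str, ServiceAssessment],
) -> Dict[str, Tuple[str, bool, str]]:
    """Map each service to (level code, warning raised?, dashboard label)."""
    report = {}
    for name, assessment in services.items():
        level = assign_level(assessment)
        report[name] = (level.code, gdpr_warning(level), DASHBOARD[level])
    return report


# Constructed sample data, not real vendor assessments.
SAMPLE_SERVICES = {
    "example-analytics": ServiceAssessment(),
    "example-crm": ServiceAssessment(
        privacy_policy_published=True, dpa_available=True,
        transfer_mechanism_documented=True,  # no retention policy yet
    ),
    "example-storage": ServiceAssessment(
        privacy_policy_published=True, dpa_available=True,
        transfer_mechanism_documented=True, retention_policy_published=True,
        audit_reports_published=True,
    ),
}

if __name__ == "__main__":
    for name, (code, warn, label) in build_gdpr_report(SAMPLE_SERVICES).items():
        print(f"{name:18} {code:14} warning={warn!s:5} {label}")
```

The `example-crm` case shows the "lower level wins" rule in practice: SCCs are documented but no retention policy is published, so the service stays at `developing` rather than reaching `defined`.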