the-custodian/state-hub/dashboard/src/docs/gdpr-maturity.md
tegwick 0f9266cd91 docs(tpsc): add GDPR Maturity Model reference page
Full reference for the 7-level CNIL/IAPP CMMI-aligned scale used in TPSC:
source frameworks, per-level descriptions, suitability guidance, key GDPR
concepts (DPA, SCCs, adequacy, BCRs, Art.9), assignment decision tree,
and authoritative references.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 00:19:07 +01:00

GDPR Maturity Model

The Custodian TPSC uses a seven-level maturity scale to rate the GDPR compliance posture of third-party services. It is adapted from the CNIL / IAPP CMMI Privacy Maturity Model for the specific purpose of assessing external service providers rather than internal programmes.


Foundations

Source frameworks

| Framework | Authority | Levels |
|---|---|---|
| CNIL Data Protection Maturity Model | French data protection authority (CNIL) | 5 (Initial → Optimized) |
| IAPP Privacy Program Maturity Model | International Association of Privacy Professionals | 5 (Ad Hoc → Optimized) |
| ISO/IEC 27701:2025 | ISO / IEC | Not a maturity scale: a certifiable Privacy Information Management System standard, used here as the reference for level 6 |
| CMMI (Capability Maturity Model Integration) | CMMI Institute | 5 (Initial → Optimizing) |

Both CNIL and IAPP align on the same semantic progression: Initial → Repeatable → Defined → Managed → Optimized, mapping directly to CMMI levels 1–5. The Custodian scale extends this with two pre-maturity states (unknown, non_compliant) that have no CMMI equivalent but are essential when assessing third parties that publish no compliance posture at all.


The Scale

Level 0 — unknown

No information is available about the service's GDPR compliance posture.

  • No privacy policy, no ToS that addresses data processing, or the service has not been assessed yet.
  • Dashboard: 🔴 Warning
  • Implication: Cannot be used for any processing of personal data in a regulated environment. Treat as non-compliant until assessed.
  • CMMI equivalent: None (pre-maturity)

Level 1 — non_compliant

The service has known GDPR compliance deficiencies with no indication of remediation.

  • May include: data transfers to non-adequate third countries without safeguards, no privacy policy, confirmed regulatory findings, or explicit statements that GDPR does not apply.
  • Dashboard: 🔴 Warning
  • Implication: Must not be used for personal data processing in any EU/EEA context. Legal risk exists even for development use if real personal data is involved.
  • CMMI equivalent: Below Level 1

Level 2 — initial

A basic privacy policy exists. Compliance approach is ad hoc and reactive.

  • Some documentation exists but it is incomplete or generic. No formal Data Processing Agreement (DPA) is offered. Data processing practices may not be clearly defined.
  • Dashboard: 🟠 Warning
  • Implication: Suitable for development and prototyping with synthetic or anonymised data only. Not suitable for production processing of personal data without additional controls.
  • CMMI equivalent: Level 1 — Initial

Level 3 — developing

DPA is available. Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place for EU→non-EU transfers.

  • The service acknowledges GDPR obligations. A DPA can be signed (even if not mandatory for all tiers). Data processing regions are documented. Some controls exist but the compliance programme is not fully formalised.
  • Dashboard: 🟡 Caution
  • Implication: Acceptable for routine processing of personal data when a DPA has been signed. Verify transfer mechanisms and data residency before use with sensitive categories. Suitable for most B2B use cases.
  • CMMI equivalent: Level 2 — Managed / Repeatable

Level 4 — defined

Formal DPA, documented SCCs or adequacy decision, clearly published data retention policy, and defined data processing practices.

  • The compliance programme is documented and consistent. Data subjects' rights are implemented. Sub-processor lists are published. Processing purposes are limited and documented.
  • Dashboard: 🟢 Compliant
  • Implication: Suitable for general production use including personal data. Appropriate for most corporate and SME environments. Review sub-processor list for any domain-specific restrictions.
  • CMMI equivalent: Level 3 — Defined

Level 5 — managed

Independently audited compliance. Quantified metrics, continuous improvement processes, and regular attestation published.

  • Third-party audits (e.g. SOC 2 Type II with privacy controls, penetration testing reports, annual compliance attestations) are available. Privacy metrics are tracked and acted upon. Incident response procedures are tested.
  • Dashboard: 🟢 Compliant
  • Implication: Suitable for processing sensitive categories of personal data (Art. 9 GDPR). Suitable for regulated industries (healthcare, finance) subject to additional sectoral review.
  • CMMI equivalent: Level 4 — Quantitatively Managed

Level 6 — certified

Formal independent certification against a recognised privacy standard.

  • Examples: ISO/IEC 27701 (Privacy Information Management System), BSI C5 (for cloud services), SOC 2 Type II with GDPR-specific controls. Certification is current and scope covers the relevant services.
  • Dashboard: 🟢 Compliant
  • Implication: Highest available assurance. Suitable for processing of sensitive personal data at scale, public-sector use, and regulated environments with strict vendor requirements (DSGVO-compliant procurement, NHS DSPT, etc.).
  • CMMI equivalent: Level 5 — Optimizing

Summary Table

| Level | Code | Label | GDPR warning | CMMI | Suitable for personal data? |
|---|---|---|---|---|---|
| 0 | unknown | Unknown | Yes | n/a | No |
| 1 | non_compliant | Non-Compliant | Yes | n/a | No |
| 2 | initial | Initial | Yes | L1 | ⚠ Synthetic/anonymised only |
| 3 | developing | Developing | No | L2 | With signed DPA |
| 4 | defined | Defined | No | L3 | General use |
| 5 | managed | Managed | No | L4 | Sensitive categories |
| 6 | certified | Certified | No | L5 | Regulated environments |

GDPR warnings are raised by the dashboard and by get_gdpr_report() for any service at levels 0–2 (unknown, non_compliant, initial).


Key GDPR Concepts Referenced

DPA (Data Processing Agreement) — A contract (or other binding legal act) required by GDPR Art. 28 whenever a controller engages a processor. The DPA defines the subject-matter, duration, nature and purpose of processing, the categories of data subjects and personal data, and the processor's obligations (instructions, confidentiality, security, sub-processor approval, assistance, deletion/return, audit). A vendor's standard DPA should be checked for these Art. 28(3) elements before it is counted as a DPA at all.

SCCs (Standard Contractual Clauses) — Commission-approved contract clauses enabling lawful transfer of personal data from the EU/EEA to third countries that have no adequacy decision (Art. 46(2)(c)). The current transfer SCCs are those of Commission Implementing Decision (EU) 2021/914 of 4 June 2021; the pre-2021 sets are no longer valid for new transfers. Implementing Decision (EU) 2021/915 of the same date contains a separate set of standard clauses for Art. 28 controller–processor contracts and is not a transfer mechanism. Since Schrems II (C-311/18) the exporter must also assess whether the destination country's law undermines the clauses (a transfer impact assessment) and add supplementary measures where it does.

Adequacy Decision — A European Commission finding under Art. 45 that a third country (or a sector or framework within it) provides an essentially equivalent level of data protection, for example the United Kingdom, Japan, Canada for organisations subject to PIPEDA, and the United States for organisations certified under the EU–US Data Privacy Framework. Transfers to adequate destinations need no additional transfer safeguards; an Art. 28 DPA is still required.

BCRs (Binding Corporate Rules) — Internal, legally binding rules (Art. 47) allowing a multinational to transfer personal data within its own corporate group across borders. Approved by the competent supervisory authority under the consistency mechanism. They cover intra-group transfers only, so a vendor's BCRs do not cover its transfers to unrelated sub-processors.

Sensitive Categories (Art. 9) — Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, health data, and data concerning sex life or sexual orientation. Processing is prohibited unless one of the Art. 9(2) exceptions applies (explicit consent, employment law, vital interests, etc.), on top of an Art. 6 lawful basis.


Assigning a Maturity Level

When adding a new service to canon/tpsc/, follow this decision process:

Is a privacy policy published?
  No → non_compliant if deficiencies are already known (regulatory findings, unsafeguarded transfers), otherwise unknown
  Yes, but deficiencies are known → non_compliant regardless of the remaining questions

Is a DPA available (even on request)?
  No → initial
  Yes → developing (minimum)

Are SCCs or adequacy mechanisms documented, and is a retention policy published?
  No (either missing) → developing
  Yes (both) → defined

Are independent audit reports published (SOC 2 Type II, etc.)?
  No → defined
  Yes → managed

Is an ISO 27701 or equivalent certification current, with a scope that covers the service actually used?
  No (lapsed, or scope does not cover the service) → managed
  Yes → certified

Each question is a gate: a service only climbs to the next level when the answer has actually been verified, not merely claimed. When uncertain between two levels, assign the lower level. Err on the side of caution.
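The decision tree above and the level 0–2 warning rule from the summary table, expressed as one assignment routine. This is an added example, not the project's own code: the level codes and the warning threshold follow this page, while ServiceEvidence, Certification, assign_level(), gdpr_warning(), build_report() and the sample services are assumed names and constructed data written for the illustration. The sample includes a lapsed certificate to show that an expired or out-of-scope certification leaves a service at managed rather than certified.

```python
"""Assign a TPSC GDPR maturity level from verified assessment evidence.

Added example, not the project's own code. Level codes and the 0-2 warning
threshold follow the maturity page; all class, function and sample names
below are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Level number -> level code, exactly as listed in the scale.
LEVELS = ("unknown", "non_compliant", "initial", "developing",
          "defined", "managed", "certified")
WARNING_MAX_LEVEL = 2  # levels 0-2 raise a GDPR warning on the dashboard


@dataclass
class Certification:
    standard: str               # e.g. "ISO/IEC 27701"
    scope_covers_service: bool  # the certificate scope names the service we use
    valid_until: date           # expiry date printed on the certificate


@dataclass
class ServiceEvidence:
    """What the assessor could verify for one third-party service.
    Every field defaults to 'not verified', so an empty record lands at level 0."""
    privacy_policy_published: bool = False
    known_deficiencies: bool = False             # findings, unsafeguarded transfers, ...
    dpa_available: bool = False                  # offered, even if only on request
    transfer_mechanism_documented: bool = False  # SCCs or an adequacy decision
    retention_policy_published: bool = False
    audit_reports_published: bool = False        # SOC 2 Type II etc.
    certifications: list = field(default_factory=list)


def certification_is_current(cert: Certification, today: date) -> bool:
    # A lapsed or out-of-scope certificate counts for nothing.
    return cert.scope_covers_service and cert.valid_until >= today


def assign_level(ev: ServiceEvidence, today=None) -> tuple:
    """Walk the decision tree top-down. Each gate must be verified to climb
    further, so anything unverified leaves the service at the lower level."""
    today = today or date.today()
    if ev.known_deficiencies:
        return 1, LEVELS[1]  # known deficiencies override any documentation
    if not ev.privacy_policy_published:
        return 0, LEVELS[0]
    if not ev.dpa_available:
        return 2, LEVELS[2]
    if not (ev.transfer_mechanism_documented and ev.retention_policy_published):
        return 3, LEVELS[3]
    if not ev.audit_reports_published:
        return 4, LEVELS[4]
    if not any(certification_is_current(c, today) for c in ev.certifications):
        return 5, LEVELS[5]
    return 6, LEVELS[6]


def gdpr_warning(level: int) -> bool:
    """Warning rule from the summary table: unknown, non_compliant, initial."""
    return level <= WARNING_MAX_LEVEL


# Constructed sample services for illustration only; not real vendor assessments.
ASSESSMENT_DATE = date(2026, 3, 20)
SAMPLE_SERVICES = {
    "notes-saas": ServiceEvidence(privacy_policy_published=True),
    "crm-vendor": ServiceEvidence(
        privacy_policy_published=True, dpa_available=True,
        transfer_mechanism_documented=True, retention_policy_published=True,
        audit_reports_published=True,
        # Certificate expired before the assessment date -> stays at managed.
        certifications=[Certification("ISO/IEC 27701", True, date(2025, 12, 31))]),
    "analytics-x": ServiceEvidence(privacy_policy_published=True,
                                   known_deficiencies=True),
}


def build_report(services, today=ASSESSMENT_DATE) -> dict:
    """Return {name: (level, code, warning)} in the shape a dashboard could render."""
    report = {}
    for name, ev in services.items():
        level, code = assign_level(ev, today)
        report[name] = (level, code, gdpr_warning(level))
    return report


if __name__ == "__main__":
    for name, (level, code, warn) in build_report(SAMPLE_SERVICES).items():
        flag = "  GDPR warning" if warn else ""
        print(f"{name:12s} level {level} ({code}){flag}")
```

The gates are ordered so that a known deficiency short-circuits everything else, matching the rule that a confirmed regulatory finding makes a service non_compliant even when it has a full document set; the certification check takes the assessment date as an argument so the same evidence record can be re-evaluated when a certificate lapses.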


References