Full reference for the 7-level CNIL/IAPP CMMI-aligned scale used in TPSC: source frameworks, per-level descriptions, suitability guidance, key GDPR concepts (DPA, SCCs, adequacy, BCRs, Art.9), assignment decision tree, and authoritative references. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
# GDPR Maturity Model
The Custodian TPSC uses a seven-level maturity scale to rate the GDPR compliance posture of third-party services. It is adapted from the CNIL / IAPP CMMI Privacy Maturity Model for the specific purpose of assessing external service providers rather than internal programmes.
## Foundations

### Source frameworks
| Framework | Authority | Levels |
|---|---|---|
| CNIL Data Protection Maturity Model | French data protection authority (CNIL) | 5 (Initial → Optimized) |
| IAPP Privacy Program Maturity Model | International Association of Privacy Professionals | 5 (Ad Hoc → Optimized) |
| ISO/IEC 27701:2025 | ISO / IEC | Implementation tiers |
| CMMI (Capability Maturity Model Integration) | CMMI Institute | 5 (Initial → Optimizing) |
Both CNIL and IAPP align on the same semantic progression: Initial → Repeatable → Defined → Managed → Optimized, directly mapping to CMMI levels 1–5. The Custodian scale extends this with two pre-maturity states (unknown, non_compliant) that have no CMMI equivalent but are essential when assessing third parties with no published compliance posture.

## The Scale
### Level 0 — unknown
No information is available about the service's GDPR compliance posture.
- No privacy policy, no ToS that addresses data processing, or the service has not been assessed yet.
- Dashboard: 🔴 Warning
- Implication: Cannot be used for any processing of personal data in a regulated environment. Treat as non-compliant until assessed.
- CMMI equivalent: None (pre-maturity)
### Level 1 — non_compliant
The service has known GDPR compliance deficiencies with no indication of remediation.
- May include: data transfers to non-adequate third countries without safeguards, no privacy policy, confirmed regulatory findings, or explicit statements that GDPR does not apply.
- Dashboard: 🔴 Warning
- Implication: Must not be used for personal data processing in any EU/EEA context. Legal risk exists even for development use if real personal data is involved.
- CMMI equivalent: Below Level 1
### Level 2 — initial
A basic privacy policy exists. Compliance approach is ad hoc and reactive.
- Some documentation exists but it is incomplete or generic. No formal Data Processing Agreement (DPA) is offered. Data processing practices may not be clearly defined.
- Dashboard: 🟠 Warning
- Implication: Suitable for development and prototyping with synthetic or anonymised data only. Not suitable for production processing of personal data without additional controls.
- CMMI equivalent: Level 1 — Initial
### Level 3 — developing
DPA is available. Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place for EU→non-EU transfers.
- The service acknowledges GDPR obligations. A DPA can be signed (even if not mandatory for all tiers). Data processing regions are documented. Some controls exist but the compliance programme is not fully formalised.
- Dashboard: 🟡 Caution
- Implication: Acceptable for routine processing of personal data when a DPA has been signed. Verify transfer mechanisms and data residency before use with sensitive categories. Suitable for most B2B use cases.
- CMMI equivalent: Level 2 — Managed / Repeatable
### Level 4 — defined
Formal DPA, documented SCCs or adequacy decision, clearly published data retention policy, and defined data processing practices.
- The compliance programme is documented and consistent. Data subjects' rights are implemented. Sub-processor lists are published. Processing purposes are limited and documented.
- Dashboard: 🟢 Compliant
- Implication: Suitable for general production use including personal data. Appropriate for most corporate and SME environments. Review sub-processor list for any domain-specific restrictions.
- CMMI equivalent: Level 3 — Defined
### Level 5 — managed
Independently audited compliance. Quantified metrics, continuous improvement processes, and regular attestation published.
- Third-party audits (e.g. SOC 2 Type II with privacy controls, penetration testing reports, annual compliance attestations) are available. Privacy metrics are tracked and acted upon. Incident response procedures are tested.
- Dashboard: 🟢 Compliant
- Implication: Suitable for processing sensitive categories of personal data (Art. 9 GDPR). Suitable for regulated industries (healthcare, finance) subject to additional sectoral review.
- CMMI equivalent: Level 4 — Quantitatively Managed
### Level 6 — certified
Formal independent certification against a recognised privacy standard.
- Examples: ISO/IEC 27701 (Privacy Information Management System), BSI C5 (for cloud services), SOC 2 Type II with GDPR-specific controls. Certification is current and scope covers the relevant services.
- Dashboard: 🟢 Compliant
- Implication: Highest available assurance. Suitable for processing of sensitive personal data at scale, public-sector use, and regulated environments with strict vendor requirements (DSGVO-compliant procurement, NHS DSPT, etc.).
- CMMI equivalent: Level 5 — Optimizing
## Summary Table

| Level | Code | Label | GDPR Warning | CMMI | Suitable for personal data? |
|---|---|---|---|---|---|
| 0 | unknown | Unknown | ✅ Yes | — | ❌ No |
| 1 | non_compliant | Non-Compliant | ✅ Yes | — | ❌ No |
| 2 | initial | Initial | ✅ Yes | L1 | ⚠ Synthetic/anonymised only |
| 3 | developing | Developing | — | L2 | ✅ With signed DPA |
| 4 | defined | Defined | — | L3 | ✅ General use |
| 5 | managed | Managed | — | L4 | ✅ Sensitive categories |
| 6 | certified | Certified | — | L5 | ✅ Regulated environments |

GDPR warnings are raised by the dashboard and by get_gdpr_report() for any service at level 0–2 (unknown, non_compliant, initial).
## Key GDPR Concepts Referenced

- **DPA (Data Processing Agreement)** — A contract required by GDPR Art. 28 when a controller engages a processor. The DPA defines the subject-matter, duration, nature and purpose of processing, and the obligations of both parties.
- **SCCs (Standard Contractual Clauses)** — Commission-approved contract clauses enabling lawful transfer of personal data from the EU/EEA to third countries without an adequacy decision. Updated SCCs were published in June 2021 (implementing decisions 2021/914 and 2021/915).
- **Adequacy Decision** — A European Commission finding that a third country provides an essentially equivalent level of data protection (e.g. UK GDPR, Japan, Canada PIPEDA). Transfers to adequate countries do not require additional safeguards.
- **BCRs (Binding Corporate Rules)** — Internal rules allowing multinationals to transfer personal data within their group across borders. Approved by a lead supervisory authority.
- **Sensitive Categories (Art. 9)** — Health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation. These require explicit consent or another specific legal basis.
## Assigning a Maturity Level

When adding a new service to canon/tpsc/, follow this decision process:

1. Is a privacy policy published?
   - No → unknown or non_compliant
2. Is a DPA available (even on request)?
   - No → initial
   - Yes → developing (minimum)
3. Are SCCs or adequacy mechanisms documented?
   - No → developing
   - Yes, and retention policy published → defined
4. Are independent audit reports published (SOC 2 Type II, etc.)?
   - Yes → managed
5. Is an ISO 27701 or equivalent certification current?
   - Yes → certified

When uncertain between two levels, assign the lower level. Err on the side of caution.
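The decision process above, encoded as a small classifier so that the same evidence always yields the same level. This is an added example and not part of the Custodian TPSC code base; the Evidence and Maturity types are assumptions made for this illustration. Unverified evidence (None) is treated as "no", which is how the "assign the lower level" rule is applied, and known deficiencies map to non_compliant even when a policy exists, following the Level 1 description.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Maturity(IntEnum):
    """The seven-level scale. Numeric values match the 'Level' column above."""
    UNKNOWN = 0
    NON_COMPLIANT = 1
    INITIAL = 2
    DEVELOPING = 3
    DEFINED = 4
    MANAGED = 5
    CERTIFIED = 6


@dataclass(frozen=True)
class Evidence:
    """What has been verified about one service (hypothetical type, not the TPSC schema).
    None means 'not verified' and is treated as 'no' so uncertainty lowers the level."""
    privacy_policy: Optional[bool] = None
    known_deficiencies: Optional[bool] = None     # confirmed findings, unsafeguarded transfers, "GDPR does not apply"
    dpa_available: Optional[bool] = None          # offered, even if only on request
    transfer_mechanism: Optional[bool] = None     # SCCs or an adequacy decision documented
    retention_policy: Optional[bool] = None
    audit_reports: Optional[bool] = None          # e.g. SOC 2 Type II published
    certification_current: Optional[bool] = None  # e.g. ISO/IEC 27701, current and in scope


def _yes(value: Optional[bool]) -> bool:
    return value is True


def assign_level(e: Evidence) -> Maturity:
    """Walk the decision tree top-down and stop at the first level that is ruled in."""
    if _yes(e.known_deficiencies):
        return Maturity.NON_COMPLIANT      # Level 1 applies whether or not a policy exists
    if not _yes(e.privacy_policy):
        return Maturity.UNKNOWN            # nothing to assess yet
    if not _yes(e.dpa_available):
        return Maturity.INITIAL
    if not (_yes(e.transfer_mechanism) and _yes(e.retention_policy)):
        return Maturity.DEVELOPING         # a DPA alone caps the service at level 3
    if _yes(e.certification_current):
        return Maturity.CERTIFIED
    if _yes(e.audit_reports):
        return Maturity.MANAGED
    return Maturity.DEFINED


def gdpr_warning(level: Maturity) -> bool:
    """Dashboard rule: any service at level 0-2 raises a GDPR warning."""
    return level <= Maturity.INITIAL
```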
## References
- CNIL: Le modèle de maturité de la protection des données
- IAPP: Achieving privacy excellence — understanding the privacy maturity model
- ISO/IEC 27701:2025: Privacy information management — Requirements and guidelines
- European Commission SCCs (2021): Implementing Decision 2021/914
- EDPB Guidelines on SCCs: Guidelines 04/2021
- CMMI Institute: CMMI Model Overview