the-custodian/state-hub/dashboard/src/docs/gdpr-maturity.md
tegwick 0f9266cd91 docs(tpsc): add GDPR Maturity Model reference page
Full reference for the 7-level CNIL/IAPP CMMI-aligned scale used in TPSC:
source frameworks, per-level descriptions, suitability guidance, key GDPR
concepts (DPA, SCCs, adequacy, BCRs, Art.9), assignment decision tree,
and authoritative references.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 00:19:07 +01:00

---
title: GDPR Maturity Model
---
# GDPR Maturity Model
The Custodian TPSC uses a seven-level maturity scale to rate the GDPR
compliance posture of third-party services. It is adapted from the
**CNIL / IAPP CMMI Privacy Maturity Model** for the specific purpose of
assessing external service providers rather than internal programmes.
---
## Foundations
### Source frameworks
| Framework | Authority | Levels |
|---|---|---|
| [CNIL Data Protection Maturity Model](https://iapp.org/news/b/cnil-publishes-data-protection-management-maturity-model) | French data protection authority (CNIL) | 5 (Initial → Optimized) |
| [IAPP Privacy Program Maturity Model](https://iapp.org/news/a/achieving-privacy-excellence-understanding-the-privacy-maturity-model) | International Association of Privacy Professionals | 5 (Ad Hoc → Optimized) |
| [ISO/IEC 27701:2025](https://www.iso.org/standard/27701) | ISO / IEC | Implementation tiers |
| [CMMI (Capability Maturity Model Integration)](https://cmmiinstitute.com) | CMMI Institute | 5 (Initial → Optimizing) |
Both CNIL and IAPP align on the same semantic progression: **Initial →
Repeatable → Defined → Managed → Optimized**, directly mapping to CMMI levels
1–5. The Custodian scale extends this with two pre-maturity states
(`unknown`, `non_compliant`) that have no CMMI equivalent but are essential
when assessing third parties with no published compliance posture.
---
## The Scale
### Level 0 — `unknown`
> No information is available about the service's GDPR compliance posture.
- No privacy policy, no ToS that addresses data processing, or the service has not been assessed yet.
- **Dashboard:** 🔴 Warning
- **Implication:** Cannot be used for any processing of personal data in a regulated environment. Treat as non-compliant until assessed.
- **CMMI equivalent:** None (pre-maturity)
---
### Level 1 — `non_compliant`
> The service has known GDPR compliance deficiencies with no indication of remediation.
- May include: data transfers to non-adequate third countries without safeguards, no privacy policy, confirmed regulatory findings, or explicit statements that GDPR does not apply.
- **Dashboard:** 🔴 Warning
- **Implication:** Must not be used for personal data processing in any EU/EEA context. Legal risk exists even for development use if real personal data is involved.
- **CMMI equivalent:** Below Level 1
---
### Level 2 — `initial`
> A basic privacy policy exists. Compliance approach is ad hoc and reactive.
- Some documentation exists but it is incomplete or generic. No formal Data Processing Agreement (DPA) is offered. Data processing practices may not be clearly defined.
- **Dashboard:** 🟠 Warning
- **Implication:** Suitable for development and prototyping with synthetic or anonymised data only. Not suitable for production processing of personal data without additional controls.
- **CMMI equivalent:** Level 1 — Initial
---
### Level 3 — `developing`
> DPA is available. Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place for EU→non-EU transfers.
- The service acknowledges GDPR obligations. A DPA can be signed (even if not mandatory for all tiers). Data processing regions are documented. Some controls exist but the compliance programme is not fully formalised.
- **Dashboard:** 🟡 Caution
- **Implication:** Acceptable for routine processing of personal data when a DPA has been signed. Verify transfer mechanisms and data residency before use with sensitive categories. Suitable for most B2B use cases.
- **CMMI equivalent:** Level 2 — Managed / Repeatable
---
### Level 4 — `defined`
> Formal DPA, documented SCCs or adequacy decision, clearly published data retention policy, and defined data processing practices.
- The compliance programme is documented and consistent. Data subjects' rights are implemented. Sub-processor lists are published. Processing purposes are limited and documented.
- **Dashboard:** 🟢 Compliant
- **Implication:** Suitable for general production use including personal data. Appropriate for most corporate and SME environments. Review sub-processor list for any domain-specific restrictions.
- **CMMI equivalent:** Level 3 — Defined
---
### Level 5 — `managed`
> Independently audited compliance. Quantified metrics, continuous improvement processes, and regular attestation published.
- Third-party audits (e.g. SOC 2 Type II with privacy controls, penetration testing reports, annual compliance attestations) are available. Privacy metrics are tracked and acted upon. Incident response procedures are tested.
- **Dashboard:** 🟢 Compliant
- **Implication:** Suitable for processing sensitive categories of personal data (Art. 9 GDPR). Suitable for regulated industries (healthcare, finance) subject to additional sectoral review.
- **CMMI equivalent:** Level 4 — Quantitatively Managed
---
### Level 6 — `certified`
> Formal independent certification against a recognised privacy standard.
- Examples: ISO/IEC 27701 (Privacy Information Management System), BSI C5 (for cloud services), SOC 2 Type II with GDPR-specific controls. Certification is current and scope covers the relevant services.
- **Dashboard:** 🟢 Compliant
- **Implication:** Highest available assurance. Suitable for processing of sensitive personal data at scale, public-sector use, and regulated environments with strict vendor requirements (DSGVO-compliant procurement, NHS DSPT, etc.).
- **CMMI equivalent:** Level 5 — Optimizing
---
## Summary Table
| Level | Code | Label | GDPR Warning | CMMI | Suitable for personal data? |
|---|---|---|---|---|---|
| 0 | `unknown` | Unknown | ✅ Yes | — | ❌ No |
| 1 | `non_compliant` | Non-Compliant | ✅ Yes | — | ❌ No |
| 2 | `initial` | Initial | ✅ Yes | L1 | ⚠ Synthetic/anonymised only |
| 3 | `developing` | Developing | — | L2 | ✅ With signed DPA |
| 4 | `defined` | Defined | — | L3 | ✅ General use |
| 5 | `managed` | Managed | — | L4 | ✅ Sensitive categories |
| 6 | `certified` | Certified | — | L5 | ✅ Regulated environments |
**GDPR warnings** are raised by the dashboard and `get_gdpr_report()` for any service at levels 0–2 (`unknown`, `non_compliant`, `initial`).
---
## Key GDPR Concepts Referenced
**DPA (Data Processing Agreement)** — A contract required by GDPR Art. 28 when a controller engages a processor. The DPA defines the subject-matter, duration, nature and purpose of processing, and the obligations of both parties.
**SCCs (Standard Contractual Clauses)** — Commission-approved contract clauses enabling lawful transfer of personal data from the EU/EEA to third countries without an adequacy decision. Updated SCCs published June 2021 (implementing decisions 2021/914 and 2021/915).
**Adequacy Decision** — A European Commission finding that a third country provides an essentially equivalent level of data protection (e.g. the UK, Japan, Canada under PIPEDA). Transfers to adequate countries do not require additional safeguards.
**BCRs (Binding Corporate Rules)** — Internal rules allowing multinationals to transfer personal data within their group across borders. Approved by a lead supervisory authority.
**Sensitive Categories (Art. 9)** — Health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation. Require explicit consent or other specific legal basis.
---
## Assigning a Maturity Level
When adding a new service to `canon/tpsc/`, follow this decision process:
```
Is a privacy policy published?
  No  → unknown or non_compliant
Is a DPA available (even on request)?
  No  → initial
  Yes → developing (minimum)
Are SCCs or adequacy mechanisms documented?
  No  → developing
  Yes, and retention policy published → defined
Are independent audit reports published (SOC 2 Type II, etc.)?
  Yes → managed
Is an ISO 27701 or equivalent certification current?
  Yes → certified
```
When uncertain between two levels, assign the **lower** level. Err on the side of caution.
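The decision process above as a worked example in Python (added here; not code from the TPSC code base). The `Evidence` record and its field names are assumptions. Unverified answers (`None`) count as No, which implements the "assign the lower level" rule, and the check for known deficiencies despite a published policy follows the Level 1 description rather than the tree itself.

```python
from dataclasses import dataclass
from typing import Optional

# Scale codes in order; the list index is the numeric level from the Summary Table.
LEVELS = ["unknown", "non_compliant", "initial", "developing",
          "defined", "managed", "certified"]


@dataclass
class Evidence:
    """Answers to the decision-tree questions (field names are assumptions).
    None means 'not verified' and is treated as No, so uncertainty always
    resolves to the lower level."""
    privacy_policy_published: Optional[bool] = None
    known_deficiencies: Optional[bool] = None             # findings, unsafeguarded transfers
    dpa_available: Optional[bool] = None                  # even on request
    transfer_mechanism_documented: Optional[bool] = None  # SCCs or adequacy decision
    retention_policy_published: Optional[bool] = None
    audit_reports_published: Optional[bool] = None        # SOC 2 Type II etc.
    certification_current: Optional[bool] = None          # ISO/IEC 27701 or equivalent


def _yes(answer: Optional[bool]) -> bool:
    return answer is True


def assign_level(ev: Evidence) -> str:
    """Walk the tree top to bottom; each later question is only reached when
    every earlier gate was answered Yes, so a certificate without published
    audit reports still stops at 'defined'."""
    if not _yes(ev.privacy_policy_published):
        return "non_compliant" if _yes(ev.known_deficiencies) else "unknown"
    if _yes(ev.known_deficiencies):
        return "non_compliant"  # Level 1: known deficiencies outweigh a policy
    if not _yes(ev.dpa_available):
        return "initial"
    if not (_yes(ev.transfer_mechanism_documented)
            and _yes(ev.retention_policy_published)):
        return "developing"
    if not _yes(ev.audit_reports_published):
        return "defined"
    if not _yes(ev.certification_current):
        return "managed"
    return "certified"


def gdpr_warning(code: str) -> bool:
    """Levels 0-2 raise a GDPR warning on the dashboard and in get_gdpr_report()."""
    return LEVELS.index(code) <= 2
```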
---
## References
- CNIL: [Le modèle de maturité de la protection des données](https://www.cnil.fr/fr/le-modele-de-maturite-de-la-protection-des-donnees)
- IAPP: [Achieving privacy excellence — understanding the privacy maturity model](https://iapp.org/news/a/achieving-privacy-excellence-understanding-the-privacy-maturity-model)
- ISO/IEC 27701:2025: [Privacy information management — Requirements and guidelines](https://www.iso.org/standard/27701)
- European Commission SCCs (2021): [Implementing Decision 2021/914](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914)
- EDPB Guidelines on SCCs: [Guidelines 04/2021](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042021-standard-contractual-clauses_en)
- CMMI Institute: [CMMI Model Overview](https://cmmiinstitute.com/cmmi)