NIS Webinar Website Header Banner 1920 x 500

Mature vs Effective Data Privacy Programmes: Which is Better?

Published 10 July 2023

When discussing if a data privacy programme is fit for purpose, you may have heard the terms ‘mature’ and ‘effective’ being used. While these are both important considerations in assessing your programme, they shouldn’t be used interchangeably.   

In this blog, we’ll cover what the difference is between these two terms, and how you should apply them when reviewing your own programme. We’ll also be looking at: 

  • What defines an effective data privacy programme 

  • How to determine your target maturity level and goals  

  • Common data privacy frameworks and how to choose between them 

For more on each of these points, as well as guidance on scaling your programme to a global scope, building data privacy culture in your organisation, and avoiding ‘the tick box mentality’, you can watch our latest webinar. 

Watch Webinar 

What is an ‘Effective’ Data Privacy Programme? 

What constitutes an effective data privacy programme varies on a case-by-case basis; it will entirely depend on your organisation’s specific data privacy goals and how well your programme meets relevant legislative and regulatory requirements. 

In some cases, meeting and maintaining compliance with regulations may be enough to be considered effective. In others, ‘effective’ may mean leveraging best-in-class privacy practices to build a competitive advantage. If your goal is the latter – to be best-in-class – you will inevitably need to hold your data privacy programme to a higher standard.  

Define Your Data Privacy Goals and Target Maturity Level 

To understand what ‘effective’ means for your organisation, you first need to define your data privacy objectives. These should be informed by the overall goals and objectives of your organisation, considering how your privacy programme can help achieve them. 

For example, if you are a small B2B organisation that is simply collecting the business contact details of people you’re working with, your focus will likely be on how to remain compliant. By contrast, if you’re a heavily regulated financial services organisation processing high volumes of personal data, you are likely looking beyond compliance to show data privacy can create a competitive advantage. 

In these two examples, setting the same data privacy goals would not be appropriate. We always recommend a pragmatic approach, focusing on areas that pose a real risk to your organisation. Returning to the example of a smaller B2B business, their primary concerns may be their Record of Processing Activity (ROPA) and ensuring they have robust controls in place to avoid being non-compliant. It is unlikely to be a good use of their time to invest in automated data subject rights requests when they may only be receiving a handful of them every year. For the larger financial services organisation, optimising processes and controls is not only desirable but necessary for compliance and, therefore, they must set more ambitious goals.  

For your own organisation, you should work with your senior stakeholders to define your goals appropriately. When setting these goals, you will want to be realistic while considering the highest level that your organisation could realistically achieve given its size, resources, and the industry you’re in. You may also want to consider what a regulator would expect of your organisation given these factors. 

What is the Difference Between Compliance and Maturity? 

It’s worth noting that we shouldn’t conflate ‘effective’ with ‘mature’. An organisation can have an effective programme that isn’t considered mature by most data privacy frameworks, and vice versa. 

As highlighted with our two examples in the previous section, a less mature programme may be more appropriate for businesses that have a lower level of target maturity and process limited volumes of personal data. Their concern is likely to be achieving baseline compliance, but achieving that goal doesn’t mean they have a mature privacy programme. 

How to Choose a Data Privacy Framework 

Now that your goals are defined, you’re able to assess your maturity. However, to do so, you will need to choose a framework to assess against. 

There are several publicly available privacy control frameworks that you may choose to use. Some of these frameworks may be more useful to you than others. Each framework will have differing levels of detail, and some will be better suited to more mature organisations while others are more applicable to less mature ones. 

When choosing, you should ensure you’re assessing yourself against an appropriate framework given the context of your organisation and your appetite for privacy maturity. Returning to our example organisations in the previous section, a more mature framework would not be appropriate for the smaller B2B business as they may be scored as ‘inadequate’ despite meeting all their compliance requirements. Likewise, a less mature framework may not have requirements that meet the high standards a financial services organisation should have in place. 

Below, we’ve covered some common data privacy control frameworks. 

Example Data Privacy Frameworks 

  • The ICO Accountability Framework provides a good baseline for UK organisations looking to align themselves with regulator’s expectations. As free resources go, this provides a good baseline but is lacking on higher maturity controls. 

  • NIST’s Privacy Risk Assessment Methodology is a tool intended to help organisations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. 

  • The Data Privacy Maturity Framework (DPMF) is a proprietary framework developed by Bridewell that provides a more robust assessment, considering legislative requirements in the UK and GDPR, as well as globally recognised standards such as ISO27001 and NIST’s privacy risk assessment methodology. 

Assessing Your Data Privacy Maturity 

Below, we’ve provided the assessment criteria for Bridewell’s DPMF. If you aren’t sure where your organisation falls on this scale, we’ve provided some reference examples in our webinar to help you benchmark your maturity.  

How to assess the maturity of your data privacy framework is outside the scope of this blog. However, by being able to define your target maturity level and recognise the differences between maturity and effectiveness, you should be in a better place to make that assessment. This is also covered in more depth in our webinar. 

For help in assessing your data privacy maturity, get in touch with one of our team or head over to our  DPMF page for more information.