Privacy Maturity Audits: Turning Assessments into Actions
Privacy maturity audits are valuable, yet many organisations hit a wall when it comes to turning the assessment into action. The pattern is familiar: your team produces an assessment that stretches to tens or even hundreds of pages, and it then becomes a passive virtual shelf-filler. That failure turns your organisation’s carefully compiled list of weaknesses and opportunities into a waste of effort and resources.
Ready to stop the cycle? This post discusses how to take your privacy maturity audit and turn it into an executable roadmap.
What is a Privacy Maturity Audit?
A privacy maturity audit describes the benchmarking of privacy processes and metrics against maturity standards. It differs from a compliance audit in that it’s not a yes/no check of whether an organisation is compliant with existing regulations. Instead, it assesses the level of sophistication of its practices. Usually the goal is to move an organisation from reactive practices to proactive, repeatable, optimised practices that are embedded into the corporate culture.
Some well-known benchmarking frameworks are:
- The NIST Privacy Framework
- ISO 29100 (you may wish to read our analysis of this framework)
- ISO 27701 Personal Information Management System Requirements
- IAPP’s privacy maturity framework,
- The OAIC’s self-assessment tool (read our review of the tool), and
- The NZ privacy maturity assessment framework.
One Major Drawback of Privacy Maturity Audits
There are plenty of benefits to conducting a privacy maturity audit or assessment, such as identifying systemic risks, building consumer trust, promoting accountability, and supporting compliance. Having a privacy program and understanding organisational privacy risks and maturity is also closely tied to APP 1: APP 1.2 requires entities to take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs, which the OAIC reads as requiring a privacy management program. The Australian regulator is increasingly pointing organisations to the need for a proactive privacy maturity plan.
Privacy maturity audits can also be used to develop a roadmap for improvement.
But all too often, the audit turns into a list of deficits with no real roadmap for improvement. This leads to ‘audit-to-shelf’ syndrome, which may give leaders some (generally false) assurance that risks are being managed.
Unfortunately, this pattern keeps organisations from addressing the opportunities and weaknesses the privacy maturity audit identified. It can also erode support for privacy initiatives in the longer term, since leaders and boards may come to view these exercises as a waste of time and resources if no measurable change comes from them.
That’s why we’re proposing these key steps to turn your privacy maturity audit into actions.
Key Steps to Turn a Privacy Maturity Assessment into Action
Following these steps can help your organisation avoid audit-to-shelf syndrome while also creating an actionable roadmap that aligns with broader organisational priorities. The ultimate goal is to build your privacy maturity to a point that it becomes part of the culture or, as IAPP puts it “part of an organization’s DNA” where “Processes are continuously refined; automated workflows are embedded; and privacy operations are seamlessly integrated into everyday functions.”
Step 1: Translate findings into priorities
A list of 50 findings from the audit doesn’t tell as compelling a story as identifying strategic priorities based on those findings, and outlining metrics that could show improvements.
To start, group the findings by the privacy domain they affect (for example collection, notice, third-party management, individual rights). With those groupings in place, build a risk matrix that records, for each finding, the maturity gap (the distance between the current and desired state) alongside the usual matrix inputs: the likelihood of financial, legal or reputational harm and the severity of the consequences if it were to occur.
Then, based on your organisation’s risk appetite and risk matrix presentation, you can create a list of privacy-related priorities.
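The scoring described above, as an added worked example that is not part of the original post or of Privacy 108’s methodology. It assumes 5-point scales for maturity, likelihood and severity, a multiplicative priority score (likelihood × severity × maturity gap), a risk appetite expressed as the highest likelihood × severity cell the organisation will accept, and a phasing rule (a one-level gap is a quick win, a wider gap is a core change) that the post names but does not define; the sample findings are constructed.

```python
"""Turn privacy maturity audit findings into ranked priorities.

Added worked example. The scoring scales, the phasing rule and the sample
findings are assumptions made for illustration, not from a real audit.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ref: str          # audit finding reference
    domain: str       # privacy domain the finding affects
    current: int      # current maturity level, 1 (ad hoc) to 5 (optimised)
    target: int       # maturity level the organisation wants to reach
    likelihood: int   # 1 (rare) to 5 (almost certain) that harm eventuates
    severity: int     # 1 (negligible) to 5 (severe) financial/legal/reputational harm


def maturity_gap(f: Finding) -> int:
    """Distance from the desired state; never negative."""
    return max(0, f.target - f.current)


def risk_score(f: Finding) -> int:
    """Classic 5x5 matrix cell: likelihood x severity, 1..25."""
    return f.likelihood * f.severity


def priority_score(f: Finding) -> int:
    """Weight inherent risk by distance from target, so an immature practice
    carrying high risk rises to the top and a practice already at target
    scores zero regardless of its inherent risk."""
    return risk_score(f) * maturity_gap(f)


def phase(f: Finding) -> str:
    """Assumed roadmap phasing: a one-level gap is a quick win, a wider gap a
    core change (the post names the phases; this rule is an assumption)."""
    return "quick win" if maturity_gap(f) <= 1 else "core change"


def prioritise(findings, risk_appetite: int):
    """Rank domains by summed priority score, highest first.

    Findings whose inherent risk sits within the stated appetite are accepted,
    and findings already at their target are noted, rather than scheduled.
    """
    by_domain = defaultdict(list)
    accepted, at_target = [], []
    for f in findings:
        if risk_score(f) <= risk_appetite:
            accepted.append(f.ref)
        elif maturity_gap(f) == 0:
            at_target.append(f.ref)
        else:
            by_domain[f.domain].append(f)

    ranked = []
    for domain, items in by_domain.items():
        ranked.append({
            "domain": domain,
            "score": sum(priority_score(f) for f in items),
            "actions": [(f.ref, phase(f), priority_score(f))
                        for f in sorted(items, key=priority_score, reverse=True)],
        })
    ranked.sort(key=lambda d: d["score"], reverse=True)
    return ranked, accepted, at_target


# Constructed sample findings, not taken from any real audit.
SAMPLE_FINDINGS = [
    Finding("F01", "Collection", current=1, target=3, likelihood=4, severity=4),
    Finding("F02", "Collection", current=2, target=3, likelihood=3, severity=3),
    Finding("F03", "Notice", current=2, target=3, likelihood=2, severity=2),
    Finding("F04", "Third parties", current=1, target=4, likelihood=3, severity=5),
    Finding("F05", "Product defaults", current=2, target=4, likelihood=4, severity=5),
    Finding("F06", "Individual rights", current=3, target=3, likelihood=3, severity=4),
]

if __name__ == "__main__":
    ranked, accepted, at_target = prioritise(SAMPLE_FINDINGS, risk_appetite=6)
    for d in ranked:
        print(f"{d['domain']:<18} total {d['score']:>3}  actions {d['actions']}")
    print("accepted within appetite:", accepted)
    print("already at target:", at_target)
```

With the sample data, third-party management ranks first on a single wide-gap, high-severity finding, while collection ranks second on the strength of two findings, one of them a quick win. Multiplying by the gap is deliberate: it keeps the roadmap pointed at practices that are both risky and immature, and it prevents a domain that is already at target from absorbing budget simply because its inherent risk is high. Summing per domain, rather than taking the maximum, is a choice that favours domains with several related gaps; swap in `max` if you would rather surface the single worst finding.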
Step 2: Develop a roadmap
With these priorities in mind, it’s helpful to next create a roadmap to improvement. The roadmap should extend at least 12 months, though more mature operations often have 24-36 month roadmaps that include additional infrastructure and/or technology planning.
This roadmap should include distinct phases, from quick wins to core changes required to improve maturity. But, more importantly, the roadmap should include a budget and phases that align with other major business initiatives. This helps to frame privacy as an integrated element of upcoming operational changes, as opposed to a standalone budget line item that’s competing with other priorities.
Step 3: Assign ownership and accountability
One element of a successful privacy initiative that is often overlooked is assigning accountability and ownership of tasks. When someone is accountable for organisational privacy, particularly someone senior, it gives the program momentum and teeth and signals that privacy is an important strategic program.
Your roadmap should assign a senior organisational leader responsibility for the adoption and implementation of the changes. From there, ownership of individual tasks should trickle down to the appropriate departments and individuals. We talk in more detail about this in our post covering the five core elements of a successful privacy program.
Step 4: Embed privacy by design and default
If you’re like most organisations, your audit findings likely include issues related to data over-collection, inadequate provision of notice, insecure defaults in new products, or belated Privacy Impact Assessments (PIAs). These issues are symptoms of a program that views privacy as a post-launch legal checklist – which is very common.
Privacy by Design can help you change this. It is an approach to building privacy and data protection up front, into the very DNA of technologies, business practices, products and services and physical infrastructure.
The goal is to make it nearly impossible for a new product, system, or vendor relationship to enter your operations without privacy controls built-in from the earliest conceptual stage. This can help to improve efficiencies in your operations and compliance, since building in high privacy standards from the outset streamlines compliance with many regulations around the globe.
We’ve covered Privacy by Design in past posts, which you might wish to review for more information:
- 5 tips for successfully implementing Privacy by Design
- Baking in privacy early with Privacy by Design
- ISO 31700: A new ISO for Privacy by Design.
Finally, you may also find our downloadable Privacy by Design guide helpful. It has been created for organisations and Privacy Officers looking to begin implementing PbD, and its objective is to move beyond theory and provide actionable steps to integrate PbD into common day-to-day business scenarios.
Step 5: Measure progress and report on it
The final step in our framework is to translate your privacy priorities into measurable metrics. One reason is that mature privacy programs report on relevant metrics, so doing so is itself a step towards a more mature privacy posture. A more tangible benefit is that it lets you report progress in a language that leaders and the board understand and value.
The type of metrics you choose will vary depending on your specific operations and priorities. However, more mature privacy programs tend to move away from binary yes/no completion metrics towards key performance indicators. This could include metrics such as percentage reduction in the volume of high-risk data stores, percentage of third-party vendors audited for privacy compliance, the time-to-deploy patches for application vulnerabilities, or average time to fulfill data subject requests.
The outcomes should also be shareable or easily accessible. The person accountable for the implementation should stay up to date on current metrics, but the metrics should also be readily available to leaders and boards, and to relevant team members where appropriate.
Improve Your Privacy Posture with Privacy 108
Privacy 108’s privacy management programs empower organisations to champion privacy through policies and processes, education, awareness, and accountability.
Our Privacy Management Program service will help you:
- Assess the maturity of your current privacy management program;
- Identify gaps between your current maturity and your target level of maturity;
- Design a strategic roadmap to create a privacy management program or improve the maturity of your existing program.
If you’re interested to learn more, reach out to hello@privacy108.com.au for an obligation-free consultation. Our team of privacy professionals would be happy to hear from you.