The Risk-Based Privacy Maturity Model (PRM) has been designed to provide a clear, simple, and comprehensive framework for evaluating enterprise privacy and security. Rather than focusing exclusively on legal and regulatory requirements, which vary between organizations, it assesses organizational maturity according to three dimensions: Business Tools, Risk Measurement and Control, and Implementation.
Among major healthcare organizations, the most popular approach to ensuring compliance with privacy laws and regulations is the use of checklists. Checklists have several important benefits: they are usually clear, simple, and economical. They are also often provided by regulators, implying that they can be trusted to align with privacy law and standards. Most organizations assume that using legal compliance checklists will ensure that their privacy and security obligations are met.
Unfortunately, this is not the case. Implementing checklists cannot be assumed to ensure legal compliance, let alone privacy and security best practices. In an environment of increased institutional complexity, each organization’s unique context and structure is relevant in determining legal and policy requirements, designing privacy and security architecture and processes, and mitigating risk.
A maturity approach provides an alternative means of assessing enterprise privacy and security. While checklists simply list policies and practices needed to protect privacy, a maturity assessment evaluates how well these are actually implemented through business processes and workflows. A maturity approach, rather than listing standard criteria, helps organizations to develop comprehensive processes for identifying legal and regulatory requirements, setting goals based on industry best practices and organizational needs, and evaluating the effectiveness of privacy implementation. A maturity approach to privacy moves organizations from a pass-fail paradigm of verifying compliance to a growth paradigm of implementing industry best practices in line with their own needs and goals.
A key feature of a maturity approach is risk-based decision-making. A risk-based approach to privacy, rather than defining standard privacy and security practices regardless of context, measures how effective an organization’s practices are in reducing quantifiable privacy risk to an acceptable level. Basing policy and business decisions on objective measures of privacy risk generally leads to more effective and defensible practices. In addition, risk metrics enable performance management, making it possible to allocate resources to the most efficient privacy and security solutions.
A Risk-Based Privacy Maturity Roadmap
An assessment using the Risk-Based Privacy Maturity Model will clarify an organization’s strengths and gaps with regard to privacy. To move from its current state to a desired future state, an organization will advance through several stages, at a pace set by its own progress and other priorities. We recommend that roadmaps for the further development of privacy programs follow two principles:
- Maturity levels on the three dimensions of Business Tools, Risk Measurement and Control, and Implementation should be increased through a staged implementation of new practices. For instance, an organization at a maturity level of B1-R1-I2, where Business Tools are at the Procedures level, Risk Measurement and Control is at the Checklist level, and Implementation is at the Active level, would be best served by first developing policy (to move to B2-R1-I2), then creating an issue management system (to move to B2-R2-I2), and only afterward implementing performance management practices (to move to B2-R2-I3). Because business tools support both risk measurement and implementation, it is not possible, for instance, to implement performance management until clear policies are in place.
- Before implementing privacy changes across the organization, a pilot rollout should be implemented in specific departments. This will help to increase awareness of the new, higher-maturity practices and establish internal champions who can later provide advice and guidance to others in the organization. A gradual rollout of new practices will generally be better organized, allow time for troubleshooting, and be more acceptable to staff.
Defining and implementing mature, risk-based privacy structures, as guided by the Risk-Based Privacy Maturity Model, helps organizations to move from verifying compliance to promoting privacy best practices. A maturity approach to privacy guides the development and implementation of well-defined policies and processes appropriate to each organization’s structure and context. The specific risk-based component of this approach helps organizations to monitor the effectiveness of their practices and to use feedback to improve them. Ultimately, the use of risk metrics can enable decision-making based not only on standard guidelines, but also on objective data from an organization’s own context. We hope that this model will help organizations to move from following standard privacy checklists and guidelines to defining their own privacy solutions based on a contextualized understanding of their regulatory obligations, privacy risks, organizational needs, and opportunities for growth.