1. Does your organization have a designated privacy officer or privacy lead with defined responsibilities?

1 – Emerging: No privacy lead exists; privacy is handled by whoever is available.
2 – Developing: Someone handles privacy informally but has no official role or defined responsibilities.
3 – Defined: A privacy officer or lead is officially designated with documented responsibilities.
4 – Optimized: A qualified privacy lead with cross-functional authority, budget, and executive access is in place.

2. Is there an executive-level sponsor or steering committee overseeing your privacy program?

1 – Emerging: No executive involvement in privacy decisions.
2 – Developing: Privacy is occasionally discussed at executive level but not formally sponsored.
3 – Defined: An executive sponsor is identified and receives regular privacy program updates.
4 – Optimized: A privacy steering committee with executive members meets regularly to set direction and review metrics.

3. Does your organization have a documented privacy policy that is reviewed and updated regularly?

1 – Emerging: No privacy policy exists, or it was created once and never revisited.
2 – Developing: A privacy policy exists but reviews are irregular or driven by incidents.
3 – Defined: A privacy policy is documented and reviewed on a defined schedule (at least annually).
4 – Optimized: The privacy policy is regularly updated, version-controlled, and linked to operational procedures across departments.

4. Are privacy roles and responsibilities clearly defined across business units?

1 – Emerging: Privacy responsibilities are undefined; teams operate independently with no coordination.
2 – Developing: Some teams have informal privacy champions, but responsibilities are not documented.
3 – Defined: Privacy roles are documented in job descriptions and privacy-specific responsibility matrices (RACI).
4 – Optimized: Privacy accountability is embedded in performance reviews, and a network of trained privacy champions spans all business units.

5. Do you conduct formal privacy program reviews or audits at least annually?

1 – Emerging: No formal audits or reviews are conducted.
2 – Developing: Occasional reviews happen but are reactive (post-incident or pre-audit only).
3 – Defined: Annual privacy reviews are scheduled and findings are documented with action plans.
4 – Optimized: Continuous monitoring supplements formal annual audits; findings feed into a documented improvement cycle.

6. Have you completed a formal inventory of all personal data your organization collects and processes?

1 – Emerging: No inventory exists; nobody knows exactly what data is collected or where it lives.
2 – Developing: A partial inventory exists for some systems or departments, but it is incomplete.
3 – Defined: A complete data inventory exists, covering all major data categories and systems.
4 – Optimized: The inventory is maintained in a dedicated system, automatically updated when new processing activities begin.

7. Is your data inventory kept current when new systems or processes are introduced?

1 – Emerging: No process exists to update the inventory when changes occur.
2 – Developing: Updates happen inconsistently, often only when someone remembers.
3 – Defined: A defined change management process requires inventory updates for new systems or major changes.
4 – Optimized: Inventory updates are automated or integrated into the software development lifecycle (SDLC) and vendor onboarding.

8. Do you document the legal basis for processing personal data for each data category?

1 – Emerging: Legal bases for processing have never been formally identified.
2 – Developing: Legal bases are identified for some processing activities but not systematically documented.
3 – Defined: Legal bases are documented for all data categories in a records of processing activities (RoPA).
4 – Optimized: Legal bases are reviewed regularly and linked to privacy notices, ensuring ongoing alignment with regulatory requirements.

9. Have you mapped data flows — including third-party transfers — across your systems?

1 – Emerging: No data flow mapping has been done.
2 – Developing: Some data flows are informally understood but not visually mapped or documented.
3 – Defined: Data flow diagrams exist covering internal systems and key third-party transfers.
4 – Optimized: Comprehensive, current data flow maps are maintained, including cross-border transfers and sub-processors, with regular validation.

10. Do you track data retention periods and enforce deletion schedules?

1 – Emerging: No retention schedule exists; data is kept indefinitely by default.
2 – Developing: Retention periods are partially defined for some data types but deletion is not consistently enforced.
3 – Defined: A retention schedule covers all key data categories and deletion is routinely executed.
4 – Optimized: Automated retention enforcement is in place with audit trails, and the schedule is reviewed against regulatory requirements annually.

11. Do you have documented processes for responding to data subject access requests (DSARs)?

1 – Emerging: No process exists; DSARs would be handled informally if received.
2 – Developing: A rough process exists but is undocumented and relies on individuals knowing what to do.
3 – Defined: A documented DSAR process covers receipt, verification, fulfillment, and response within legal timeframes.
4 – Optimized: DSARs are managed through a dedicated workflow tool with automated tracking, escalation, and reporting capabilities.

12. Can your organization respond to privacy rights requests within legally required timeframes (e.g., 30 days under GDPR/CCPA)?

1 – Emerging: We have never been tested and are not confident we could meet legal timeframes.
2 – Developing: We believe we could respond in time but have not tested or documented our process.
3 – Defined: We have consistently met legal response timeframes on all received requests.
4 – Optimized: Automated tracking ensures no request misses a deadline; SLA metrics are reported to management regularly.

13. Are privacy rights requests (access, deletion, correction, portability) tracked and logged?

1 – Emerging: No logging or tracking of rights requests exists.
2 – Developing: Requests are informally tracked (e.g., in email or a spreadsheet) with no standardization.
3 – Defined: A log is maintained for all requests, capturing type, date received, deadline, status, and outcome.
4 – Optimized: Requests are tracked in a dedicated system providing real-time visibility, analytics, and audit-ready reporting.

14. Do you have a process for honoring opt-outs from data sales or targeted advertising?

1 – Emerging: No opt-out mechanism exists.
2 – Developing: An opt-out link exists but the downstream process for honoring it is unclear or manual.
3 – Defined: A documented opt-out process is in place and tested to ensure opt-outs are honored across systems.
4 – Optimized: Opt-outs are honored automatically in real-time across all data sharing and advertising platforms, with GPC signal support.

15. Have you tested your rights-fulfillment process in the past 12 months?

1 – Emerging: Process has never been tested.
2 – Developing: Testing has been discussed but not formally executed.
3 – Defined: The process has been tested in the past year; findings were documented and gaps addressed.
4 – Optimized: Regular testing (at least twice yearly) is scheduled; results feed into continuous process improvement.

16. Do you have a Consent Management Platform (CMP) or equivalent system managing user consent?

1 – Emerging: No CMP or consent mechanism is in place; cookies fire without consent.
2 – Developing: A basic cookie banner exists but doesn’t block non-essential cookies prior to consent.
3 – Defined: A CMP is deployed that blocks non-essential cookies before consent and stores consent records.
4 – Optimized: A CMP with granular consent controls, geo-targeting, consent versioning, and integration with all marketing tools is in place.

17. Are consent records (who consented, when, to what) captured and stored?

1 – Emerging: No consent records are captured or stored.
2 – Developing: Some consent records exist but are incomplete or inaccessible for audit purposes.
3 – Defined: Consent records are systematically captured, including timestamp, version, and scope of consent granted.
4 – Optimized: Full consent audit trails are maintained with the ability to demonstrate consent history to regulators on demand.

18. Are your privacy notices written in plain language that users can understand?

1 – Emerging: Privacy notices are absent, hidden, or written in dense legal language inaccessible to average users.
2 – Developing: Notices exist but use complex legal language without layered or simplified summaries.
3 – Defined: Privacy notices use plain language and are reviewed for readability and regulatory compliance.
4 – Optimized: Layered, user-tested privacy notices are contextually delivered at the point of data collection, available in multiple languages where needed.

19. Do you obtain valid, granular consent before setting non-essential cookies?

1 – Emerging: Non-essential cookies fire on page load without any consent.
2 – Developing: A consent banner appears but non-essential cookies may fire before users interact with it.
3 – Defined: Non-essential cookies are blocked until explicit, granular consent is given per category.
4 – Optimized: Consent controls are geo-customized per applicable law, regularly audited, and all cookies are inventoried and categorized.

20. Do you have a mechanism for users to withdraw consent as easily as they gave it?

1 – Emerging: No withdrawal mechanism exists once consent is given.
2 – Developing: Users can technically withdraw consent but the process is buried or requires significant effort.
3 – Defined: A clearly accessible re-consent widget or preference center allows users to update or withdraw consent at any time.
4 – Optimized: Withdrawal is as easy as granting consent; changes propagate automatically to all downstream systems in real time.

21. Do you conduct Privacy Impact Assessments (PIAs) or DPIAs for high-risk processing activities?

1 – Emerging: PIAs/DPIAs have never been conducted.
2 – Developing: Occasional risk assessments happen but are not formalized as PIAs/DPIAs.
3 – Defined: PIAs/DPIAs are conducted for high-risk activities using a documented methodology and risk register.
4 – Optimized: PIAs/DPIAs are integrated into project and product development workflows, with automated triggers for required assessments.

22. Do you vet third-party vendors and processors for privacy compliance before engagement?

1 – Emerging: No vendor privacy vetting exists; vendors are onboarded without privacy review.
2 – Developing: Informal checks happen for some vendors but there is no consistent process.
3 – Defined: A privacy review is required for all vendors handling personal data before contracts are signed.
4 – Optimized: Vendor privacy risk is rated via a tiered scoring system, integrated into procurement workflows with ongoing monitoring.

23. Do you have Data Processing Agreements (DPAs) in place with all applicable vendors?

1 – Emerging: No DPAs are in place with any vendors.
2 – Developing: DPAs exist for some vendors but coverage is incomplete.
3 – Defined: DPAs are in place for all vendors that process personal data on your behalf.
4 – Optimized: DPAs are tracked in a contract management system, with automated renewals and compliance clauses aligned with current regulations.

24. Is there a formal process for reviewing vendor compliance on an ongoing basis?

1 – Emerging: Vendors are never reviewed after initial onboarding.
2 – Developing: Vendor reviews happen occasionally, typically triggered by a contract renewal or incident.
3 – Defined: Annual vendor privacy reviews are scheduled for high-risk vendors, with documented outcomes.
4 – Optimized: Continuous vendor monitoring includes automated alerts for certifications expiring, new sub-processors, or regulatory changes.

25. Do you have a breach notification procedure that meets regulatory timeframes (e.g., 72 hours under GDPR)?

1 – Emerging: No breach notification procedure exists.
2 – Developing: A procedure exists informally but has not been tested or formalized to meet regulatory timelines.
3 – Defined: A documented incident response and breach notification procedure covers detection, assessment, notification, and remediation steps.
4 – Optimized: The breach response plan is tested via tabletop exercises, integrated with cybersecurity IR plans, and updated after each incident.

26. Do all employees who handle personal data receive privacy training at least annually?

1 – Emerging: No privacy training is provided to employees.
2 – Developing: Training is provided occasionally but not on a consistent annual schedule.
3 – Defined: All relevant employees receive annual privacy training with documented completion rates.
4 – Optimized: Training is continuous, supplemented with regular awareness campaigns, simulations, and role-specific deep dives.

27. Is privacy training role-specific (e.g., HR, marketing, and engineering receive tailored content)?

1 – Emerging: No training exists, or all employees receive the same generic content regardless of role.
2 – Developing: Some roles receive different training but most content is generic.
3 – Defined: Role-based training modules exist for key functions like HR, legal, marketing, IT, and engineering.
4 – Optimized: Highly targeted, regularly updated role-specific training incorporates current regulatory changes and scenario-based learning.

28. Are privacy considerations included in new employee onboarding?

1 – Emerging: Privacy is not mentioned during employee onboarding.
2 – Developing: Privacy is briefly mentioned in onboarding but is not a formal module.
3 – Defined: A dedicated privacy onboarding module covers key policies, employee responsibilities, and how to handle personal data.
4 – Optimized: Privacy onboarding is role-tailored, completion is tracked, and employees attest to privacy policies before accessing personal data.

29. Does your organization treat privacy as a business value rather than just a compliance checkbox?

1 – Emerging: Privacy is seen purely as a legal burden; no cultural value is attached to it.
2 – Developing: Leadership acknowledges privacy importance but it is not embedded in business decisions or culture.
3 – Defined: Privacy is positioned as a business and customer trust value internally; leaders actively communicate this message.
4 – Optimized: Privacy is a competitive differentiator; it is marketed externally, embedded in product design, and championed at board level.

30. Do you track and report on privacy training completion rates?

1 – Emerging: Training completion is not tracked.
2 – Developing: Completion is tracked informally but not reported upwards.
3 – Defined: Completion rates are tracked in an LMS or equivalent system and reported to privacy leadership.
4 – Optimized: Completion rates, assessment scores, and knowledge gaps are reported to executives and drive future training investments.