The CNIL offers a self-assessment on data protection
The National Commission for Informatics and Liberties presents its project and models on the maturity of organizations in terms of data protection management. It opens the way for many uses and tools for supporting businesses.
Data protection management remains a sensitive subject for companies. Sometimes poorly supported and often poorly informed on the subject, companies must rely on what already exists. To this end, the CNIL is publishing its first thoughts on the creation of a “maturity model” for data protection management. This project transposes the maturity levels defined in international standards to data protection management and aims to describe the full range of possible situations. The draft model describes “8 typical data protection activities in 5 maturity levels”.
Through this model, the CNIL wishes to give organizations a complete set of reference points for data protection management. Examples of actions or outputs illustrate each maturity level for each typical activity in tabular form. In the field of data protection, the different maturity levels correspond to those defined in ISO/IEC 21827 and the ANSSI “SSI maturity” guide. The table below therefore describes the five maturity levels in a generic way. Each level represents how an organization designs, implements, controls, maintains and monitors an activity, whatever that activity is. Reaching a level naturally presupposes having already reached the previous one. The different maturity levels – ranging from 0 to 5 – make it possible to assess how the processes related to data protection are managed.
Numbered from 0 to 5, the different maturity levels allow the company to self-assess. (Credit: Cnil)
The different activities around data protection
In order to be more concrete, the supervisory body presents eight typical activities related to data protection (which can theoretically be found in any organization, whether or not they are actually implemented). Here is an exhaustive list of these activities: define and implement data protection procedures, pilot data protection governance, identify and update the list of personal data processing operations, ensure legal compliance of processing, train and raise awareness, process internal and external user requests, manage security risks and manage data breaches.
The CNIL presents typical general activities present within companies. (Credit: Cnil)
By applying the different levels of maturity to typical activities, the CNIL gives some examples of good and bad practices within companies. The typical model of good conduct in data protection management would therefore consist of having “a continuously optimized process, with updated policies and procedures as soon as a possible improvement is identified”. With regard to awareness, it is advisable to offer “regular training or information sessions on new technologies or issues relating to data protection”.
In addition, the register of processing operations must serve as an instrument for steering actions relating to the processing of personal data (e.g. it serves as an inventory, but also as an instrument for comparative risk management and for monitoring action plans). Finally, “a review of breaches must be carried out regularly in order to identify and implement measures to improve data security”. The “management of data breaches will feed into risk studies” (e.g. a DPIA, or AIPD in French) and “automated management of logs will make it possible to detect data breaches as quickly as possible”. This guide to good conduct for companies and organizations will provide some answers on the way forward.