dc.rights.license | CC-BY-NC-ND | |
dc.contributor.advisor | Brinkkemper, Sjaak | |
dc.contributor.author | Muszynski, Michel | |
dc.date.accessioned | 2023-10-03T00:00:50Z | |
dc.date.available | 2023-10-03T00:00:50Z | |
dc.date.issued | 2023 | |
dc.identifier.uri | https://studenttheses.uu.nl/handle/20.500.12932/45320 | |
dc.description.abstract | The privacy-by-design (PbD) paradigm was formulated to embed privacy throughout the entire lifecycle of systems, processing activities, and data. However, existing research describes vagueness, a lack of guidance, and a lack of structure resulting in this field being stuck in high-level principles and guidelines, fostering an environment where organisations are adopting their own interpretation of PbD which leads to inconsistent practices and potentially suboptimal solutions. The aim of this research is twofold: (1) structure the privacy-by-design domain by identifying key factors and formulating greater themes and categories to gain an understanding of the functional composition, and (2) create a concrete guiding artifact for the application of PbD in the form of a focus area maturity model to aid practitioners in closing the gap between principles and real design. This research used design science as the overarching paradigm guiding the creation of the maturity model artifact. A concrete maturity model design method was constructed based on method fragments from existing methods that target maturity models. Two multivocal literature reviews were conducted to find PbD factors which were aggregated through a coding approach and subsequently used for the formulation of maturity model elements that populate the maturity matrix. The validation consisted of a focus group interview and the evaluation consisted of a survey presented to participants who had performed an assessment using the created assessment instrument. The main result of this research is a focus area maturity model for privacy-by-design. The proposed model allows organisations to assess their PbD maturity and it suggests improvement actions for maturity development. The accompanying assessment instrument consists of a web-based tool that provides an automated assessment experience and can generate a shareable maturity report. The overall PbD maturity of organisations who performed an assessment was found to be low with all but one not reaching the first maturity level. Practitioner attitude towards the proposed model was neutral to moderately positive. Additional research should address the limitations of this work by aiming to increase the generalisability of the proposed model for different legal systems and organisation types, and by investigating practitioner attitude on a greater scale. | |
dc.description.sponsorship | Utrecht University | |
dc.language.iso | EN | |
dc.subject | This thesis investigates what the best privacy-by-design practices are and proposes a focus area maturity model for this domain, including improvement actions and tool support. | |
dc.title | A Focus Area Maturity Model for Privacy-by-Design | |
dc.type.content | Master Thesis | |
dc.rights.accessrights | Open Access | |
dc.subject.keywords | privacy;data protection;privacy-by-design;focus area;capability;maturity model;information systems;design science | |
dc.subject.courseuu | Business Informatics | |
dc.thesis.id | 24968 | |