No process for managing regulatory change.
(Score = 0)

Ad-hoc, reactive, triggered by consumer request or recent regulatory enforcement action
(Score = 1)

Proactive change management for upcoming regulations
(Score = 2)

Standards defined to anticipate future regulation
(Score = 3)

Privacy best practices embedded in organization, with higher standards than those required by regulation
(Score = 4)

Not clear
(Score = 0)

Mid-level owner part-time on privacy program
(Score = 1)

Dedicated privacy leader such as a Chief Privacy Officer (CPO)
(Score = 2)

In addition to CPO, individuals with functional accountability for privacy now also in IT, Marketing, and product teams
(Score = 3)

Accountability at C-level in every functional group – privacy is viewed as everyone’s job
(Score = 4)

None
(Score = 0)

All operations run by legal with minimal involvement from technology team
(Score = 1)

Access to enough technology resources and budget to effectively deploy privacy software and support programs
(Score = 2)

Strong technology partnership with dedicated technical resources for deployment and running ongoing privacy operations
(Score = 3)

Privacy controls embedded into the technology architecture of the company
(Score = 4)

Do not manage
(Score = 0)

Website cookie compliance for “do not sell/share” deployed but not actively managed
(Score = 1)

Ongoing management of cookie compliance, with expansion to mobile apps or other connected devices.
(Score = 2)

Localized consent user experience by region. Extensive testing to optimize consent user experience. Management of non-cookie tracking technologies
(Score = 3)

Consent for a given user synchronized across all digital experiences, including websites, mobile apps, and other connected devices.
(Score = 4)

Do not collect or manage preferences
(Score = 0)

Single preference: One contact method for one purpose (e.g., collect email address for newsletter)
(Score = 1)

Multiple direct marketing preferences in an online preference center, offering granularity and choice for consumer.
(Score = 2)

Customer preferences expanded beyond direct marketing to product and service preferences with incremental opt-out options for all.
(Score = 3)

First-party data and customer preferences seen by marketing and product teams as foundational for strategy. Preference center regularly tested and optimized. Customer data is now used exactly the way each customer wants.
(Score = 4)

No process
(Score = 0)

Email-based intake with manual fulfillment
(Score = 1)

Web-based intake with partially automated fulfillment
(Score = 2)

Web-based intake with fully automated fulfillment (data retrieval, deletion, update, redaction, and secure communication back to user)
(Score = 3)

Single-day response for majority of requests.
(Score = 4)

Minimal tracking
(Score = 0)

Static and incomplete spreadsheet-based mapping of activities
(Score = 1)

Increasingly comprehensive and up-to-date (evergreen) data and activity map used primarily for record-keeping
(Score = 2)

Evergreen data and activity map, including process for identifying personal data that has drifted to unexpected applications, data sources, or tables (data drift)
(Score = 3)

Controls based on data and activity map to enforce that personal data is only used for consented and authorized purposes.
(Score = 4)

None or very limited risk assessment.
(Score = 0)

Ad-hoc risk assessment with limited consistency and cross-functional collaboration
(Score = 1)

Structured process and frameworks for risk assessment, with cross-functional and third-party collaboration
(Score = 2)

Line-of-business engagement to integrates results of risk assessment into business decision-making
(Score = 3)

Risk-informed decision-making moved to beginning ("shift-left") of any project or product development process that uses personal data.
(Score = 4)

No visibility into where personal data is stored
(Score = 0)

Limited visibility into where personal data is stored and how it is transferred across geographic borders.
(Score = 1)

Good visibility into where personal data is stored, including cross-border transfers.
(Score = 2)

Data controls to remediate violations such as personal data that is stored or accessed inappropriately, has passed its retention period, or is protected inadequately.
(Score = 3)

Purpose-based access control to ensure that personal data is only used for the purpose for which it was collected.
(Score = 4)

No visibility into AI usage in the organization
(Score = 0)

Limited visibility on AI usage, with ad-hoc risk assessment
(Score = 1)

Accurate, relatively complete inventory of AI projects, models, and datasets, including structured risk assessment
(Score = 2)

Complete internal inventory, with risk assessment also extended to most third-party uses of AI
(Score = 3)

AI risk assessed and issues surfaced for remediation at the very beginning of the development or procurement process (“shift-left” governance)
(Score = 4)

No visibility into model training data
(Score = 0)

Ad-hoc visibility into model training data
(Score = 1)

Visibility into model training data for several internal uses of AI, including identification of personal data
(Score = 2)

Visibility into model training data for all major internal uses of AI, including some de-risking of personal data
(Score = 3)

Data future-proofing across organization to ensure personal data is identified and de-risked before being used for model training
(Score = 4)