Question: Has the organization appointed a Data Protection Officer (DPO) or designated privacy lead with defined accountability?
Why This Matters
Clear accountability is the cornerstone of compliance. A named DPO or privacy lead ensures ownership for interpreting laws, coordinating responses, and guiding privacy by design.
Maturity
| Level | Description |
|---|---|
| 0 — Unaware | No DPO or privacy contact identified. |
| 1 — Ad Hoc | Responsibilities informally assigned within IT or Legal. |
| 2 — Defined | DPO formally appointed; role documented and announced. |
| 3 — Managed | DPO maintains register, policies, and incident oversight. |
| 4 — Integrated | DPO involved in product / project reviews and risk boards. |
| 5 — Optimized | Privacy office drives enterprise-wide accountability metrics. |
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify privacy contact and define basic duties. |
| 1 → 2 | Formally appoint DPO; publish announcement internally. |
| 2 → 3 | Create privacy charter and annual plan. |
| 3 → 4 | Involve DPO in change-management and audits. |
| 4 → 5 | Track KPIs and maturity dashboards enterprise-wide. |
Enablers
- People: DPO / Privacy Lead / Legal Counsel
- Process: Charter approval → reporting → annual review
- Technology: GRC or policy portal, communication channels
Evidence
- Appointment letter / board resolution
- Privacy charter and role description
- DPO contact listed on website or notice
KPIs
- Time to respond to privacy queries
- Number of projects reviewed by DPO
- Percentage of policies approved by DPO
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Policy hosting | GitHub Wiki / MkDocs | Simple charter publishing |
| Tracking | Airtable / Odoo Community | Privacy register |
| Awareness | Google Forms / LMS | DPO intro training |
Common Pitfalls
- DPO appointed but no authority
- Role hidden within Legal or IT
- No visibility to data subjects
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27701 | 5.1.1 & 6.1 (DPO responsibility) |
| DPDP Act 2023 | Sec 10 (Accountability & DPO appointment) |
| GDPR | Art. 37–39 |
| NIST CSF 2.0 | GV.MA / GV.PO |
| NIRMATA Mapping | PD-Q01 anchors privacy accountability. |