PRIVACY MATURITY IN SWEDISH MUNICIPALITIES: A Quantitative Survey Based on a Privacy Maturity Framework

Abstract

Municipalities of Sweden are facing challenges complying with the GDPR. New and changed management processes need to be implemented. We used an inductive quantitative approach applying a privacy maturity framework in a survey in May 2019 where 454 controllers in Swedish municipalities answered. Twenty-three measurable criteria are adopted from the technology-neutral international best-practice standard Generally accepted privacy principles (GAPP) and objective descriptions in the Privacy maturity model (PMM). The results are maturity estimates from level 1 to 5 on the 23 criteria, which we grouped in six attributes. Of the controllers, 52 percent are on level 1, 44 percent on level 2, and only 4 percent are above level 3. The survey also includes four significant findings: (1) Controllers in medium-large municipalities are estimating maturity higher than others. (2) Less than a third of the controllers have defined roles and responsibilities for privacy, except for the data protection officer (DPO). DPOs are estimating maturity even lower. (3) There is a risk for not detecting privacy breaches, due to lack of protection, monitoring and testing of safeguards, lack of controls on third-parties security practices, and treating privacy matters as IT-security queries. Controllers working with sensitive data are rating maturity higher in these areas. (4) Municipalities have prioritised visible processes like a privacy notice, meeting requests from registered and retention practices. There are two strategies found – one ambitious and one cautious. Several of these findings imply further research.