Privacy Maturity Assessment Framework (PMAF)
A free, structured framework for scoring an organisation's privacy maturity across four dimensions against three maturity levels — built by New Zealand's Government Chief Privacy Officer for public-sector agencies, but readily reusable anywhere.
- Published by: Government Chief Privacy Officer (GCPO), New Zealand — hosted on the Digital Public Service site (digital.govt.nz)
- Type: Maturity assessment framework + self-assessment tool
- Jurisdiction: New Zealand (public-sector origin; the model is jurisdiction-neutral)
- Primary audience: DPOs / privacy leads running a maturity baseline; public-sector privacy teams
- Topic tags: privacy maturity · accountability · programme assessment · governance
- Availability: Free; self-assessment framework and workbook; English
Why it matters
Boards and clients increasingly ask "how mature is our privacy programme?" — and most teams have no defensible way to answer. PMAF gives you one: four assessment sections (Core expectations, Leadership, Planning/policies/practice, and Privacy domains) scored against three maturity levels (informal, foundational, managed), producing a baseline you can evidence, repeat annually to show trajectory, and use to prioritise where to invest. It is free and lightweight, and although written for New Zealand public-sector agencies it maps cleanly onto UK GDPR Article 5(2) accountability and Article 24 governance obligations — a ready-made structure for a maturity baseline without building one from scratch. Easy to miss from a UK/EU vantage point.
