PRIVUS Privacy Capability Model · by Elytra Security
The PRIVUS framework
A structured way to talk about privacy capability with Boards, regulators, customers and internal teams.

From law and controls to practical capability

Most organisations already speak the language of laws (DPDPA, GDPR), controls (ISO 27001/27701) and audits. PRIVUS adds a fourth lens: practical capability. It focuses on whether your people, processes, systems and telemetry can actually back up your policy statements when something goes wrong.

The model is intentionally simple enough to explain to non-technical leaders, but detailed enough to guide concrete improvement work.

The eight PRIVUS domains

Each domain asks: “Can we prove this with evidence when challenged?”

  • Governance & accountability – roles, RACI, oversight, reporting and decision-making.
  • RoPA & data mapping – data inventories, lawful basis, purposes and cross-border flows.
  • Consent & preferences – how consent is captured, updated, withdrawn and evidenced.
  • Individual rights – DSAR/rights request intake, triage, fulfilment and tracking.
  • Security & telemetry – logs, alerts, incidents and forensics linked back to data uses.
  • Vendor oversight – processors, sub-processors, DPAs, monitoring and exit plans.
  • Retention & deletion – retention rules, implementation in systems, and real deletion proofs.
  • Privacy-by-design – how privacy is embedded into product, change and procurement workflows.

How organisations use PRIVUS

  • To create a shared maturity view between privacy, legal, security and business stakeholders.
  • To prioritise privacy improvements, not just check-box control implementation.
  • To brief Boards and leadership teams on privacy risk and readiness in simple language.
  • To prepare for DPDPA readiness, cross-border data transfer assessments and regulator questions.

The quick self-assessment is an entry point. Elytra can help you deepen the assessment into concrete roadmaps, control mappings and evidence plans.

Move from theory to evidence

If you have not already done so, you can take the PRIVUS self-assessment for your organisation and see a radar view across these domains.