1. Does our organisation view privacy as a core risk to be managed?2. Who is in charge of privacy in our leadership structure?3. Does our privacy officer have enough authority?4. Does our organisational culture value privacy?5. Can we publicly show how our privacy goals are being met?6. Do our information systems use privacy by design?