This paper discusses the maturity of data protection and privacy measures in order to develop a better understanding of the importance and impacts of this domain. The practical relevance of this topic is that the General Data Protection Regulation provides that data controllers in EU Member States shall comply with uniform data protection rules. Even though European legislation sets detailed requirements for data controllers, the implementation of appropriate technical and organisational measures can be realised at different levels of maturity. Based on the analysis of the pertinent literature, various maturity models are available to assess privacy policies, but GDPR requirements are addressed just partially. The exploration of the issue of maturity offers a new relevant research opportunity to assist data controllers in finding the appropriate methodology for the assessment and further development of their data protection measures. This paper has three main objectives. First, to systematically review the relevant literature on the issue of maturity. Second, to analyse the relevant maturity models and their main methodological elements. Third, to make suggestions for a new specific model focusing on GDPR requirements.