This important guidance supports enterprises to embed privacy management in every aspect of their operations, including cybersecurity.
Privacy is a critically important consideration for organizations today. They are processing huge volumes of personal data while complying with a complex patchwork of regulations and responding to customers’ changing attitudes around how information is used. The scale of the privacy challenge they face has been brought into even sharper focus by the COVID-19 pandemic, which has made enterprises across the globe even more vulnerable to cyberattacks.
The best way that organizations can navigate this demanding environment is to take a robust, holistic and risk-based approach to the management of privacy risk. This involves the adoption of concrete steps to effectively operationalize privacy management within the organization – something that is easier said than done.
Fortunately, two leading standards bodies have recognized the need for frameworks that help organizations manage privacy risk as part of their overall enterprise risk management. The International Organization for Standardization (ISO) has developed ISO 27701 – guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System. Another framework has been devised by the US-based National Institute of Standards and Technology (NIST): the NIST Privacy Framework.
Introducing the NIST Privacy Framework
The NIST Privacy Framework provides a common language for understanding, managing and communicating privacy risk through business and mission drivers, organizational roles and responsibilities, and privacy protection activities. Organizations can use it to identify and prioritize actions, while aligning policy, business and technological approaches to managing privacy risk across the data lifecycle.
Given the central role played by data and systems within organizational life, it is impossible for privacy risk to be addressed in isolation. It has to be considered within the context of an organization’s broader risk management and cybersecurity strategies. In recognition of this, the NIST Privacy Framework is aligned to the NIST Cybersecurity Framework, and can be used in tandem with it. Effective risk mitigation requires an organization to embed privacy management in every aspect of its operations, including its engineering processes. New apps, systems, products and services must be designed from the outset to build in trust and protect the privacy of individuals.
Every organization is currently at a different point on the privacy management journey and every organization has a different ambition for where it wants to end up. So, the Privacy Framework recognizes that there is no such thing as a one-size-fits-all approach to privacy management. Instead, its risk and outcome-based approach means that it can be tailored to fit the specific context of individual organizations.
The Privacy Framework is composed of three elements:
- The Core provides a granular set of activities and outcomes that enable organizational dialogue about the management of privacy risk. These activities are divided into five functions: Identify; Govern; Control; Communicate; and Protect.
- Profiles are a set of specific functions, categories and subcategories from the Core that the organization can prioritize to manage privacy risk. They may represent an organization’s current privacy activities, or desired outcomes, and can be used to improve privacy posture, conduct self-assessments and communicate around how risks are being managed.
- Implementation Tiers help the organization decide on, and communicate about, the sufficiency of its processes and resources for managing privacy risk, so that it can reach its desired target state – the Profile it is aiming for. The target state is where an organization wants to be once it has effectively upgraded its privacy risk management.
To make effective use of the framework, an organization needs to assess both its current state and the Profile it wants to achieve. Then it can define which measures – such as technological solutions or tighter controls – will enable it to manage privacy in line with its risk appetite. For example, financial services companies, which hold a lot of sensitive customer information and operate in a highly regulated environment, are likely to have a much lower appetite for privacy risk than enterprises in less regulated sectors. Another important consideration is whether the organization can use the Privacy Framework as a basis for strengthening its competitive position; a consumer goods company, for instance, might make its focus on privacy a key differentiator in its brand marketing.