Top 9 Reasons You Need a Data Privacy Framework

Data privacy is a moving target, and your regulators, customers, employees and partners expect your company to keep pace. A data privacy framework is a tool that can help meet this challenge with a combination of discipline and agility by laying out the privacy policies and procedures your company follows.

Why Do Data Privacy Frameworks Matter?

Political, business and technology developments continue to exert pressure on companies’ handling of data privacy, driving their embrace of privacy frameworks that can address immediate concerns and help them adapt to change. Here’s what’s happening:

1. U.S. policy: The prospects for a comprehensive national privacy policy are growing stronger,[1] even as individual states continue to roll out their own rules and as government agencies enforce a patchwork of older rules on the books.
2. International policy: Europe’s General Data Protection Regulation (GDPR) set a global standard that has been adapted for use by many other countries and localities. Enforcement has included fines on hundreds of companies. But now that the GDPR is five years old, some policymakers are calling for a rethink.[2]
3. Business: Companies’ current remote working arrangements are stress-testing privacy rules and their observance by employees and cloud service providers.
4. Consumers: Consumer pressure is growing, with a recent survey showing that nearly 80% of people are concerned about their data privacy.[3]
5. Technology: Innovations such as artificial intelligence and facial recognition pose significant new privacy concerns.
6. Security: Data breaches pose one of the biggest threats to data privacy, since 80% of these incidents steal personally identifiable information (PII).[4] The threat is growing, with breaches exposing far more records in 2020 than ever before.[5]

Reasons Your Organization Needs a Data Privacy Framework

A data privacy framework is a living document with guidelines that can be adjusted as events unfold, so it can set your company up to succeed in this turbulent environment. The National Institute of Standards and Technology (NIST), the U.S. standards body, provides three tactical reasons your company needs a data privacy framework:

1. Decision-making: A framework can support ethical decision-making in product development and operations — optimizing data use while minimizing adverse consequences for individuals’ privacy.
2. Compliance: It can help comply with current regulations while futureproofing against changing rules and technologies.
3. Communications and collaboration: Having your company’s guidelines in writing helps you communicate your privacy practices within your organization and beyond, to customers, partners and regulators.

What Is the NIST Privacy Framework?

NIST’s privacy framework is a little over a year old and still evolving, and many companies have adopted it as the foundation for their own frameworks.[6] NIST’s voluntary guidelines are widely followed since government contractors are often expected to comply with them for public sector procurement, which also has a knock-on effect on private sector procurement in the U.S. and abroad. The institute’s privacy framework is designed to work in tandem with its cybersecurity framework.

NIST’s privacy framework is structured around business drivers, organizational roles and responsibilities, and privacy protection activities.[7] It breaks down like this:

• Functions: What high-level privacy risk management considerations feed into identifying, governing, controlling, communicating and protecting sensitive data? For instance, governance decisions would recognize regulatory requirements and set company policies to prioritize efforts. Matters of control would guide data governance and management. Decisions about protection would cover cybersecurity-related privacy events, such as data breaches.
• Profiles: How well does your company currently perform each of these functions? What is your desired level of performance?
• Implementation: What are the processes and resources needed to achieve your targeted profile? Here, NIST’s list gets quite long and detailed, including risk assessments, inventories, awareness programs, monitoring mechanisms and more.

Companies can choose to pattern their data privacy frameworks on NIST’s model or others. For instance, the International Organization for Standardization (ISO) has published another general framework.[8] In the healthcare industry, a “Draft Consumer Privacy Framework for Health Data” has been published by a pair of advocacy groups seeking to fill gaps in the data protections covered by the Health Insurance Portability and Accountability Act (HIPAA).[9]

Whatever your choice, your company cannot treat its data privacy framework as a “one and done” exercise, but must periodically review, revise, communicate and train employees to keep pace with new developments.

Implementing Data Privacy Frameworks

At a technical level, implementing data privacy frameworks involves processes that could include any of the following:

• Identify and prioritize confidential information, such as customers’ credit card numbers or employees’ social security numbers.
• Map how confidential information flows in your company and who is involved.
• Set limits on collecting, holding, accessing, using and sharing information.
• Gain individuals’ consent.
• Encrypt, de-identify and anonymize personal information.
• Sample, review, analyze and route flagged data.
• Find and delete customer information on demand, under regulatory timelines.
• Monitor and control internal and third-party data governance.
• Report breaches involving PII to regulators in near-real time.

“CIOs play a major role in establishing foundational capabilities for a sustainable privacy program,” reports CIO Dive. “Once those layers are in place, companies have the freedom to evolve as needed without introducing additional change to the rest of the organization.”[10]

Some companies are finding they need to adjust privacy procedures in the current remote working environment. “When dealing with personal data while working from home, users are left alone with numerous legal obligations that are difficult to understand and may find themselves unknowingly in breach of the law,” says European Parliament Member Alex Voss.[11]

Automating Data Privacy Frameworks

Companies can automate privacy protections themselves and with consultants on their existing systems, or they can turn to a growing “privacy tech” industry for more specialized tools to implement their data privacy frameworks.

Many organizations with large amounts of information in their possession have found they can no longer perform their compliance tasks without assistance from privacy technologies, according to the International Association of Privacy Professionals’ (IAPP) “2021 Privacy Tech Vendor Report.”[12] Product categories in the report include assessment management tools that can locate compliance gaps; consent management tools that manage users’ consent for tracking and other purposes; incident response solutions that help companies inform relevant stakeholders that their information was compromised in a breach; and others.

Cloud service providers also commit to supporting customers’ privacy compliance, as Mimecast does for its email, storage and archiving solutions. This often includes providing contractual assurances of the service provider’s own adherence to privacy rules. In addition, service providers may equip customers’ system administrators with management consoles for such compliance processes as archive search, e-discovery and review.

The Bottom Line

Companies can do a better job at data privacy when they put in place privacy frameworks that document the policies and procedures for protecting their customers’ and employees’ personal information. Frameworks can help them address today’s requirements and adapt to tomorrow’s in an ever-changing business, technology and regulatory environment.

[1] “The Battle of the Bills Begins: Proposed Federal Data Privacy Legislation Aims to End Patchwork Problem But Increases Enforcement,” National Law Review

[2] “How to Bring GDPR into the Digital Age,” Politico

[3] “Data from Entrust Reveals Contradictions in Consumer Sentiment Toward Data Privacy and Security in 2021,” Entrust

[4] “Global Cost of Data Breach Study 2020,” Ponemon Institute

[5] “New Research: No. of Records Exposed Increased 141% in 2020,” Risk Based Security

[6] “Benefits, Attributes and Habits of Mature Privacy and Data Protection Programs,” International Association of Privacy Professionals

[7] “NIST Privacy Framework,” National Institute of Standards and Technology

[8] “Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management,” International Organization for Standardization

[9] “Privacy and Cybersecurity,” eHealth Initiative & Foundation and Center for Democracy and Technology

[10] “The CIO’s True Role in Data Privacy,” CIO Dive

[11] “How to Bring GDPR into the Digital Age,” Politico

[12] “2021 Privacy Tech Vendor Report,” International Association of Privacy Professionals