When large technology companies take out full-page newspaper ads to talk about their commitment to privacy, and they proactively ask for government privacy legislation, you know we’ve crossed a threshold.
Data privacy is a hot topic. Consumers are ever more concerned about how their data is being used. In response, governments around the world are issuing new regulations to rein in the aggressive data collection and usage practices that so many vendors have adopted throughout the digital era.
New laws like the European Union’s General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA), the New York SHIELD Act, and others now emerging require all businesses – not just those in regulated industries – to make significant changes or face stiff penalties. Similar efforts are underway in Brazil, Japan, South Korea, Australia and India. It is highly likely more will follow.
Given the nuances of these varied new requirements, many companies are struggling with managing and securing the volumes of data they collect so they can prevent privacy violations—and consequent consumer wrath. There is no one best way for every business, but the NIST Privacy Framework, published by the U.S. National Institute of Standards and Technology (NIST), offers some valuable guidelines. The many NIST frameworks and controls, issued under Special Publication (NIST SP) 800-53, influence technology buying and evolution both in the private and public sectors. They often influence how other nations establish their own best practices.
Similar to NIST’s Cybersecurity Framework, the NIST Privacy Framework is a free tool that provides a structured approach to defining privacy strategy and goals, identifying privacy-risky practices and developing methods to responsibly manage collection and sharing of sensitive data and Personally Identifiable Information (PII).
Guidelines for the entire data privacy journey
The Privacy Framework Core presents Five Functions (each with associated Categories and Subcategories) of privacy activities and desired outcomes to help organizations determine how to manage privacy risk. They’re structured in a way that allows for adaptability in privacy practices as risks and regulations change. They include:
Identify-P: Develop the organizational understanding to manage privacy risk for individuals arising from data processing
Govern-P: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk
Control-P: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks
Communicate-P: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks
Protect-P: Develop and implement appropriate data processing safeguards. This Function speaks more to the data security risks that can arise from lax privacy practices. Cybersecurity remains an equal part of the protection equation.
Not every organization needs to reach every outcome described in the Core; it’s a guideline. Rather, an organization’s privacy program should be structured according to its unique business objectives, risk tolerance, market scope (for instance, if you don’t do business with European citizens, then the GDPR may be less relevant for you), and prioritization of resources and budget for managing privacy and security risk.
Data-level protection reinforces compliance
The Framework’s Functions 1 through 4 require (at least in part) human behavioral change and process change. While these Functions are very important to the overall success of a privacy program, they are also subject to human interpretation and even error. But taking privacy to the data level itself, which inherently requires technology, supports the 5th Function, Protect-P. An automated solution that is not subject to human missteps will greatly increase data security and thereby privacy compliance by default.
Your digital solution should be built to secure sensitive and confidential data throughout its entire life cycle. That means even when it leaves your perimeter and travels to unmanaged domains, devices and applications, where it is most vulnerable. Simply having it get into unauthorized hands, whether accidentally or intentionally, is a breach. Those wrong hands may use the data for inappropriate means, compounding the problem. It’s important to implement solutions that automatically prevent this from happening, thereby removing any guesswork or risks associated with common data-sharing and collaboration practices.
Regulatory bodies around the world will continue to implement rules and penalties related to maintaining privacy. It’s no longer optional: companies must be able to achieve a state of continuous compliance while allowing business operations to continue. It’s time to amp up your privacy program now, so you’re ready for whatever regulation comes next.