Making Privacy a Priority: New Framework Helps Companies Develop and Implement Privacy Strategies
It’s no secret that privacy is on the minds of consumers now more than ever. As more businesses gather and mine information about their customers, new requirements address the collection, management, storage, and protection of personal data.
Two regulations, in particular, are already having an enormous impact on how organizations handle privacy issues as part of their overall operations, and they could have a significant effect on an organization’s bottom line if privacy issues are not taken into account. They are the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018, and the California Consumer Privacy Act (CCPA) of 2018, which went into effect January 1, 2020, and will be enforced beginning July 1, 2020.
To help organizations comply with emerging privacy laws and build consumer trust, the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, has developed a new privacy framework — a voluntary tool designed to help develop and implement privacy strategies. NIST released the framework on January 16, 2020.
The framework is flexible enough that your organization can use it to adopt processes that fit your needs, strategies, and appetite for risk. It is divided into three main parts, each made up of discrete steps and activities to help you examine and improve your processes.
- Core: The framework begins with a set of activities to stimulate a dialogue—from the executive level to the implementation/operations level—about important privacy protections and desired outcomes for your organization.
- Profiles: Profiles are a selection of specific Functions, Categories, and Subcategories from the Core that are in line with the organization’s overarching goals and values and that have been prioritized to help manage privacy risk. You can use profiles to conduct self-assessments and to communicate within your organization or between organizations about how privacy risks are being managed.
  - For example, you may decide to complete a Current Profile to assess privacy outcomes you are already achieving, as well as a Target Profile to identify the outcomes your organization needs to achieve in order to reach your privacy risk management goals. The differences between the two Profiles enable you to identify gaps, develop an action plan for improvement, and gauge the resources that would be needed (e.g., staffing, funding) to achieve privacy outcomes. This helps address privacy risk in a cost-effective, prioritized manner.
- Implementation: The framework includes a set of tiers to determine where your organization stands on privacy risk and whether it has sufficient processes and resources in place to manage that risk. These tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.
The NIST framework is not the only tool for privacy risk management. The AICPA has developed the Generally Accepted Privacy Principles (GAPP), which can be tested as part of the Trust Services Criteria for SOC 2.
Weaver’s IT Advisory professionals can help your organization adapt these frameworks to your business. Contact Weaver for more information.
Authored by Brittany George, CISA, CISM, QSA, and Alexis Kennedy, CPA, CISSP, CISA, CCSFP.
© 2020