Dear NIST Privacy Framework, I have a problem
By Kathleen Randall, EVP North America
This was my Groundhog Day situation in the 6 months before the CCPA update:
Customer: “We are concerned about CCPA.”
Me: “Understandable, given the deadline date. What do you need to do for CCPA to make sure your organization is in compliance?”
Customer: “I have no idea.”
OR
Customer: “We have to comply with GDPR and 6 states’ privacy laws. We know we need to put in a privacy program, but we don’t want to wait until the entire U.S. privacy landscape settles. However, it would be great to receive guidance that we feel confident will meet most or all of the regulations.”
Data privacy and compliance regulations change regularly and vary considerably depending on your country or state. Managing all of these elements alongside your business objectives is complex, so you need expert guidance and the best CCPA compliance software.
Why is Data Privacy Management a challenge?
Technology advancements rapidly create new ways of using personal data. Combined with decentralized regulations issued by governing bodies across each of the 50 states – in addition to country-specific regulations, like those in the UK and Japan – this has made it a challenge for national or global organizations to understand what they need to do to comply from a privacy regulation perspective.
What’s with the Data Privacy struggle for U.S. companies?
This struggle has been a relatively new one for American companies. The U.S. landscape is maturing, with state Attorneys General getting in the enforcement game to protect their citizens. Legal practitioners have been stepping into DPO roles and need to catch up with cybersecurity and technology practices, which typically aren’t their speciality.
CISOs are a big part of the privacy program foundation, but remember that the goal is not just protecting personal data. Privacy practices are the operational practices of the business following good ethical procedures – thus, enter the COO. Organizations’ operations, legal, cybersecurity, and risk departments are trying to collaborate to solve the problem. Since each of these groups traditionally has only dealt with a piece of the puzzle, and not solely from a privacy lens, the conversations have been a bit like the blind-leading-the-blind.
Technology is outpacing government regulations
Technology advancements themselves also pose an ongoing challenge to privacy professionals. While trying to create baseline policies and company practices for protecting privacy, organizations continue to evolve their internal systems with automation and their business strategies with AI and big-data uses. They are also expanding their technology ecosystem with vendors whose technology offerings help realize the company’s digital transformation vision. Setting standard control activities and auditing practices in the data privacy space is like a golfer using the same iron and the same stroke on every hole and every course, no matter the weather conditions.
What is NIST Privacy Framework and why is it important?
The NIST Privacy Framework is a voluntary outline intended to help organizations identify privacy protection activities aligned to the business objectives, company policies and values, regulations, and risk management strategies. This long-awaited framework is a necessary tool in today’s digital and regulatory landscape for many industries.
The Framework provides a common language and a set of standard activities that are regulation-agnostic yet flexible enough to apply across different businesses and regulatory drivers. With it, companies that fall under multiple privacy regulations can use this single framework to take an “implement once, comply with many” approach rather than developing separate programs for each regulation.
The Privacy Framework is also integrated with the NIST Cybersecurity Framework, which aids in identifying the overlap between cybersecurity and data privacy activities. The harmonized frameworks facilitate collaboration between cybersecurity and privacy teams within an organization. Although data privacy and cybersecurity activities are closely related, they are not the same: privacy risks can arise from incidents that are not security-related at all.
A strength of the Privacy Framework is that it is not meant to be a one-size-fits-all checklist. The initial approach guides an organization through a privacy risk assessment. This assessment helps the organization determine which requirements to pursue, suited to its regulatory obligations, business practices, risk tolerance, and ethical values.
The framework also provides a mechanism to assess future data privacy concerns arising from emerging digital and technology projects, which is critical in today’s changing digital landscape.
Where do I start to implement the NIST Privacy Framework?
SureCloud is the first combined data privacy, risk, and compliance management solution that supports the new NIST Privacy Framework. It provides a TurboTax-like setup to guide a privacy team through the end-to-end workflow of building a privacy program based on the framework, with best-practice guidance along the way.
The goal is to substantiate and ensure that privacy practices are in place at the organization. For privacy programs in a state of infancy – through to those that are fully mature – SureCloud provides flexibility, from out-of-the-box guidance to fully configurable templates and workflows that meet company-specific practices. Businesses looking for the best CCPA compliance software and a one-stop-shop solution to all GDPR and compliance conundrums need look no further.
As mentioned, privacy is just a piece of the risk, compliance, and governance requirements that a company must maintain. Thus, it’s important to create a single place where a company’s risk, legal, compliance, and security teams can identify, track, and monitor its programs.
Centralizing these requirements results in:
- An enterprise view of risks at a company rather than siloed point issues
- A reduction in duplicative work effort amongst teams
- The elimination of contradicting activities that result in a negative risk impact to the company
SureCloud brings together the different program siloes by:
- Supporting a rationalized compliance program that aligns with multiple regulations and frameworks such as:
  - NIST Cybersecurity Framework
  - NIST Privacy Framework
  - ISO standards
  - PCI
  - IRAM2
- Providing real-time dashboards to report risks and compliance posture from all angles (business units, stakeholder accountability, regulations, policies, etc.)
- Linking your data privacy program to other risk and compliance initiatives in your organization to report true risk impact across your business in terms that executives and the Board of Directors can understand
- Providing risk programs integrated into SureCloud, including:
  - Supporting a common language for risk and control assessments throughout the business
  - Centralizing and streamlining issues and remediation tracking activities across audits and assessments
Take a look at our follow-up on this topic, where we explain how the NIST Privacy Framework has been integrated with our software solution.
Want to know more about how SureCloud’s GRC, cyber, and risk management software could provide the compliance answers your business needs to manage the varying data privacy regulations in your area? Take a look at our Data Privacy Management solutions.