
By Kathleen Randall, EVP North America

This is my Groundhog Day situation over the last 6 months:

Customer: “We are concerned about CCPA.”

Me: “Understandable given the deadline date. What do you need to do for CCPA to make sure your organization is in compliance?”

Customer: “I have no idea.”


Customer: “We have to comply with GDPR and 6 states’ privacy laws. We know we need to put in a privacy program, but we don’t want to wait until all the U.S. privacy landscape settles. However, it would be great to follow guidance that we feel confident will meet most or all of the regulations.”

Why is Data Privacy Management a challenge?

Technology advancements rapidly create new ways of using personal data. When combined with decentralized regulations issued by governing bodies across each of the 50 states – in addition to country-specific regulations like the UK and Japan – it’s been a challenge for national or global organizations to understand what they need to do to comply from a privacy regulation perspective.

What’s with the Data Privacy struggle for U.S. companies?

This struggle has been a relatively new one for American companies. The U.S. landscape is just now maturing, with state Attorneys General getting into the enforcement game to protect their citizens. Legal practitioners have been stepping into DPO roles and find they need to catch up with cybersecurity and technology practices, which typically aren’t their specialty. CISOs are a big part of the privacy program foundation, but keep in mind that the goal is not just about protecting personal data. Privacy practices are the operational practices of the business following good ethical procedures – thus enter the COO. Operations, legal, cybersecurity, and risk departments at organizations are trying to collaborate to solve the problem. Since each of these groups has traditionally dealt with only a piece of the puzzle, and not from a privacy lens, the conversations have been a bit like the blind leading the blind.

Technology is outpacing government regulations

Technology advancements themselves are also posing an ongoing challenge to privacy professionals. While they are trying to create baseline policies and company practices for protecting privacy, organizations continue to evolve their internal systems with automation, their business strategies with AI, and their uses of big data. They are also expanding their technology ecosystem with vendors whose offerings realize the company’s digital transformation vision. Setting standard control activities and auditing practices in the data privacy space is like a golfer using the same iron and the same stroke at every hole and every course, no matter what the weather conditions.

What is NIST Privacy Framework and why is it important?

The NIST Privacy Framework is a voluntary outline intended to help organizations identify privacy protection activities that are aligned to the business’ objectives, company policies and values, regulations, and risk management strategies. This long-awaited framework is a necessary tool in today’s digital and regulatory landscape for many industries. It provides a common language and set of standard activities that are regulation-agnostic, yet flexible enough to fit different businesses and regulatory drivers. With the framework, companies that fall under multiple privacy regulations can take an “implement once, comply with many” approach, rather than developing separate programs for each regulation.

The Privacy Framework is also integrated with the NIST Cybersecurity Framework, which aids in identifying the overlap between cybersecurity and data privacy activities. Together, the harmonized frameworks facilitate collaboration between cybersecurity and privacy teams within an organization. Although data privacy and cybersecurity activities are closely related, they are not one and the same: privacy risks can arise from incidents that are not security-related.

A strength of the Privacy Framework is that it is not meant to be a one-size-fits-all checklist. The initial approach guides an organization through a privacy risk assessment. This assessment helps the organization understand which requirements to pursue, suited to its regulatory obligations, business practices, risk tolerance, and ethical values.

The framework also provides a mechanism to assess future data privacy concerns raised by emerging digital and technology projects, a capability that is critical in today’s changing digital landscape.

Where do I start to implement the NIST Privacy Framework?

SureCloud is the first combined data privacy, risk, and compliance management solution that supports the new NIST Privacy Framework. It provides a “TurboTax”-like setup that guides a privacy team through the end-to-end workflow of building a privacy program based on the framework and its best practice guidance. The goal is to substantiate and ensure that privacy practices are in place at the organization. For privacy programs at any stage, from infancy to full maturity, SureCloud provides flexibility ranging from out-of-the-box guidance to fully configurable templates and workflows that meet company-specific practices.

As mentioned, privacy is just one piece of the risk, compliance, and governance requirements that a company must maintain. Thus, it’s important to have a single place where risk, legal, compliance, and security teams at a company can identify, track, and monitor their programs.

Centralizing these requirements results in:

  1. an enterprise view of risks at a company rather than siloed point issues,
  2. reduced duplicative work effort amongst teams,
  3. elimination of contradictory activities that result in negative risk impact to the company.

SureCloud brings together the different program siloes by:

  • Supporting a rationalized compliance program that aligns to multiple regulations and frameworks, such as:
    • NIST Cybersecurity Framework
    • NIST Privacy Framework
    • ISO standards
    • PCI
    • IRAM2
  • Providing real-time dashboards to report risks and compliance posture from all angles (business units, stakeholder accountability, regulations, policies, etc.)
  • Linking your data privacy program to other risk and compliance initiatives in your organization to report true risk impact across your business in terms that executives and the Board of Directors can understand.
  • Risk programs that are integrated in SureCloud include:
    • Third Party Risk Management
    • Data Privacy Management
    • IT/Cyber Risk Management
    • Policy Management
    • Incident Management
    • Vulnerability Management
  • Supporting a common language for risk and control assessments throughout the business
  • Centralizing and streamlining issues and remediation tracking activities across audits and assessments

Stay tuned for a follow-up blog on this topic, where we look into the NIST Privacy Framework and how it may be the solution…
