This is my Groundhog Day situation over the last 6 months:
Customer: “We are concerned about CCPA.”
Me: “Understandable given the deadline date. What do you need to do for CCPA to make sure your organization is in compliance?”
Customer: “I have no idea.”
Customer: “We have to comply with GDPR and 6 states’ privacy laws. We know we need to put in a privacy program, but we don’t want to wait until all the U.S. privacy landscape settles. However, it would be great to follow guidance that we feel confident will meet most or all of the regulations.”
Technology advancements rapidly create new ways of using personal data. Combined with decentralized regulations issued by governing bodies across each of the 50 states, in addition to country-specific regulations such as those of the UK and Japan, this has made it a challenge for national or global organizations to understand what they need to do to comply from a privacy regulation perspective.
This struggle is a relatively new one for American companies. The U.S. landscape is only now maturing, with state Attorneys General entering the enforcement game to protect their citizens. Legal practitioners have been stepping into DPO roles and find they need to catch up on cybersecurity and technology practices, which typically are not their specialty. CISOs are a big part of the privacy program foundation, but keep in mind that the goal is not only protecting personal data. Privacy practices are the operational practices of a business following good ethical procedures, which is where the COO enters. Operations, legal, cybersecurity, and risk departments are trying to collaborate to solve the problem. Since each of these groups has traditionally dealt with only a piece of the puzzle, and not from a privacy lens, the conversations have been a bit like the blind leading the blind.
Technology advancements themselves also pose an ongoing challenge to privacy professionals. While they are trying to create baseline policies and company practices for protecting privacy, organizations continue to evolve their internal systems with automation, their business strategies with AI, and their uses of big data. They are also expanding their technology ecosystem with vendors whose offerings help realize the company's digital transformation vision. Setting standard control activities and auditing practices in the data privacy space is like a golfer using the same iron and the same stroke at every hole on every course, regardless of the weather conditions.
The NIST Privacy Framework is a voluntary outline intended to help organizations identify privacy protection activities that are aligned with the business's objectives, company policies and values, regulations, and risk management strategies. This long-awaited framework is a necessary tool in today's digital and regulatory landscape for many industries. It provides a common language and a set of standard activities that are regulation-agnostic, yet flexible enough to apply across different businesses and regulatory drivers. With NIST, companies that fall under multiple privacy regulations can use this single framework to take an "implement once, comply with many" approach, rather than developing separate programs for each regulation.
The Privacy Framework is also integrated with the NIST Cybersecurity Framework, which aids in identifying the overlap between cybersecurity and data privacy activities. Together, the harmonized frameworks facilitate collaboration between cybersecurity and privacy teams within an organization. Although data privacy and cybersecurity activities are closely related, they are not one and the same: privacy risks can arise from incidents that are not security-related at all.
A strength of the Privacy Framework is that it is not meant to be a one-size-fits-all checklist. The initial approach guides an organization through a privacy risk assessment. This assessment helps the organization understand which requirements to pursue, suited to its regulatory obligations, business practices, risk tolerance, and ethical values.
The framework also provides a mechanism to assess future data privacy concerns arising from emerging digital and technology projects, which is critical in today's changing digital landscape.
SureCloud is the first combined data privacy, risk, and compliance management solution that supports the new NIST Privacy Framework. It provides a "Turbo Tax"-like setup that guides a privacy team through the end-to-end workflow of building a privacy program based on the framework, with best-practice guidance along the way. The goal is to substantiate and ensure that privacy practices are in place at the organization. For privacy programs at any stage, from infancy to full maturity, SureCloud offers flexibility ranging from out-of-the-box guidance to fully configurable templates and workflows that match company-specific practices.
As mentioned, privacy is just one piece of the risk, compliance, and governance requirements that a company must maintain. It is therefore important to have a single place where risk, legal, compliance, and security teams can identify, track, and monitor their programs.
Centralizing these requirements results in:
Stay tuned for a follow up blog on this topic where we look into the NIST Privacy Framework and how it may be the solution…