Popular Privacy Management Frameworks
NIST Privacy Framework
The NIST Privacy Framework (version 1.0, January 2020) defines five core functions, each suffixed with -P to distinguish it from the Cybersecurity Framework functions it was modelled on:
- Identify-P: Develop the organizational understanding needed to manage privacy risk for individuals arising from data processing, starting with an inventory of systems, data, and processing activities and the context in which they occur.
- Govern-P: Develop and implement the governance structure (policies, roles, risk tolerance, and legal and regulatory obligations) that keeps privacy risk management priorities current.
- Control-P: Develop and implement activities that let the organization and individuals manage data with sufficient granularity to manage privacy risk, such as data minimization, retention limits, and de-identification.
- Communicate-P: Develop and implement activities that give the organization and individuals a reliable understanding of how data are processed and the associated privacy risks, such as notices, consent mechanisms, and transparency reporting.
- Protect-P: Develop and implement appropriate data processing safeguards, including access control, data security, and protective technology.
Detecting, responding to, and recovering from privacy-related incidents are not separate Privacy Framework functions; the framework points to the Detect, Respond, and Recover functions of the NIST Cybersecurity Framework for that work.
These functions make up the framework's Core. Organizations describe their current and target states as Profiles and rate the rigor of their privacy risk management with Implementation Tiers, which is how the framework helps them identify and prioritize privacy risks and plan their treatment. Like the Cybersecurity Framework, it is designed to be integrated with the organization's overall risk management processes and aligned with its mission and goals.
ISO 27701 Privacy Information Management
ISO/IEC 27701 extends the ISO/IEC 27001 management system and the ISO/IEC 27002 controls into a Privacy Information Management System (PIMS). Its requirements follow the same management-system clause structure as ISO 27001:
- Context of the organization: Determining the organization's role as a PII controller and/or PII processor, the interested parties, and the scope of the PIMS.
- Leadership: Management's commitment, the privacy policy, and the roles and responsibilities for protecting personal data.
- Planning: Risk assessment and risk treatment, extended so that risks to individuals (not only to the organization) are assessed, plus privacy objectives and the resources to reach them.
- Support: Provision of resources, competence, awareness, communication, and documented information.
- Operation: Implementation of the planned controls and risk treatments, including privacy impact assessments where required.
- Performance evaluation: Monitoring and measurement of the PIMS, internal audit, and management review.
- Improvement: Handling of nonconformities and corrective action, and continual improvement of the PIMS.
Annex A lists additional controls for PII controllers and Annex B for PII processors. ISO 27701 is an extension, not a standalone standard: certification requires an ISO 27001 ISMS, and the PIMS is audited together with it.
CIPL Accountability Framework
The Centre for Information Policy Leadership (CIPL) describes organizational accountability in terms of seven elements, often drawn as the "accountability wheel":
- Leadership and Oversight: Executive responsibility for data privacy, with a designated privacy leader (such as a DPO or chief privacy officer) who reports to top management, and resources and staff allocated so the program is actually implemented.
- Risk Assessment: An ongoing process for understanding and mitigating privacy risks from new products, services, technologies, and business models, including privacy or data protection impact assessments and risk assessments for data transfers.
- Policies and Procedures: Clear, enforceable written privacy policies and procedures that implement legal, regulatory, and industry requirements, with responsibility for following them delegated throughout the organization.
- Transparency: Communicating those policies and the organization's data practices to individuals, regulators, and business partners.
- Training and Awareness: Education and awareness programs for employees and on-site contractors so they know their data protection obligations.
- Monitoring and Verification: Internal and external audits, certifications, and other means of verifying that the program works and of demonstrating that to regulators.
- Response and Enforcement: Handling complaints, incidents, and breaches; enforcing internal rules; and feeding lessons back into the program so it keeps up with changes in law, regulation, and technology.
Generally Accepted Privacy Principles
GAPP is a North American framework that draws on the OECD Privacy Guidelines and other international principles. Its ten principles are:
- Management: The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
- Notice: Individuals are told about the organization's privacy policies and the purposes for which personal information is collected, used, retained, and disclosed.
- Choice and Consent: Individuals are told the choices available to them, and implicit or explicit consent is obtained for the collection, use, and disclosure of personal information.
- Collection: Personal information is collected only for the purposes identified in the notice.
- Use, Retention, and Disposal: Personal information is used only for the identified purposes, retained only as long as needed for them, and then disposed of.
- Access: Individuals can review and update their personal information.
- Disclosure to Third Parties: Personal information is disclosed to third parties only for the identified purposes and with the individual's consent.
- Security for Privacy: Personal information is protected against unauthorized access, both physical and logical.
- Quality: Personal information is kept accurate, complete, and relevant for the purposes identified in the notice.
- Monitoring and Enforcement: Compliance with the policies is monitored, and there are procedures for addressing privacy-related complaints and disputes.
GAPP was developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA, now part of CPA Canada), with its final edition published in 2009; the AICPA has since replaced it with its Privacy Management Framework (2020). It is not the basis of PIPEDA: Canada's federal privacy law predates GAPP and incorporates the ten principles of the CSA Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) as its Schedule 1.
Bottom Line:
There is no “best” framework. There are only regional, budgetary, and organizational/cultural preferences.