Picking the right framework for your Data Privacy and Protection Program
Welcome to part three of a four-part series for establishing and maintaining a Data Privacy and Protection Program. This article focuses on picking the right framework to govern your data privacy and protection program.
“Framework” is generally used to refer to the regulations, standards, or policies that govern a program. A Data Privacy and Protection framework provides a consistent approach to managing the controls in your data privacy and protection program. A good framework will guide the policies, procedures, processes, standards, controls, and other artefacts in your program. Benefits include risk reduction, improved reputation, measurable performance, and continuous program improvement. This applies equally to well-recognized frameworks and to in-house developed frameworks, provided they adequately address all the components of a good framework and are comprehensively implemented.
Privacy Management frameworks vs Laws & Regulations vs Standards
As stated above, the term “framework” covers your governance requirements; therefore, privacy management frameworks, regulations, or standards documents may be adapted to fit your environment. Below are some popular privacy management frameworks, regulations, and standards that may be considered and adopted.
Privacy Management Frameworks:
Privacy by Design (PbD) – This framework has seven foundational principles and is based on the idea that privacy requirements should be embedded in everything from inception through to destruction/decommissioning, rather than bolted on afterwards.
Control Objectives for Information and Related Technologies (COBIT) – This ISACA framework is mainly an IT governance framework for large organizations. It focuses on aligning IT strategy with business strategy while also providing sound approaches for protecting IT assets; it is not privacy-specific, so privacy requirements must be layered onto it.
National Institute of Standards and Technology Privacy Framework (NIST PF) – This is a companion to the NIST Cybersecurity Framework that shares its Core/Profiles/Tiers structure and adds requirements for managing privacy risk.
Laws & Regulations:
General Data Protection Regulation (GDPR) – This is a European data protection regulation that has brought significant attention to data protection around the world. It’s known for its penalties and far-reaching effects. The GDPR has been used to guide the development of data protection regulations around the Caribbean with the Data Protection Act in Jamaica, Barbados, and other islands having noticeable alignment with it.
Personal Information Protection and Electronic Documents Act (PIPEDA) – This is Canada’s federal private-sector privacy law, governing how organizations collect, use, store, and disclose personal information.
Health Insurance Portability and Accountability Act (HIPAA) – This is a US law that, among other things, sets standards for electronic healthcare transactions. Its Privacy Rule adds requirements such as patients’ rights to access their records and to request restrictions on how their information is shared, and the need for a patient’s written authorization before their information is used or disclosed for purposes other than treatment, payment, and healthcare operations.
International Organization for Standardization (ISO) – An international standard-setting body that has developed many well-recognized and certifiable standards. Two very popular standards are ISO/IEC 27001 (Information Security Management Systems) and ISO 9001 (Quality Management Systems). Its privacy standards include, but are not limited to, ISO/IEC 27701 (Privacy Information Management Systems, PIMS) and ISO/IEC 29100 (Privacy Framework), with the former being an extension to ISO/IEC 27001 and ISO/IEC 27002.
Generally Accepted Privacy Principles (GAPP) – Provides an approach for implementing and managing a privacy program in alignment with privacy laws and principles. It was developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Note that the AICPA has since superseded GAPP with its Privacy Management Framework (PMF), so check that you are working from the current version.
Fair Information Practice Principles (FIPPs) – Core privacy principles, such as notice, choice/consent, access/participation, integrity/security, and enforcement/redress, which describe generally accepted practices for handling personal information, particularly in the online marketplace. The version most often cited was articulated by the Federal Trade Commission (FTC), but the FIPPs are not themselves a regulation or law, so adherence is not mandatory. (Do not confuse the abbreviation with FIPS, the Federal Information Processing Standards published by NIST.)
Which one should you adopt?
Just about any of the standards or privacy frameworks may work for your organization, but not just any regulation will apply. Privacy obligations in your jurisdiction, and in the jurisdictions of the individuals whose data you handle, apply based on the personal data your organization collects, processes, and/or stores. Therefore, start by understanding your business operations, mapping them to the relevant privacy obligations, and evaluating the privacy risks. Higher risks will require stronger controls and, therefore, may require a more comprehensive privacy framework. Note that you may adopt multiple frameworks provided they do not conflict with each other, and you may use different frameworks in different jurisdictions.
Here are a few things to consider when selecting your framework:
Size of your organization and privacy budget – COBIT and GAPP are very comprehensive frameworks and will require significant resources to fully implement, while the ISO standards scale more readily. Consider the availability of resources and the change management culture at your organization, since implementing any privacy framework will require commitment from everyone, though to varying degrees.
Jurisdiction – ISO/IEC 27701 PIMS was developed with the GDPR closely in mind (its Annex D maps its controls to GDPR articles) and distinguishes the requirements for PII controllers from those for PII processors. It is, however, regulation-agnostic: certification against it does not by itself demonstrate compliance with any particular law. Consideration should still be given to adopting a framework that aligns closely with the privacy requirements in your jurisdiction and in the places where you do business. If you operate in multiple jurisdictions, picking a scalable/flexible privacy framework or standard will allow you to develop customized controls to cover the varying privacy obligations.
Frameworks already in your environment – Your company has probably already adopted a framework for other operations, such as NIST SP 800-53 for security and privacy controls or ISO 31000 for enterprise risk management. Familiarity with existing standards should make the addition of a privacy framework or standard easier to implement, and in some cases the privacy framework may simply be an extension of one already in place (for example, ISO/IEC 27701 on top of an existing ISO/IEC 27001 ISMS, or the NIST Privacy Framework alongside the NIST Cybersecurity Framework).
Business objectives and strategy – The business strategy will drive where there is greater investment and reliance within the business. If your operations and strategy are heavily reliant on IT to achieve objectives, then selecting a privacy framework with a focus on IT governance may be the best choice, e.g., COBIT. Similarly, if your business operates within a specific sector, then selecting a framework with requirements specific to that sector may work best, e.g., HIPAA for healthcare, or the FTC’s FIPPs for consumer-facing online services.
Cover all your bases – While they may not be explicitly outlined, you should select a framework that can, at a minimum, provide guidance for:
o Policies, Procedures, Processes, and Standards
o Committees and Charters/Terms of Reference
o Education & Awareness
o Inventories and Classification
o Risk Management
o Incident Management
o Program assurance/Compliance monitoring
Once you have selected your framework, there are a few things to remember when implementing it:
Communicate the framework to everyone
Assign ownership at the appropriate levels and get executive buy-in
Maintain alignment with applicable privacy obligations based on your privacy legislation
Incorporate compliance requirements internally
Implement metrics/key performance indicators
Continuously monitor compliance with your framework