A Four-Step Approach to Adopting a Privacy Framework

Author: Minaz Khan, CISA, CIPT
Date Published: 1 April 2021

Organizations with mature privacy programs are reaping more benefits than average and are finding it easier to comply with new privacy regulations, according to Cisco’s 2021 Privacy Benchmark Study. But what is the best way to build and measure privacy maturity? Privacy frameworks are an excellent tool for evaluating, monitoring and improving privacy programs. Because there are only a few traditional frameworks for privacy currently available (e.g., the National Institute of Standards and Technology [NIST] Privacy Framework), in this case the term “framework” is used more broadly to include standards and regulations (e.g., International Organization for Standardization [ISO] 29100 and the EU General Data Protection Regulation [GDPR]) that organizations can leverage to build, govern and mature their privacy practices. Regardless of which framework an organization selects, it can advance privacy maturity when implemented properly.

Selecting a Framework
Many organizations select a framework when trying to solve privacy challenges such as shifting regulatory requirements, conflicting or changing policies/procedures, duplicate compliance efforts and increased operational costs. Choosing a single framework as a foundation for a program solves a lot of these challenges and makes it easier to adapt to organizational and regulatory change.

But selecting a privacy framework is not without its own hurdles. To overcome or avoid these issues, there are a few key questions that should be asked:

  • Who should be involved?
  • How will a framework benefit the organization?
  • Which business processes may be impacted?
  • Which frameworks are already being used within the organization?
  • What regulatory requirements (e.g., Health Insurance Portability and Accountability Act [HIPAA], California Consumer Privacy Act [CCPA], GDPR) should be considered?

Although a privacy framework is focused on privacy efforts, it impacts many other parts of the organization and may overlap with other frameworks being used by other business functions.

It may be helpful to involve personnel from various functions, such as cybersecurity, IT, information security, legal, compliance, internal audit and risk management, as well as key business process owners. Including a range of business functions in the selection process is important, but an authority (likely whoever leads the organization’s privacy efforts) should also be established to make the final decision.

No matter what framework is selected, it should support organizational objectives, enterprise strategy and stakeholder needs. If it fails to align with any of these elements, enterprise-wide adoption will be difficult, inhibiting the framework’s success.

Implementing Your Privacy Framework
There is no one-size-fits-all approach when it comes to selecting and adopting a framework. However, taking the following four steps can ensure that framework implementation is efficient:

  1. Framework and regulation mapping—If the organization needs to comply with multiple privacy regulations, it will need to map out how they overlap with the selected framework and with each other. In addition, this is the time to factor in any other frameworks (e.g., the NIST Cybersecurity Framework, ISO 27001) the organization uses to make sure everything is aligned. Mapping out control areas and grouping them by regulation and framework can reduce the complexity.
  2. Tailoring to the enterprise—Tailoring your framework to the organization’s specific privacy risk and regulatory requirements will help in making the implementation process smoother. This means modifying controls to align with specific business functions and the operating environment, which will require input from other parts of the business. But working with other teams to integrate your framework should help ensure enterprise-wide adoption.
  3. Documentation—There may be instances where a specific control does not apply to the organization. It is good practice to document the business reasons for not implementing the control. If appropriate documentation of the reasoning behind the exception is maintained, it will be a resource for any future audits and assessments.
  4. Communication—A key part of successful adoption is communication. It is important to communicate any upcoming changes with core business teams within the organization. Providing appropriate support to the teams that may need to make changes as a result of the framework adoption is beneficial.

Whichever framework or combination of frameworks is chosen, there should be a strategy in place to carry out the controls for ensuring information privacy and data security. Simply having a privacy program and utilizing a framework on paper is not enough. The organization must have a process in place to be able to implement, manage and enhance controls, as well as processes for regularly reviewing controls to ensure effectiveness.

The Benefits of a Privacy Framework
Once the organization has successfully installed a privacy framework, implemented corresponding controls and set up a program for monitoring, the organization gets to reap all the wonderful benefits a framework provides. These include:

  • Streamlined compliance
  • Measurable results
  • Reduced costs
  • Improved risk mitigation
  • Effective program evaluation
  • Alignment with enterprise strategy
  • Unification of privacy, security and compliance efforts
  • A sustainable privacy program

Choosing and implementing a privacy framework requires a significant investment of time and effort up front, but it ultimately provides the organization with an efficient, mature privacy program that protects critical information and supports business goals.

Editor’s note: For further insights and examples on this topic, read Minaz Khan’s recent Journal article, “A Guide for Selecting and Adopting a Privacy Framework,” ISACA Journal, volume 2, 2021.