US Dept of Commerce: How to establish a privacy framework
PRIVACY is a big concern for customers, enterprises, and regulators in the digital age.
With the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) now in play, and lawmakers across APAC and around the world formulating their own privacy laws, attention must be paid to monitoring, managing, and meeting privacy requirements.
Unfortunately, although organizations are aware of the issues, they don’t always seem to have a plan. As a result, they face a significant risk when it comes to data privacy.
To help businesses, especially those without a concrete and proactive risk mitigation strategy in place, the US Department of Commerce’s National Institute of Standards and Technology (NIST) has recently issued a discussion draft titled NIST Privacy Framework: An Enterprise Risk Management Tool.
The 38-page document has plenty of interesting information relevant to enterprises, but one important section that SMEs cannot afford to skip is the one with a model to establish a privacy program.
The NIST recommends using a straightforward model of “ready, set, go” phases to create a new privacy program and suggests repeating the phases as necessary to continuously improve privacy.
Let’s delve deeper into the three phases to understand how business leaders can use the model right away to get started with building their own privacy program.
Phase 1: Ready
According to the NIST, effective privacy risk management requires that leaders understand the organization’s business and legal environment, assess its enterprise risk tolerance, and map out its privacy risks.
The company also needs to review its systems, products, and services, and its role and relationship with other organizations in the ecosystem.
“It is important that an organization identifies emerging privacy risks to gain a better understanding of the impacts of its systems, products, or services on individuals,” said the document.
Experts suggest that this phase is the most important because it helps the company understand what it actually needs to do in order to get started with addressing its privacy concerns.
Phase 2: Set
Organizations need to understand the different categories and subcategories of risk they face, establish a credible baseline, and then go from there.
Doing this might be a little difficult for first-timers, so organizations might consider working with a subject matter expert or a consultant.
That said, the NIST framework emphasizes continuous improvement, so organizations that get started on their own are not at a disadvantage: gaps can be addressed in later iterations.
Phase 3: Go
With the action plan “set,” the organization prioritizes which actions to take to address any gaps, and then adjusts its current privacy practices in order to achieve the targets or goals it needs to meet.
For further guidance, the NIST has published online informative references that support achieving the outcomes in each category and subcategory.
The NIST recommends that organizations determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.
“An organization can cycle through the phases non-sequentially as needed to continuously assess and improve its privacy posture,” the report highlights.