Managing a cross-border privacy program can be a challenge when your organization needs to comply with a multitude of privacy laws, each with its own specific requirements. Many organisations have therefore decided to use a compliance framework as the backbone of their privacy program. This has the advantage that a standard set of criteria can be used to build out the program, and those criteria are in turn mapped to the various legal requirements.
In 2013, Nymity started the development of its Privacy Management Accountability Framework™ (PMAF), which is currently used by thousands of companies around the world. It was originally developed for communicating the status of the privacy program and for demonstrating accountability, and it was designed to report on any privacy program, no matter how it is structured. TrustArc, for its part, developed the TrustArc Privacy and Data Governance Framework (P&DG Framework), which is embedded deep in its intelligence and operational software solutions as well as in the TRUSTe assurance programs. Since the two companies combined forces in November 2019, the joint teams have worked to integrate the two frameworks, resulting in today’s launch of the TrustArc-Nymity Privacy and Data Governance Accountability Framework™ (the Framework).
The Core: Three Pillars
The core of the new integrated Framework consists of three pillars: Build, Implement and Demonstrate. These three pillars align with the main phases of developing an accountable privacy program that supports compliance with applicable laws and regulations as they evolve over time.
- Build: Design, establish, and manage a program to ensure effective governance, risk management, policies, processes, and accountability.
- Implement: Define data needs, identify data processing risks, ensure the data processing is lawful, manage data flows and third parties, address individual rights, provide data security, data quality, and transparency.
- Demonstrate: Monitor, evaluate, and report on compliance, control effectiveness, risk, and maturity.
None of these is a one-off exercise, though: each requires continuous review for changed operational practices and legal requirements. This also means that, for example, demonstrating part of the program can lead to the realization that additional controls or privacy management activities need to be implemented to ensure ongoing compliance.
Standards & Controls
One part of the integrated Framework is based on standards and controls that help organisations develop and mature their privacy programs. The 16 standards and 55 operational controls align with key privacy laws, regulations, and other external standards to support all phases of building out and managing a privacy program, and to enable it to be integrated with other organizational governance, risk, and compliance programs. The operational controls guide organizations on how to build and implement their privacy program and demonstrate accountability to both internal and external stakeholders. The P&DG (Controls-Based) Framework is designed to be flexible, allowing organizations to adopt it at any point in their privacy program’s development and maturity.
Privacy Management Categories and Activities
The other part of the Framework is based on Privacy Management Categories and Activities. This is the part that has so far been publicly known as the Nymity Privacy Management Accountability Framework™. It aligns 13 Privacy Management Categories with key privacy laws, regulations, regulatory frameworks and other external standards, so that the privacy management activities required across jurisdictions can be identified. The integration ensures the PMAF can henceforth also be used in combination with the P&DG Framework, but it does not change its content. The thousands of organisations around the world using the Nymity Framework as a basis for their privacy program can continue to do so. The additional mapping, including to the three pillars Build, Implement and Demonstrate, will mainly assist organisations that have not yet based their privacy program on a framework to get started.
The integrated Framework relies upon the three pillars in combination with thirteen privacy management categories, which identify the main elements of a privacy program. The 139 underlying privacy management activities then help organisations identify what needs to be done in order to develop a compliant privacy program. Together these activities form a menu from which organisations can select what is applicable and/or relevant to them.
Using the Framework
The Framework can be used at no cost by any organization that wants to develop a structured privacy program. A framework-based privacy program is regarded by many as a strong accountability tool, since it also allows organizations to tell the story behind their privacy program: which choices were made, how the policies and procedures were developed, and how these link to the evidence of compliance that is available throughout the organization. The Framework provides a common language for privacy management.
Building a program on the basis of a framework, instead of a single law, allows policies and procedures to be developed from common data protection and privacy concepts that extend across hundreds of laws and regulations around the world. These can subsequently be aligned with the legal requirements in the various jurisdictions, which in many situations differ only in specific details. For example, the scope and exercise of individual rights under the CCPA and the GDPR are largely aligned, although some of the terminology used to describe them and the timeframes for responding differ. That does not need to affect the steps an organization takes to verify the identity of a requestor and to find out which data it holds about them before providing a response.
A framework-based approach can be implemented at any stage of a privacy program. Even if your privacy program is well advanced, it can easily be mapped to the TrustArc-Nymity Privacy and Data Governance Accountability Framework™, which in turn allows for straightforward compliance checks against privacy and data protection laws around the world, both today and as they change in the future.
The TrustArc-Nymity Privacy and Data Governance Accountability Framework™ is fully integrated into the various modules of the TrustArc platform. Our operational and intelligence solutions, including the Data Inventory Hub and the Assessment Manager, as well as the Privacy and Risk Profiles, rely upon the Framework to assist organisations in documenting their compliance requirements and identifying gaps and other risks. Planner and Benchmarks help organisations keep track of the privacy program itself, including the necessary regular reviews. Finally, our knowledge solutions, including Operational Templates & Resources, provide organisations with the relevant building blocks to further develop their privacy programs.
The Privacy and Data Governance Framework™ is available to download at no cost here. If you would like to hear more about the background of the Framework and how it can be used on a daily basis as part of your privacy programme, please watch our webinar “Privacy Frameworks: The Foundation for Every Privacy Program”.