An Interoperable, Practical, and Operational Structure for managing and
demonstrating compliance with the World’s Privacy Requirements
As privacy requirements around the world have become increasingly complex, organizations have looked for ways to align obligations across laws and regulations to support effective operationalization of privacy compliance and risk management. Some organizations have also sought to further integrate their privacy programs with their ethics and compliance programs, their enterprise risk management programs, and other governance, risk and compliance programs. The TrustArc-Nymity integrated Privacy and Data Governance Accountability Frameworks combine and align privacy and data governance controls with privacy management activities across the privacy program lifecycle to help organizations effectively achieve these goals and continuously improve upon them over time.
The Integrated Privacy Frameworks are embedded into the TrustArc Platform and the Nymity line of products to enable organizations to simplify and streamline how they meet their privacy goals with intelligent automation that provides contextual insights to enable them to focus on their highest risks and compliance priorities.
Since its introduction in 2013, organizations around the world have been operationalizing global privacy compliance and managing privacy risk through the Nymity Privacy Management Accountability Framework™ (PMAF) tool, effectively bridging the gap between policies and principles and the implementation of practical and effective privacy management. Since its design in 2016, organizations worldwide have been building, implementing, and demonstrating their privacy program effectiveness, compliance, and maturity using the TrustArc Privacy and Data Governance (P&DG) Framework embedded into the TrustArc platform, intelligence solutions, and the TRUSTe assurance programs.
The Integrated Privacy Frameworks provide a proven methodology for structuring privacy program management throughout its lifecycle in your organization and for demonstrating compliance with applicable laws and regulations.
The core of the new integrated Frameworks is formed by three pillars: Build, Implement and Demonstrate. These three pillars align with the main phases of developing an accountable compliant privacy program that supports compliance with applicable laws and regulations as they evolve over time.
- Build: Design, establish, and manage a program to ensure effective governance, risk management, policies, processes, and accountability.
- Implement: Define data needs, identify data processing risks, ensure the data processing is lawful, manage data flows and third parties, address individual rights, and provide data security, data quality, and transparency.
- Demonstrate: Monitor, evaluate, and report on compliance, control effectiveness, risk, and maturity.
None of these is a one-off exercise, though: each requires continuous review for changed operational practices and legal requirements. This also means that, for example, demonstrating part of the program can lead to the realization that additional controls or privacy management activities need to be implemented to ensure ongoing compliance.
One part of the integrated Framework is based on standards and controls that help organizations develop and mature their privacy programs. The 16 standards and 55 operational controls align with key privacy laws, regulations, regulatory frameworks, and other external standards to support all the key phases of building out and managing a privacy program, and enable it to be integrated with other organizational governance, risk, and compliance programs. The operational controls guide organizations on how to build and implement their privacy program and demonstrate accountability to both internal and external stakeholders. The P&DG (Controls-Based) Framework is designed to be flexible, allowing organizations to adopt it at any point in their privacy program development and maturity.
The other part of the Framework is based on Privacy Management Categories and Activities. This is the part that so far has been publicly known as the Nymity Privacy Management Accountability Framework™. It aligns 13 Privacy Management Categories with key privacy laws, regulations, regulatory frameworks, and other external standards so that the privacy management activities required across jurisdictions are aligned as well. The integration ensures the PMAF can henceforth also be used in combination with the P&DG Framework TAF, but it does not change its content. The thousands of organizations around the world using the Nymity Framework as a basis for their privacy program can continue to do so. The additional mapping, including to the three pillars Build, Implement and Demonstrate, will mainly assist organizations that have not yet based their privacy program on a framework to get started.
The integrated Framework relies upon the three pillars in combination with thirteen privacy management categories that identify the main elements of a privacy program. The 139 underlying privacy management activities then help organizations identify what needs to be done in order to develop a compliant privacy program. Together, these activities form a menu from which organizations can select what is applicable and/or relevant to them.
The PMAF was originally developed for communicating the status of the privacy program, in other words as a framework for demonstrating accountability. It was designed to report on any privacy program, no matter how it is structured. For example, it works well with privacy programs structured around privacy principles, rationalized rules, standards, and codes. Thousands of organizations around the world are using the framework to structure their privacy programs.
In 2015, the PMAF was further enhanced with supporting tools after additional on-the-ground research with over 500 privacy officers across 20 countries and over 50 cities. It has been made available to the global privacy community for free and has become a recognized framework used for a variety of purposes. In fact, the Framework has been recognized as an international standard and is being taught as such at the Singapore Management University in an Advanced Certificate Program on Data Protection Frameworks and Standards.
No. The Frameworks are not a one-size-fits-all approach and should not be implemented as such. They may be considered a "menu", not a checklist. Different sectors and individual organizations have different situations, needs, and risk profiles, and they customize their use of the Integrated Frameworks according to their unique needs and risks.
The Framework can be used at no cost by any organization that wants to develop a structured privacy program. A framework-based privacy program is regarded by many as a strong accountability tool, since it also allows organizations to tell the story behind their privacy program. The Framework provides a common language for privacy management, such as the basis for decisions that were made, how the policies and procedures were developed, and how these link to evidence of compliance and effective management of controls across the organization.
Building a program based on a framework, instead of on the basis of a single law, allows development of policies and procedures on the basis of common data protection and privacy concepts that extend across hundreds of laws and regulations around the world. These can subsequently be aligned with the legal requirements in various jurisdictions, which in many situations differ only in specific details. For example, the scope and exercise of individual rights under the CCPA and the GDPR are largely aligned even though the terminology used to describe them and the timeframes for compliance are different. However, that does not need to have an impact on the process steps an organization takes to verify the identity of a requestor and find out which data is available about them before providing a response.
A framework-based approach can be implemented at any stage of a privacy program. Even if your privacy program is well advanced, it can easily be mapped to the TrustArc-Nymity Privacy and Data Governance Accountability Framework™, which in turn allows for easy compliance checks against privacy and data protection laws around the world as they exist today and as they evolve over time.
Although originally designed as a framework for demonstrating accountability, organizations around the world are using the Framework for multiple other purposes including:
Some organizations, often those with a new privacy program or enhancing their existing program, have found the Frameworks to be effective for structuring the privacy program. They may start with any pillar or standard, may use all 13 Privacy Management Categories or a subset, or may focus on a specific set of controls. For example, an organization that builds technology products may focus initially on the Implement pillar and Privacy Management Category 4 – Embed Data Privacy Into Operations and Privacy Management Category 6 – Manage Information Security Risk to ensure that it is building core privacy controls into its products. That same organization may later focus on the Build Pillar by ensuring that its privacy by design activities and controls are well defined in its policies and procedures, leveraging Privacy Management Category 10 – Monitor for New Operational Practices.
Some organizations use the Frameworks as a checklist to identify existing Privacy Management Activities, how those align with applicable legal and regulatory requirements, as well as standards and controls, and for planning the implementation of new ones.
The Frameworks provide an effective mechanism to compare privacy program status and maturity across different areas of the organization, or between two organizations.
Many privacy officers see the opportunity for privacy to be more effectively integrated into an organization’s data and risk management responsibilities and to shift accountability to the business, which in turn will allow the organization to address more risk areas and incorporate privacy by design throughout the organization. The Frameworks are used as a structure to ensure the creation and maintenance of “accountability mechanisms” – processes, standards, and tools that organizations use to mitigate privacy risk – that ultimately empower the business and support ongoing compliance and monitoring of the program.
Use the frameworks as a comprehensive and up-to-date listing of privacy management activities and core controls. Gain insight into how other organizations are implementing activities to enhance privacy management and to demonstrate accountability.
Considering the European GDPR compliance efforts as an example, in practice, many companies organized their GDPR project into work packages in order to implement the requirements (whether it is in strategy, assigning responsibilities for the new controls, creating records of processing activities or revisiting notices, policies and procedures). Adoption of the Frameworks makes it easy to identify a stable and natural home for the controls resulting from work packages and deliverables of a GDPR project.
The Frameworks help organizations determine which privacy management activities are most important to assure risk management, privacy compliance, and accountability. In turn, this helps organizations justify the prioritization of investments and maximize resources.
Demonstrate that an effective program is in place and demonstrate accountability for:
The Frameworks provide a common language for privacy management within the organization. This improves understanding across the organization, such as with key partners in IT, Legal, Compliance, and Finance as well as functional units such as HR, Marketing, Sales, Research, Product, and Engineering. It also serves in reporting the status of the privacy program to executive management, the Board, and other key internal and external stakeholders.
Stand ready to demonstrate accountability, on demand, with evidence to a Data Protection Authority (DPA) or other privacy regulator. Some organizations are using the Frameworks, and tools based on the Frameworks, to show due diligence, for example in the event of a data breach, to demonstrate that the event was an exception that occurred despite a robust program in place to prevent it, as opposed to a systemic issue.
Save time and resources using the Frameworks when implementing Binding Corporate Rules (BCRs), APEC Cross Border Privacy Rules and APEC Privacy Recognition for Processors, or other certification program requirements in your organization.
Report privacy management in a meaningful and simple way to senior management, C-Suite and Board level.
The Frameworks are also used by organizations to audit and assess privacy management throughout the organization. They have been effective for assembling the necessary documentation and facilitating more effective collaboration between auditor and auditee in internal audits as well as assurance assessments and validation reviews.
The Frameworks have been mapped to over 900 privacy laws, international privacy frameworks, guidelines, and regulations from around the world and serve as one framework supporting compliance with multiple obligations. Mapping a multitude of privacy obligations to the Frameworks has been invaluable to organizations in bridging the gap between policies and procedures and one accountable, efficient, scalable, and repeatable privacy management program.