TrustArc-Nymity Integrated Privacy Frameworks

An Interoperable, Practical, and Operational Structure for managing and
demonstrating compliance with the World’s Privacy Requirements

As privacy requirements around the world have become increasingly complex, organizations have looked for ways to align obligations across laws and regulations to support effective operationalization of privacy compliance and risk management. Some organizations have also sought to further integrate their privacy programs with their ethics and compliance programs, their enterprise risk management programs, and other governance, risk and compliance programs. The TrustArc-Nymity integrated Privacy and Data Governance Accountability Frameworks combine and align privacy and data governance controls with privacy management activities across the privacy program lifecycle to help organizations effectively achieve these goals and continuously improve upon them over time.

The Integrated Privacy Frameworks are embedded into the TrustArc Platform and the Nymity line of products to enable organizations to simplify and streamline how they meet their privacy goals with intelligent automation that provides contextual insights to enable them to focus on their highest risks and compliance priorities.


The Core: Three Pillars

The core of the new integrated Frameworks is formed by three pillars: Build, Implement and Demonstrate. These three pillars align with the main phases of developing an accountable compliant privacy program that supports compliance with applicable laws and regulations as they evolve over time.

  • Build: Design, establish, and manage a program to ensure effective governance, risk management, policies, processes, and accountability.
  • Implement: Define data needs, identify data processing risks, ensure the data processing is lawful, manage data flows and third parties, address individual rights, provide data security, data quality, and transparency.
  • Demonstrate: Monitor, evaluate, and report on compliance, control effectiveness, risk, and maturity.

Neither is a one-off exercise though – each requires continuous review for changed operational practices and legal requirements. This also means that, for example, the demonstration of part of the program can lead to the realization that additional controls or privacy management activities will need to be implemented to ensure ongoing compliance.

nymity-framework

•••

 

1. How do I use the Framework Standards and Controls?

One part of the integrated Framework is based on standards and controls, that will help organizations develop and mature their privacy programs. The 16 standards and 55 operational controls align with key privacy laws, regulations, regulatory frameworks, and other external standards to support all the key phases of building out and managing a privacy program, and enabling it to be integrated with other organizational governance, risk, and compliance programs. The operational controls guide organizations on how to build and implement their privacy program and demonstrate accountability to both internal and external stakeholders. The P&DG (Controls-Based) Framework is designed to be flexible in allowing organizations to use the P&DG Framework at any point in its privacy program development and maturity.

nymity-framework

•••

 

2. How do I leverage the Privacy Management Categories and Activities?

The other part of the Framework is based on Privacy Management Categories and Activities. This is the part that so far has been publicly known as the Nymity Privacy Management Accountability Framework™ and also aligns 13 Privacy Management Categories with key privacy laws, regulations, regulatory frameworks and other external standards to align privacy management activities that are required across jurisdictions. The integration ensures the PMAF can henceforth also be used in combination with the P&DG Framework TAF, but it does not change its content. The thousands of organisations around the world using the Nymity Framework as a basis for their privacy program can continue to do so. The additional mapping, including to the three pillars Build, Implement and Demonstrate, will mainly assist those organisations that have not yet based their privacy program on a framework to get started.

The integrated Framework relies upon the three pillars in combination with thirteen privacy management categories, that identify the main elements of a privacy program. The 139 underlying privacy management activities subsequently help organisations to identify what needs to be done, in order to develop a compliant privacy program. These activities together form a menu from which organisations can select what is applicable and/or relevant to them.

The PMAF was originally developed for communicating the status of the privacy program, in other words a framework for demonstrating accountability. It was designed to report on any privacy program, no matter how it is structured. For example, it works well with privacy programs structured around privacy principles, rationalized rules, standards and codes. 1000’s of organizations around the world are using the framework to structure their privacy programs.

In 2015, the PMAF was further enhanced with supporting tools after additional on the ground research with over 500 privacy officers across 20 countries and over 50 cities. It has been made available to the global privacy community for free and has become a recognized framework used for a variety of purposes. In fact, the Framework has been recognized as an international standard and is being taught as such at the Singapore Management University in an Advanced Certificate Program on Data Protection Frameworks and Standards.

nymity-framework

•••

 

3. Are the Frameworks “checklists” of privacy management requirements?

No. The Frameworks are not a one-size-fits-all approach and should not be implemented as such. It may be considered a “menu”, not a checklist. Different sectors and individual organizations have different situations, needs and risk profiles and customize use of the Integrated Frameworks according to their unique needs and risks.