Privacy & Data Governance Accountability Framework

An interoperable, practical, and operational structure for managing and
demonstrating compliance with global privacy requirements

As privacy requirements around the world have become increasingly complex, organizations have looked for ways to align obligations across laws and regulations to support effective operationalization of privacy compliance and risk management. Some organizations have also sought to further integrate their privacy programs with their ethics and compliance programs, their enterprise risk management programs, and other governance, risk and compliance programs. The TrustArc-Nymity integrated Privacy and Data Governance Accountability Frameworks combine and align privacy and data governance controls with privacy management activities across the privacy program lifecycle to help organizations effectively achieve these goals and continuously improve upon them over time.

The Integrated Privacy Frameworks are embedded into the TrustArc Platform and the Nymity line of products to enable organizations to simplify and streamline how they meet their privacy goals with intelligent automation that provides contextual insights to enable them to focus on their highest risks and compliance priorities.

Download Framework Resources

Background

Since its introduction in 2013, organizations around the world have been operationalizing global privacy compliance and managing privacy risk through the Nymity Privacy Management Accountability (PMAF) Framework™ tool and effectively bridging the gap between policies and principles, and the implementation of practical and effective privacy management. Since its design in 2016, organizations worldwide have been building, implementing, and demonstrating their privacy program effectiveness, compliance, and maturity using the TrustArc Privacy and Data Governance (P&DG) Framework embedded into the TrustArc platform, intelligence solutions, and the TRUSTe assurance programs.

The Integrated Privacy Frameworks provide proven methodology for structuring privacy program management throughout its lifecycle in your organization and for demonstrating compliance with applicable laws and regulations.

The Core: Three Pillars

The core of the new integrated Frameworks is formed by three pillars: Build, Implement and Demonstrate. These three pillars align with the main phases of developing an accountable compliant privacy program that supports compliance with applicable laws and regulations as they evolve over time.

Build: Design, establish, and manage a program to ensure eﬀective governance, risk management, policies, processes, and accountability.
Implement: Define data needs, identify data processing risks, ensure the data processing is lawful, manage data flows and third parties, address individual rights, provide data security, data quality, and transparency.
Demonstrate: Monitor, evaluate, and report on compliance, control eﬀectiveness, risk, and maturity.

Neither is a one-off exercise though – each requires continuous review for changed operational practices and legal requirements. This also means that, for example, the demonstration of part of the program can lead to the realization that additional controls or privacy management activities will need to be implemented to ensure ongoing compliance.

Uses of the Framework

The Framework can be used at no cost by any organization that wants to develop a structured privacy program. A framework-based privacy program is regarded by many as a strong accountability tool, since it also allows organizations to tell the story behind their privacy program. The Framework provides a common language for privacy management, such as the basis for decisions that were made, how the policies and procedures were developed, and how these link to evidence of compliance and effective management of controls across the organization.

Building a program based on a framework, instead of on the basis of a single law, allows development of policies and procedures on the basis of common data protection and privacy concepts that extend across hundreds of laws and regulations around the world. These can subsequently be aligned with the legal requirements in various jurisdictions, which will in many situations only be different when it comes to specific details. For example, the scope and exercise of individual rights under the CCPA and the GDPR are largely aligned even though the terminology used to describe them and the timeframes for compliance are different. However, that does not need to have an impact on the process steps to take within an organization to verify the identity of a requestor and finding out which data is available about them before providing a response.

A framework-based approach can be implemented at any stage of a privacy program. Even if your privacy program is well-advanced, it can easily be mapped to the TrustArc-Nymity Privacy and Data Governance Accountability Framework™, which in turns allows for easy compliance checks to privacy and data protection laws around the world as they exist today and as they evolve over time.

Although originally designed as a framework for demonstrating accountability, organizations around the world are using the Framework for multiple other purposes.

Framework Mapping

The Frameworks have been mapped to over 900 privacy laws, international privacy frameworks, guidelines and regulations from around the world and serves as one framework resulting in compliance with multiple obligations. Mapping a multitude of privacy obligations to the Frameworks has been invaluable to organizations in bridging the gap between policies and procedures and one accountable, efficient, scalable and repeatable privacy management program.

Download Framework Resources