Privacy & Data Governance Accountability Framework
An interoperable, practical, and operational structure for managing and
demonstrating compliance with global privacy requirements

As privacy requirements around the world have become increasingly complex, organizations have looked for ways to align obligations across laws and regulations to support effective operationalization of privacy compliance and risk management. Some organizations have also sought to further integrate their privacy programs with their ethics and compliance programs, their enterprise risk management programs, and other governance, risk and compliance programs. The TrustArc-Nymity integrated Privacy and Data Governance Accountability Frameworks combine and align privacy and data governance controls with privacy management activities across the privacy program lifecycle to help organizations effectively achieve these goals and continuously improve upon them over time.
The Integrated Privacy Frameworks are embedded into the TrustArc Platform and the Nymity line of products to enable organizations to simplify and streamline how they meet their privacy goals with intelligent automation that provides contextual insights to enable them to focus on their highest risks and compliance priorities.
Background
Since its introduction in 2013, organizations around the world have been operationalizing global privacy compliance and managing privacy risk through the Nymity Privacy Management Accountability (PMAF) Framework™ tool and effectively bridging the gap between policies and principles, and the implementation of practical and effective privacy management. Since its design in 2016, organizations worldwide have been building, implementing, and demonstrating their privacy program effectiveness, compliance, and maturity using the TrustArc Privacy and Data Governance (P&DG) Framework embedded into the TrustArc platform, intelligence solutions, and the TRUSTe assurance programs.
The Integrated Privacy Frameworks provide proven methodology for structuring privacy program management throughout its lifecycle in your organization and for demonstrating compliance with applicable laws and regulations.
The Core: Three Pillars
The core of the new integrated Frameworks is formed by three pillars: Build, Implement and Demonstrate. These three pillars align with the main phases of developing an accountable compliant privacy program that supports compliance with applicable laws and regulations as they evolve over time.
- Build: Design, establish, and manage a program to ensure effective governance, risk management, policies, processes, and accountability.
- Implement: Define data needs, identify data processing risks, ensure the data processing is lawful, manage data flows and third parties, address individual rights, provide data security, data quality, and transparency.
- Demonstrate: Monitor, evaluate, and report on compliance, control effectiveness, risk, and maturity.
How do I use the Framework Standards and Controls?
The operational controls guide organizations on how to build and implement their privacy program and demonstrate accountability to both internal and external stakeholders. The P&DG (Controls-Based) Framework is designed to be flexible in allowing organizations to use the P&DG Framework at any point in its privacy program development and maturity.
How do I leverage the Privacy Management Categories and Activities?
The PMAF was originally developed for communicating the status of the privacy program, in other words a framework for demonstrating accountability. It was designed to report on any privacy program, no matter how it is structured. For example, it works well with privacy programs structured around privacy principles, rationalized rules, standards and codes. 1000’s of organizations around the world are using the framework to structure their privacy programs.
In 2015, the PMAF was further enhanced with supporting tools after additional on the ground research with over 500 privacy officers across 20 countries and over 50 cities. It has been made available to the global privacy community for free and has become a recognized framework used for a variety of purposes. In fact, the Framework has been recognized as an international standard and is being taught as such at the Singapore Management University in an Advanced Certificate Program on Data Protection Frameworks and Standards.
Are the Frameworks “checklists” of privacy management requirements?
Uses of the Framework
Building a program based on a framework, instead of on the basis of a single law, allows development of policies and procedures on the basis of common data protection and privacy concepts that extend across hundreds of laws and regulations around the world. These can subsequently be aligned with the legal requirements in various jurisdictions, which will in many situations only be different when it comes to specific details. For example, the scope and exercise of individual rights under the CCPA and the GDPR are largely aligned even though the terminology used to describe them and the timeframes for compliance are different. However, that does not need to have an impact on the process steps to take within an organization to verify the identity of a requestor and finding out which data is available about them before providing a response.
A framework-based approach can be implemented at any stage of a privacy program. Even if your privacy program is well-advanced, it can easily be mapped to the TrustArc-Nymity Privacy and Data Governance Accountability Framework™, which in turns allows for easy compliance checks to privacy and data protection laws around the world as they exist today and as they evolve over time.
Although originally designed as a framework for demonstrating accountability, organizations around the world are using the Framework for multiple other purposes.
Privacy Program and Privacy Management uses
Structuring the privacy program. Some organizations, often those with a new privacy program or enhancing their existing program, have found the Frameworks to be effective for structuring the privacy program. They may start with any pillar or standard, may use all 13 Privacy Management Categories or a subset, or may focus on a specific set of controls. For example, an organization that builds technology products may focus initially on the Implement pillar and Privacy Management Category 4 – Embed Data Privacy Into Operations and Privacy Management Category 6 – Manage Information Security Risk to ensure that it is building core privacy controls into its products. That same organization may later focus on the Build Pillar by ensuring that its privacy by design activities and controls are well defined in its policies and procedures, leveraging Privacy Management Category 10 – Monitor for New Operational Practices.
Converting one-time compliance projects into sustainable business operations. Considering the European GDPR compliance efforts as an example, in practice, many companies organized their GDPR project into work packages in order to implement the requirements (whether it is in strategy, assigning responsibilities for the new controls, creating records of processing activities or revisiting notices, policies and procedures). Adoption of the Frameworks makes it easy to identify a stable and natural home for the controls resulting from work packages and deliverables of a GDPR project.
Understanding best practices. Use the frameworks as a comprehensive and up-to-date listing of privacy management activities and core controls. Gain insight into how other organizations are implementing activities to enhance privacy management and to demonstrate accountability.
Baselining and planning. Some organizations use the Frameworks as a checklist to identify existing Privacy Management Activities, how those align with applicable legal and regulatory requirements, as well as standards and controls, and for planning the implementation of new ones.
Prioritizing investments and justifying budgets. The Frameworks help organizations determine which privacy management activities are most important to assure risk management, privacy compliance and accountability. In turn, this helps organizations justify the prioritization on investments and maximize resources.
Benchmarking any stakeholder. The Frameworks provides an effective mechanism to compare the privacy program status and maturity across different areas of the organization, or between two organizations.
Demonstrating Accountability
Communicating privacy and risk. The Frameworks provides a common language for privacy management within the organization. This improves understanding across the organization, such as with key partners in IT, Legal, Compliance, and Finance as well as functional units such as HR, Marketing, Sales, Research, Product, and Engineering. It also serves in reporting the status of the privacy program to executive management, the Board and other key internal and external stakeholders.
Regulatory reporting. Stand ready to demonstrate accountability, on-demand, with evidence to a Data Protection Authority (DPA) or other privacy regulator. Some organizations are using the Frameworks, and tools based on the Frameworks to show due diligence, for example in the event of a data breach to demonstrate that the event was an exception that occurred despite a robust program in place to prevent it, as opposed to a systemic issue.
Management Reporting. Report privacy management in a meaningful and simple way to senior management, C-Suite and Board level.
BCR and APEC CBPR Implementation and Monitoring. Save time and resources using the Frameworks when implementing Binding Corporate Rules (BCRs), APEC Cross Border Privacy Rules and APEC Privacy Recognition for Processors, or other certification program requirements in your organization.
Framework Mapping
The Frameworks have been mapped to over 900 privacy laws, international privacy frameworks, guidelines and regulations from around the world and serves as one framework resulting in compliance with multiple obligations. Mapping a multitude of privacy obligations to the Frameworks has been invaluable to organizations in bridging the gap between policies and procedures and one accountable, efficient, scalable and repeatable privacy management program.