In the 21st century many organizations face challenges in designing, operating,
or using technologies in ways that are mindful of diverse privacy needs in an
increasingly connected and complex environment. Current cutting-edge
technologies, which enhance convenience, efficiency and economic growth, are
raising further concerns about their impacts on individuals’ privacy. While
good cybersecurity practices help manage privacy risk by protecting individuals’
information, privacy risks can also arise from how organizations collect,
store, use, and share this information to meet their mission or business
objectives, as well as from how individuals interact with products and services.
The use of detailed data about individuals in those new technologies can make
protecting their privacy harder. Today new technology solutions are needed to
efficiently manage and operationalize data privacy: many organizations have an
increasing reliance on data to drive business, there is an influx of new
technologies into the workplace, and there are regulatory requirements to
demonstrate ongoing compliance. Two projects are aiming to help with meeting
this challenge:
· Recently the National Institute of Standards and Technology (NIST) announced
a collaborative project to develop a voluntary privacy framework to help
organizations better identify, assess, prioritize, manage, and communicate
privacy risks; bridge the gaps between privacy professionals and senior
executives to foster the development of innovative approaches to flexibly and
effectively protect individuals’ privacy without stifling innovation; and
increase trust in products and services. NIST’s approach for this framework is
based on the successful, open, transparent, and collective approach used to
develop NIST’s Cybersecurity Framework. Unofficially, this new framework’s aim
is to create a common vocabulary between lawyers, privacy practitioners,
developers, the cybersecurity team and the C-suite to enable true privacy
engineering (NIST has mapped the Cybersecurity Framework to the Privacy
Framework core to assist organizations in identifying similarities and
differences and developing a streamlined risk management process for both).
· In the last several years, the privacy technology market has gone from an
emerging space to a full-blown, dynamic ecosystem. With new and robust
compliance requirements, many established companies are now part of the privacy
technology menu, making for a rich marketplace. To help companies navigate the
influx of solutions, the IAPP created the Privacy Tech Vendor Report, which
encompasses product categories in the privacy ecosystem. The report contains
information from privacy practitioners that is meant to help companies decide
which privacy product categories will be the best fit for driving and scaling
privacy compliance.
The subcategory level in the NIST Privacy Framework presents privacy controls
or capabilities organizations should consider adopting to address privacy risk.
These subcategories, which can be aligned with organizations’ privacy programs,
range from “data elements can be accessed for deletion” to “records of data
disclosures are maintained and can be shared.” A map between the subcategories
in the NIST Privacy Framework and the privacy product categories from the
Privacy Vendor Report, with additional Governance and Technical and
Organizational Measures, can be used by the privacy technology market and by
organizations to align privacy measures or technical solutions to the privacy
controls or capabilities while better addressing privacy risks. Additionally,
mapping prioritized privacy product categories to each equally weighted
subcategory in the NIST Privacy Framework can help organizations make better
decisions on the best way to accomplish needed privacy controls and
capabilities and deal with privacy risks based on their risk appetite.
Next, I briefly present the Core functions of the NIST Privacy Framework,
including example categories for each, and general details on each privacy
product category or essential privacy measure, based on a prioritized map
between the NIST Privacy Framework and the privacy measures and privacy product
categories.
According to the NIST Privacy Framework, the following
five Core functions should be performed concurrently and continuously to form
or enhance an operational culture that addresses the dynamic nature of privacy
risk.
· Identify – Understand the business context, including the privacy interests
of individuals affected, and legal/regulatory requirements. Prioritize efforts,
consistent with risk management strategy and business needs. Examples of
categories include: Inventory and Mapping, Business Environment, Governance,
and Risk Assessment.
· Protect – Implement safeguards that enable authorized data processing to be
conducted in a protected state. Examples of categories include: Identity
Management, Authentication, Access Control, Awareness and Training, Data
Security, and Protected Processing.
· Control – Enable data management, by organizations and individuals, with
sufficient granularity to manage privacy risks. Examples of categories include:
Policies, Processes, and Procedures; and Data Management.
· Inform – Enable organizations and individuals to have reliable information
about how data are processed to manage privacy risk effectively. Examples of
categories include: Transparency Processes and Procedures, and Data Processing
Awareness.
· Respond – Implement appropriate activities to take action regarding a privacy
breach or event. Examples of categories include: Mitigation and Redress.
The following is a prioritized list of privacy product categories and essential
privacy measures, with highlighted contributions to privacy controls and
capabilities, aligned with the equally weighted subcategories in the NIST
Privacy Framework.
· Data Governance is, among other things, a privacy measure: the exercise of
authority and control in the organization over the management of data assets,
through planning, supervision and control over data management and use, while
leading toward achieving goals. Established data governance controls contribute
to many subcategories in the NIST Privacy Framework and are key to reporting on
data privacy risks, managing regulatory requirements, educating stakeholders on
privacy awareness, authorizing data processing and responding to data breaches.
· Technical and Organizational Measures (TOMs) help to ensure a level of
security appropriate to the privacy risk through ongoing confidentiality,
integrity, availability, access to and resilience of data processing and the
personal data. TOMs include authentication, authorization, accounting, network
traffic control, vulnerability management and data encryption, along with data
minimization and retention, and privacy-by-design solutions.
· Assessment Management solutions help with privacy impact assessments,
locating and managing risks and demonstrating compliance. Those solutions
enhance visibility into business context, regulatory requirements and privacy
risks, and support effort prioritization for risk remediation.
· Data Mapping solutions allow building and managing asset inventories and
mapping of personal data flows. Those solutions enhance visibility into data
processing and therefore have a high positive impact on personal data
protection and control.
· Incident Response solutions help with managing data breach response processes
through workflows and information on data breach notification laws.
· Data Subject Access Request solutions help with receiving and managing
individuals' requests for accessing, changing, correcting and deleting their
personal data.
· Consent Management solutions support collecting, tracking, demonstrating and
managing individuals’ consent while allowing individuals control over their
communication preferences. Those solutions allow organizations to inform
individuals about data processing and enhance their control over their personal
data.
· Data Discovery solutions help to determine and classify, along with business
context, what kind of personal data is possessed, to help manage privacy risk
and compliance.
· Privacy Information Managers help to track information about data privacy
regulations, laws and guidelines at a global scale in an effective and
efficient way, while helping to achieve individuals’ privacy interests and
supporting data privacy compliance management.
· De-Identification/Pseudonymity solutions help data scientists, researchers
and other stakeholders derive value from datasets without compromising the
privacy of individuals in a given dataset, either by generating distinct
pairwise identifiers with no identifying information about an individual, which
discourages individual activity tracking and profiling beyond the operational
requirements established by an organization, or by removing personally
identifiable information from datasets.
· Activity Monitoring solutions help to manage risks to personal data based on
detailed information on how it is used and who and what can access it.
· Data Breach Notification services help with a complete communication solution
on data breaches to support affected individuals in managing their risks.
· Website Scanning solutions scan and report on websites' cookies and other
trackers and help to ensure compliance with cookie laws and regulations through
tailored banners, preference center and cookie disclosures.