
Implementing the NIST Privacy Framework – Governance Function | Ankura Cybersecurity and Data Privacy

The National Institute of Standards and Technology (NIST) Privacy Framework is a widely used set of controls that helps organizations identify privacy risks in their business environment and allocate resources to mitigate those risks. Our team previously published an article outlining the best ways to leverage the NIST Privacy Framework (NIST-P) to assess data privacy posture, develop readiness roadmaps, and mature organizational privacy programs.

The NIST Privacy Framework consists of 100 controls divided into five main functions. We also published an article on how organizations can best implement the first function, Identify. This article is the next in a series focusing on each of the five main functions. Here we describe the Govern function and the corresponding privacy management activities to consider in order to align with the NIST Privacy Framework.

NIST defines the Govern function as the ability to develop and implement the organizational governance structure to enable an ongoing understanding of the organization's risk management priorities that are informed by privacy risk. The Govern function has four categories: governance policies, processes and procedures (GV.PO-P); risk management strategy (GV.RM-P); awareness and training (GV.AT-P); and monitoring and review (GV.MT-P). Together these categories contain 20 sub-category controls, listed in Table 1 below.

Table 1

| Category | Sub-category |
|---|---|
| Governance policies, processes and procedures (GV.PO-P): The policies, processes and procedures to manage and monitor the organization's regulatory, legal, risk, environmental and operational requirements are understood and inform the management of privacy risk. | GV.PO-P1: Organizational privacy values and policies (e.g., conditions on data processing such as data uses or retention periods, individuals' prerogatives with respect to data processing) are established and communicated. |
| | GV.PO-P2: Processes to instill organizational privacy values within system/product/service development and operations are established and in place. |
| | GV.PO-P3: Roles and responsibilities for the workforce are established with respect to privacy. |
| | GV.PO-P4: Privacy roles and responsibilities are coordinated and aligned with third-party stakeholders (e.g., service providers, customers, partners). |
| | GV.PO-P5: Legal, regulatory and contractual requirements regarding privacy are understood and managed. |
| | GV.PO-P6: Governance and risk management policies, processes and procedures address privacy risks. |
| Risk management strategy (GV.RM-P): The organization's priorities, constraints, risk tolerances and assumptions are established and used to support operational risk decisions. | GV.RM-P1: Risk management processes are established, managed and agreed to by organizational stakeholders. |
| | GV.RM-P2: Organizational risk tolerance is determined and clearly expressed. |
| | GV.RM-P3: The organization's determination of risk tolerance is informed by its role(s) in the data processing ecosystem. |
| Awareness and training (GV.AT-P): The organization's workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures and agreements and the organization's privacy values. | GV.AT-P1: The workforce is informed and trained on its roles and responsibilities. |
| | GV.AT-P2: Senior executives understand their roles and responsibilities. |
| | GV.AT-P3: Privacy personnel understand their roles and responsibilities. |
| | GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities. |
| Monitoring and review (GV.MT-P): The policies, processes and procedures for ongoing review of the organization's privacy posture are understood and inform the management of privacy risk. | GV.MT-P1: Privacy risk is re-evaluated on an ongoing basis and as key factors change, including the organization's business environment (e.g., introduction of new technologies), governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services. |
| | GV.MT-P2: Privacy values, policies and training are reviewed and any updates are communicated. |
| | GV.MT-P3: Policies, processes and procedures for assessing compliance with legal requirements and privacy policies are established and in place. |
| | GV.MT-P4: Policies, processes and procedures for communicating progress on managing privacy risks are established and in place. |
| | GV.MT-P5: Policies, processes and procedures are established and in place to receive, analyze and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers, professional events). |
| | GV.MT-P6: Policies, processes and procedures incorporate lessons learned from problematic data actions. |
| | GV.MT-P7: Policies, processes and procedures for receiving, tracking and responding to complaints, concerns and questions from individuals about organizational privacy practices are established and in place. |

Assessing an organization's privacy posture against the Govern function controls

Organizations can consider the following questions to assess their current privacy posture in relation to the Govern function of the NIST Privacy Framework:

  1. What policies, procedures and guidelines have been developed to orient employees on the organization's obligations to comply with data protection laws?
  2. Does the organization integrate Privacy by Design into system and product development and into business processes?
  3. Has the organization documented key roles and responsibilities related to privacy and information security?
  4. Are business functions such as privacy, information security and IT involved in the procurement and legal review process?
  5. Do the organization's governance and risk management policies and procedures address privacy risks, and is the organization's risk tolerance communicated?
  6. Does the organization have formal procedures in place to conduct Privacy Impact Assessments (PIAs) to identify and manage privacy risks, and to incorporate the results into risk decision-making?
  7. Does the organization maintain a training or learning and development program for all employees and/or third parties, including service providers, that takes into account data privacy compliance?
  8. How are new privacy obligations and risks identified, monitored and managed?
  9. Are lessons learned from problematic data actions or data breach incidents incorporated into policies and procedures?
  10. Does the organization have policies and procedures to address individuals' concerns about the organization's privacy or security practices?

Privacy management activities to align with the Govern function

After assessing an organization's governance maturity against the Govern function and its key categories, organizations may consider implementing privacy management activities such as those described below in order to close the gaps identified and progress towards privacy maturity.

  1. Create a formal internal privacy policy for employees, documenting the organizational measures, safeguards, etc. used to process employee and customer data.
  2. Implement privacy-by-design measures and practices such as de-identification, anonymization, etc. for data-intensive projects and business activities.
  3. Document roles and responsibilities for privacy governance, including organizational charts, job descriptions, etc.
  4. Create a Data Privacy Impact Assessment (DPIA) process that considers business and privacy risks.
  5. Implement role-based data privacy training, particularly for those responsible for managing or processing personal information.
  6. Develop a formal process for submitting and managing requests and complaints from data subjects or consumers.

The privacy management activities in the Govern function are organizational in nature, but they also provide the foundation on which organizations build their privacy programs. Privacy policies, training and awareness, understanding and documenting regulatory requirements, addressing the concerns of data subjects or consumers, and managing organizational risk tolerance are all essential activities for an organization as it develops and maintains its privacy ecosystem. An organization should consider evaluating and implementing these core activities as it progresses toward alignment with the NIST Privacy Framework.

[1] The information provided in this article is for general information purposes only and does not constitute legal advice.
