Leveraging NIST’s Privacy Framework for Privacy Governance
We are seeing a parallel to what the financial and banking industry went through during the early years of Sarbanes Oxley (SOX) implementation. In the same way that we can no longer rely on self-regulation, we are no longer able to rely on disparate compliance mechanisms with little to no enforcement.
Whether your organization is just beginning its privacy journey or engaged in operationalizing privacy by design, establishing a framework within which to operate is vital. An ad hoc or loosely defined approach will often result in recurring errors, poorly aligned resources, excessive cost, and ultimately suboptimal outcomes that may put the organization at risk.
Many privacy professionals have come to see the parallels between the maturation of the information security sector and, as Ms. Pimentel notes, the “early years of SOX implementations.” So why not leverage the lessons learned, available tools, and expertise to ease the initial heavy lifting needed to create an effective and sustainable privacy governance program?
Katie Pimentel, Assistant General Counsel at Yahoo, joined WireWheel CEO Justin Antonipillai, Director of Privacy Lisa Barksdale, and her colleague, Yahoo Legal Services Senior Manager Tara Jones, at the breakout session “Rise of the Privacy Operations Leader” at the IAPP Privacy. Security. Risk. 2021 Conference.
Ms. Pimentel kindly spoke with us to offer a small preview of her planned presentation on the value of leveraging the NIST Privacy Framework to achieve effective governance.
Why Choose the NIST Privacy Framework?
According to Katie, “What we noticed with this framework is that it is very high level, but it provided Yahoo with a foundation to build off of and allowed us to pick and choose what parts of it apply to our business and industry and what parts didn’t.”
“The short answer” to why NIST, says Katie, “is that the Yahoo IT security team (which is aptly named The Paranoids) is already leveraging the NIST Framework from a cybersecurity perspective, so it really made for a nice alignment as a privacy framework.”
And, while other governance-type models were being considered by Yahoo, none fit all the required elements of a privacy governance framework at a top level quite as nicely as the NIST framework. “That our internal teams understood the framework and controls language – at least from a security perspective – was a big plus,” further notes Ms. Pimentel.
We quickly realized that we needed to have an infrastructure and governance model that is able to support aggregating the information, putting it into a system, and provide a way to more easily produce ROPAs and associated documentation.
Some of the impetus for adopting an established framework like NIST is to improve responsiveness (read: time and cost) to regulatory inquiries.
“Complying with GDPR Article 30 documentation (ROPAs) can take a very long time for organizations to put together. And once you collect all that information, you’re not only maintaining it. You’re testing it. You’re making sure that it’s being updated on a regular basis. You’re making sure that you’re training on it and communicating your policies that back that up.”
It’s a Top-Down, Bottom-Up Approach
The “one size fits all” nature of the NIST Privacy Framework should not be mistaken for the rigidity often associated with solutions that cannot accommodate the unique requirements of individual organizations. By definition, a framework is a top-level structure (the scaffolding or bones) on which to build out your organization’s specific requirements. This translates into significant flexibility. In this regard it is, says Katie, “agnostic.”
“Leveraging this flexibility, we created a regulation crosswalk within the framework,” explains Ms. Pimentel. “We took the top regulations (such as the GDPR, CCPA, and LGPD), and we mapped, or cross-walked, them into the framework.”
We had all the framework controls that we drafted, at least from a high level, put them in a spreadsheet, and mapped which section of those regulations a control satisfied. We could then see that one set of controls or area of the framework helped us meet several of the obligations within each of these regulations.
“It’s not a one-to-one relationship,” continues Katie. “We achieve the 80/20 Pareto Rule where we hit about 80% of them with the crosswalk view. Importantly, the crosswalk allows us to see across all of these different regulations and highlight where there might be gaps.”
The top-down is the framework, the bottom-up is the ROPAs, “and they sort of meet in the middle,” she explains. “The ROPA provides us with the information – the actual data that allows us to understand what types of controls you need, and where risks might exist that indicate the types of reviews and governance we should focus on. The framework drives some of what we’re asking as well, based on our organization and our industry.”
Ultimately, “working within a framework like NIST will provide the needed scale and repeatability” necessary to build a successful privacy governance program.