
Empower your data privacy program

How the right framework can fortify your privacy program

Consumers have become more concerned about their personal information – and data privacy regulations have become more protective. Your organization’s privacy program can differentiate you from the competition, but the program needs to go beyond simple compliance.

To achieve a differentiated privacy program, many organizations are searching for a privacy framework or standard that can help them create a comprehensive baseline, adapt to new requirements and advance their current privacy practices.

Cybersecurity frameworks have helped organizations to efficiently implement information security practices in the past, and now privacy frameworks are emerging to help organizations advance their privacy operations.

“Privacy laws and regulations have acted as a guiding light to provide privacy principles and reinforce privacy awareness,” said Grant Thornton Privacy and Data Protection Senior Manager Fiona Ren. “While they have been the driver behind the growth of privacy and data protection awareness, they don’t necessarily provide enough guidance on how to operationalize privacy programs.”

Privacy frameworks are a tool that helps organizations proactively create a privacy program, establish a privacy assurance function, obtain certification and implement a global or enterprise privacy approach.


Three frameworks have emerged as leading options: The National Institute of Standards and Technology (NIST) Privacy Framework, the joint International Standards Organization and International Electrotechnical Commission (ISO/IEC) 27701 and ISO/IEC 27018.

The NIST Privacy Framework is complementary to the NIST Cybersecurity Framework, and the ISO/IEC frameworks extend ISO/IEC 27001. So, if your organization is already using those security frameworks, these privacy frameworks are natural extensions to the risk management approach and structure.

NIST Privacy Framework

Released in January 2020, version 1.0 of the NIST Privacy Framework is structured after the NIST Cybersecurity Framework and serves as a means of improving privacy through enterprise risk management.

It especially helps organizations navigate through a complex privacy environment while staying focused on maintaining the trust of their consumers. “Organizations choose the NIST Privacy Framework because it complements their existing cybersecurity framework and provides a privacy maturity scale and crosswalk to other privacy laws and regulations,” said Grant Thornton Privacy and Data Protection Senior Associate Gabrielle Eberhardt.

The NIST Privacy Framework does not target specific privacy laws or regulations, but it establishes a baseline to help organizations achieve their privacy goals. It provides high-level guidelines for various privacy domains, including inventory and mapping, processing of personal data, data subject rights, controllers and processors, data protection officers, employee data privacy, independent supervisory authority, breach notifications, and training and awareness. Organizations can use this framework, along with the privacy maturity model, to manage privacy risk and assist with the process of complying with various privacy laws.

ISO/IEC 27701 and 27018

The first edition of ISO/IEC 27701, published in August 2019, was the first privacy management certification standard to achieve mainstream adoption. This standard provides guidance for protecting personal data on an ongoing and evolving basis, establishing accountability and guidance for both processors and controllers to manage privacy programs in any environment.

While any type of organization can use ISO/IEC 27701, the standard was developed with the European Union’s 2018 General Data Protection Regulation (GDPR) in mind. The standard includes detailed privacy operational guidance and mapping to GDPR.

ISO/IEC 27018 was first published in 2014 and updated in 2019 to provide guidelines for public cloud service providers to protect personal data. It is in line with the privacy principles of ISO/IEC 29100. ISO/IEC 27018 provides more specific data protection requirements that cloud service providers should implement into their environment, in addition to the privacy requirements outlined within ISO/IEC 27701.

“While each standard has its value proposition and certification scope, both standards are globally recognized extensions of ISO/IEC 27001 and can be leveraged to protect personal information, enhance brand reputation, and build consumer trust,” said Ren.

Picking the right privacy framework

When deciding which privacy framework is right for your organization, “it depends on your organization’s privacy objectives as well as the type of business operations and global reach your organization has. It is important to first understand your organization’s mission drivers, along with the type of organization, before choosing a privacy framework to implement,” Ren said.

When deciding between the NIST Privacy Framework and ISO/IEC 27701 or 27018 to support privacy compliance, organizations should identify their top privacy objectives. Although any framework may work, these objectives will help identify the framework that will best support the organization.


  • Organizations that may not be subject to any effective privacy regulations but are looking to protect consumer privacy and gain consumer trust may use the NIST Privacy Framework. Its high-level guidance and maturity model are very beneficial for this type of situation.
  • Organizations that have established privacy programs and are looking to develop privacy assurance or privacy internal audit functions may use either NIST or ISO as a baseline to build privacy frameworks and monitor privacy compliance.
  • Service providers may use ISO/IEC 27701 or 27018 to support client requirements, enhance brand reputation and streamline their vendor due-diligence processes.
  • Organizations may use either NIST or ISO/IEC to consolidate privacy requirements and build global privacy programs to stay compliant with applicable privacy requirements.
  • If you are already using the NIST CSF as your cybersecurity framework, it might make sense for your organization to continue with the NIST Framework family and leverage the NIST Privacy Framework. If you are already using ISO standards like ISO/IEC 27001 or 27002, it makes sense to continue to leverage and implement the ISO/IEC 27701 or 27018 privacy-specific standards.

Managing privacy programs is a significant undertaking for any organization, and it is only getting more complex. The effort must include cross-functional collaboration across technology, legal, security, business, and compliance.

To support ongoing risk and compliance optimization that will truly differentiate your privacy protection from your competitors, start with a proven privacy framework.

Contacts:

Lindsay Hohler
Principal, Privacy and Data Protection
T +1 703 847 7529

Ariana Davis
Senior Manager, Privacy and Data Protection
T +1 212 624 5336

Fiona Ren
Senior Manager, Privacy and Data Protection
T +1 312 602 8082

Gabrielle Eberhart
Senior Associate, Advisory
T +1 215 376 6067

Wyatt Gaweda
Associate, Advisory
T +1 312 602 8312