Don’t Just Fight Privacy Fires: Plan Ahead to Prevent Them

Author: Kelly Hood, CISSP, Optic Cyber Solutions
Date Published: 3 November 2020

As privacy concerns continue to increase, most of us spend our days fighting fires. With more privacy regulations continuing to be released, it’s difficult to understand the key differences and know what is most important. With so much to do, and little time to do it, we are often forced to “fight the fires” of the day rather than tackling our to-do list.

Leveraging frameworks can be a great option for managing regulations and cataloging what your organization is, and more importantly, is not doing. By organizing all of your privacy requirements, expectations, and capabilities into a framework, you can streamline your process to make sure you don’t miss anything. This will help your organization prepare for privacy-related issues or “fires” before they spark up.

One example of a framework for organizing privacy capabilities is the NIST Privacy Framework. After a multiyear effort of industry collaboration to define a framework to help identify, assess, manage and communicate privacy risks, the US-based National Institute of Standards and Technology (NIST) released the framework earlier this year. The NIST Privacy Framework was created to help organizations manage the risk imposed by holding and processing privacy data, therefore increasing trust in their products and services. Additionally, for anyone already using the NIST Cybersecurity Framework, the Privacy and Cybersecurity frameworks can be easily leveraged together to make sure both privacy and security concepts are managed in parallel. Due to the similarities in the frameworks, many organizations can leverage their experiences using the Cybersecurity Framework to get a jump-start on addressing the privacy concepts described in the Privacy Framework.

Using a framework can be especially helpful if you are just starting out – sometimes you just need to lay everything out and see what you are dealing with. But don’t keep all the fun for yourself! Making sure you have stakeholders from the business, legal, cybersecurity, and even the risk team can be helpful to increase awareness and gain buy-in for future change. By creating a core team of privacy champions from groups across the organization, you can make sure to build solutions that will fit your company’s specific needs. In bringing together different groups to help evaluate your new requirements, you will be able to better understand organizational priorities and maybe find out a capability is already in place that you didn’t know about.

Additionally, this team can help you understand not only what you need to do, but why you need to do it. Looking at privacy controls and requirements from these different perspectives will help to draw the boundaries for what needs to be done and what may hinder the business as a whole. Understanding the “so what?” – whether it’s a compliance requirement, a customer request, or a desire to set your company apart – will help your organization more effectively prioritize and scope the changes that need to be made. Clearly defining these drivers can also make it easier to attain stakeholder or board support.

A few trends that I’ve seen while working with organizations across industry are that communication and transparency are key. Implementing new capabilities and changing the culture of an organization is made significantly easier when you can communicate what needs to happen in a clear and consistent format. By working with a team to document what you’re doing today, and forming a comprehensive list of future improvements in a common framework, you can often prevent potential fires before they ever start.
Editor’s note:
Find out more about ISACA’s new technical privacy certification, Certified Data Privacy Solutions Engineer.