Sep 28, 2022
Develop the Best Data Privacy Framework
A data privacy framework provides a common approach for understanding and managing data privacy risks within your organization and with external partners. But before implementing a data privacy framework, it’s important to have a data governance program in place to provide vision, strategy, and guidance for implementing your privacy framework.
In this blog post, we’ll cover the role of data governance and how it factors into development, implementation, and management of data privacy programs. We’ll also outline commonly-used data governance and data privacy frameworks and how to choose the right ones for your organization.
What is Data Governance?
The Data Governance Institute defines data governance as “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.” In short, data governance is the ability of your organization to succinctly manage and account for all data in the organization.
What Are the Benefits of Data Governance?
Data governance can provide substantial benefits for your organization, including:
- Achieve consistency and connectivity through reliable interpretation of data usage.
- Establish a clear direction for data management capabilities and activities through prioritization and decision making.
- Improve the quality, accuracy, and availability of data for stakeholders across your organization.
- Apply consistent data security, usage, and privacy principles to manage security and compliance across the organization.
Metrics and Measurement
- Enable better analytics and predictability for decision making.
- Measure and manage the data governance program via quantitative and qualitative metrics against business outcomes.
- Monitor and evaluate performance and compliance of data resources.
- Embed innovation and foresight into your products through real-life data governance use cases.
To sum it up, data governance provides quality, usable data combined with analytics that allow organizations to make concise decisions based on metrics for real-life use case scenarios.
What Are the Key Considerations for Developing an Effective Data Governance Strategy?
In our work helping clients develop data governance strategies, we’ve found these to be key things to consider:
- Where. Where is your data being stored? Is it in a colocation facility, an in-house data center, a cloud environment?
- Who. Who has access to your data currently? Who should have access to the data? Which departments or functional areas (e.g., marketing, accounting, operations) have access to data? Is that access needed for performing their duties?
- What. What type of data is being stored and handled (e.g., consumer, vendor, employee). Is the data structured or unstructured? What is the desired and current level of data quality?
- Goals. What are the goals you want to achieve with the data? Is the focus on internal or external goals? For example, is it intended to improve sales or drive metrics around improving internal processes?
- Requirements. Once you have the goals in place, you can break out individual data requirements and use them to define a clear outline for your data governance program.
What Are the Important Roles and Responsibilities for a Data Governance Program?
Defining and assigning roles and responsibilities is a critical element of an effective data governance program. Moving from the executive level down, here are the key roles and responsibilities that we recommend for any organization:
- Data Governance Council. Provides vision, strategy, and leadership for the organization’s data governance program. Should include executive-level representatives from all business units.
- Data Stewards. Tactical role responsible for development of data principles, policies, standards, and procedures. Data Stewards ensure that data meets the organization’s quality, privacy, confidentiality, and security requirements.
- Data Custodians. Responsible for the technical environment of the data.
- Data Consumers. Operational role responsible for awareness and execution of data principles, policies, and procedures. Part of the organization’s workforce or trusted business partners. Most consumers are not part of the data governance council, so it is important to ensure that, as a baseline, all staff are trained to meet expectations of the data governance program.
While some larger organizations create dedicated roles to assume these responsibilities, the roles don’t have to be dedicated. They can be embedded into roles and responsibilities that are already defined in an organization. For example, the Data Governance Council can be a component or subcommittee of an organization’s Privacy Council or Privacy Subcommittee. The roles of Data Steward and Data Custodian are often assigned to business/product owners, data scientists, or database administrators.
Are There Frameworks That Can Help Us Develop a Data Governance Program?
Below are three widely-adopted data governance frameworks that can help guide your data governance initiatives and ensure critical components are integrated into your data governance program.
Data Governance Frameworks
All three of these frameworks are detailed and comprehensive and may include elements that are not applicable to your organization. In most cases, after picking a framework, you’ll need to customize it to meet your organization’s specific needs. Tevora’s team of data governance experts would be happy to work with you to identify a framework that will work best for your organization and help you customize it to meet your needs.
As part of your data governance program, we recommend that you select and align with a data lifecycle (a.k.a. data usefulness cycle) to ensure that you have a thorough understanding of how data flows through your organization. You will likely need to customize your data lifecycle to meet the unique needs of your organization.
Both ISO and COBIT have developed excellent data lifecycles that are summarized below.
Two Popular Data Lifecycles
Source: ISACA, COBIT 5: Enabling Information, USA 2013, figure 23, page 33
To provide an example of how a data lifecycle can help to ensure you have the right data privacy and security controls in place, let’s consider a hypothetical case involving marketing data. In this scenario, a company obtains marketing data that it uses for development of a new product and an associated marketing campaign.
Prior to launch of the new product and campaign, the marketing data is considered confidential information, which requires a series of robust privacy and security controls to safeguard it. Remember the importance of acceptable use and consent when it comes to marketing.
After the product and campaign launch, the portion of the marketing data that is shared with the public is no longer confidential. At this point, the robust privacy and security controls can be loosened or removed for the now-public information, saving the company time and money.
As demonstrated in this example, the data lifecycle can be an effective tool to ensure that sensitive information is protected when needed while minimizing costs.
What is a Data Privacy Framework?
A data privacy framework provides a common language for understanding, managing, and communicating privacy risks with internal and external stakeholders. It can be customized based on the unique requirements of an organization and used to identify and prioritize actions for reducing privacy risk. It can also be a tool for aligning policy, business, and technological approaches to effectively manage identified privacy risks.
What Are the Leading Data Privacy Frameworks?
The table below provides a high-level comparison of three commonly-used data privacy frameworks.
Comparison of Data Privacy Frameworks
NIST Privacy Framework
• Good for organizations just getting started with a data privacy program.
• Dovetails nicely with popular NIST Cybersecurity Framework (CSF).
• Takes a risk-based approach to privacy.
• Emphasizes ethical implications of data privacy risk.
• Extension of ISO 27001 with most of the controls from 27001 referenced in 27701.
• Defines steps to build out and improve a Privacy Information Management System.
• Applicable to all types and sizes of organizations, including government, private, public, and entities processing or storing data.
• Maps well to International Association of Privacy Professionals (IAPP) requirements.
• Much more work to implement than ISO 27018.
• If current functions map well to GDPR, then 27701 is a good choice.
• Relatively high-level framework.
• Good for organizations just getting started with a data privacy program.
• Jurisdiction and industry neutral.
• Primarily a set of considerations or questions to ask yourself when building or managing a data privacy program.
• May not be sufficient for larger organizations, but can be a great way to supplement and strengthen other data privacy frameworks.
There is a significant overlap between the NIST Privacy Framework and ISO 27701, and they have many security controls in common. It often comes down to whether an organization wishes to tie into either NIST CSF or ISO 27001, which they are already using, or plan to use for security controls.
How Should We Implement a Data Privacy Framework?
Tevora has developed a proven methodology for helping clients implement a data privacy framework. Here’s a summary of the approach:
Tevora’s Data Privacy Framework Implementation Methodology
One of the most important parts of this approach is to identify upfront the geographies in which you will be doing business and, based on that, what data privacy laws you will need to comply with. This should be done in Phase 1 (Understanding Obligations). For example, if you are doing business in Europe, compliance with GDPR will be critical. For California, you’ll need to comply with CCPA. This is where the usage of a privacy framework, such as ISO 27701 becomes so beneficial, as these frameworks are meant to be an easily digestible list of requirements which will get a company from start to finish in meeting compliance with most every privacy law.
Tevora would be happy to partner with you to use our methodology to implement a data privacy framework that is tailor-made for your organization.
Below are additional resources that provide a deeper dive on the topics covered in this blog post:
- Tevora Webinar: How to Develop the Right Data Privacy Framework for Your Organization
- Tevora Privacy Engineering Datasheet
- Tevora Privacy Governance Datasheet
- ISO 38500 Standard
- NIST Privacy Framework
- COBIT 5 Framework
- ISO 27701 Standard
We Can Help
If you have questions about any of the topics covered in this blog post or would like help implementing, enhancing, or customizing a data governance or data privacy framework for your organization, our team of experienced governance and privacy experts can help. Just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.