By Chris Giardina, Technical Account Manager at Privitar 


Part of every data privacy specialist’s job is to stay current with the latest personal data privacy news and important developments, including staying abreast of all of the latest local, state and global personal data privacy regulations. I am incredibly fortunate to work at a data privacy and data provisioning-focused company that has policy and research teams that stay on top of this continuously evolving material. Whether or not your organization has similar resources, it’s critical to stay current with the latest developments and to find the right intelligence and content feeds to help to keep us all moving steadily to greater adoption of personal data privacy best practices and standards.

While data privacy is not new, recently I have observed that more and more traditional data management and data standards organizations are increasingly focused on studying and publishing materials that will assist in making goals like ‘privacy by design’ more achievable. 

Two key initiatives I’ve run across in the past year are the NIST Privacy Framework (published in 2020, including the follow-on Privacy Workforce Working Group efforts) and the Enterprise Data Management Council’s (EDMC) soon-to-be-released Cloud Data Management Capabilities (CDMC), which will highlight best practices for managing data as part of modern cloud data initiatives. I’ll share highlights from both below.


The NIST Privacy Framework

The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is the culmination of interest and effort by NIST policy staff, engineers and advisors, together with industry practitioners, that produced a cross-industry ‘tool’: a voluntary set of guidance and ‘explainers’ constructed in three main parts. The “Core,” “Profiles” and “Implementation Tiers” spell out a framework that can help both those well-versed in data privacy and newcomers establish an organized, personalized approach to their data privacy programs. The primary goal is to help organizations manage privacy risks by:

  • Taking privacy into account as they design and deploy systems, products, and services that affect individuals;
  • Communicating about their privacy practices; and
  • Encouraging cross-organizational workforce collaboration—for example, among executives, legal, and information technology (IT)—through the development of Profiles, selection of Tiers, and achievement of outcomes.

The intent of the Framework is to create an approach to designing and implementing privacy protection activities and outcomes that is easy to understand, apply and communicate, and can address a diverse set of prioritized privacy needs. This should help organizations of all types to develop more effective solutions, while at the same time remaining flexible to react to the inevitable changing worlds of technology and regulations.

“The Privacy Framework is designed to be compatible with existing domestic and international legal and regulatory regimes and usable by any type of organization to enable widespread adoption.”

The Framework is broken down into three major sections or parts of content/guidance:

NIST Privacy Framework parts: Core, Profiles, and Implementation Tiers


More recently, NIST has launched a set of working groups called the Privacy Workforce Public Working Groups (PWWG). These are efforts led and guided by NIST project managers and are in progress as of this writing. All are focused on defining more specific practitioner guidance for building readiness and practical implementation capabilities for each of the category areas defined in the Privacy Framework.

Privacy Framework function and category unique identifiers


The PWWG provides a forum for participants from the general public, including private industry, the public sector, academia, and civil society, to create the content of the NIST Privacy Workforce Taxonomy. 

The PWWG’s objectives are to create Task, Knowledge, and Skill (TKS) statements aligned with the NIST Privacy Framework and the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity. This is one of the best places where data privacy practitioners can get involved, not only to share their personal subject matter expertise, but to also grow their personal network of privacy professionals and to expand their knowledge base and viewpoints via lively debates with a (literally) cross-world set of colleagues.

I’ve personally been working on, contributing content to, and attending review sessions in one of the first of two working groups, focused on Risk Assessment (ID.RA-P).


EDMC Cloud Data Management Capabilities

A second exciting initiative I’ve been involved with over the past year and a half is the Enterprise Data Management Council’s Cloud Data Management Capabilities working group, launched in 2020 to address the challenges and define best practices for data management in the cloud.

The EDMC is world-renowned for building and publishing the DCAM, the Data Management Capability Assessment Model, an industry standard framework for best practices in data management, primarily focused on financial services, though not exclusively. 

DCAM defines the scope of capabilities required to establish, enable and sustain a mature data management discipline. It addresses the strategies, organizational structures, technology and operational best practices needed to successfully drive data management across your organization, and ensures your data can support digital transformation, advanced analytics such as AI and ML, and data ethics.

The CDMC workgroup is managed by the EDM Council and co-chaired by Morgan Stanley and Refinitiv, with participation from the world’s top Cloud Service Providers (CSPs), technology firms like Privitar, and over 20 leading financial industry firms.  

The CDMC extends the best-practice principles promoted in the DCAM to the evolving cloud data management modernization movement. It defines the capabilities necessary to manage and control data in the cloud effectively, through a set of key capabilities intended to:

  1. Define consistent best practices for a hybrid-cloud world
  2. Align key cloud data controls to meet regulatory obligations for sensitive data
  3. Accelerate cloud adoption with a comprehensive framework

Cloud Data Management Capabilities: Major component sections, categories and sub-categories of focus, recommendations and prescribed automated controls


Though the CDMC’s focus was not solely on data privacy, it is clear how the combined set of capabilities work together to support responsible and effective data management, which must include securing and protecting personal data.

As a member of the CDMC’s “Securing Data & Privacy” sub-group, I, along with Guy Cohen, Privitar’s Head of Policy, worked with a variety of CDMC team leads, CSP representatives and numerous other privacy practice subject matter experts to define, document and publish the capabilities in the ‘Data Privacy Framework’ sub-section.

CDMC Key Controls Summary


Though the final set of CDMC recommendations is due to be officially published in Q3, the cross-industry workgroup recently released the “14 Cloud Key Controls & Automations” for managing sensitive data in the cloud, which take into account business and regulatory requirements around the world.

Each of these initiatives is a perfect example of the kind of data privacy community effort where we, as data privacy professionals, should seek to get involved, listen, learn and share viewpoints that contribute to the important data privacy protection goals we all seek.


Additional Resources 

Take a deeper dive into the NIST Privacy Framework and how to get started here and learn more about getting involved with NIST’s Privacy Workforce Public Working Group here.

If you are interested in engaging with EDM Council participants and staying in touch with the work products of CDMC, you can join the CDMC Interest Group here.

For a great summary of the current status of U.S.-based privacy laws and bills in play, take a look at this extremely useful web page: “US State Privacy Legislation Tracker,” collected and collated by the International Association of Privacy Professionals (IAPP) Westin Research Center.


Stay up to date with the opinions and insights from the world of data privacy by subscribing to our blog, and check out our latest educational resources in Privitar’s Resource Center.