Back to all blog posts

Choosing a privacy framework

Developing a privacy program for any organization is a daunting task. You need to be aware of your organization’s information requirements, be aware of the applicable laws and regulations, be culturally sensitive, be a strategist, be a teacher, be a leader, be a communicator, and much more. Leveraging successful, proven approaches to developing the privacy program is invaluable. This is where frameworks help..

Privacy frameworks provide a structure on which to base your privacy program and related activities. Clearly, you can develop your own that is specific to your organization, but why reinvent the wheel when there are several publicly available privacy frameworks to choose from?

Some sample frameworks

Some privacy frameworks are based on principles or standards. Examples of these include the Fair Information Practice Principles (FIPPs), OECD Privacy Guidelines, the GAPP maturity model, ISO 27701, and the NIST Privacy Framework.

Other frameworks are presented in laws and regulations. GDPR, HIPAA, CPRA, and the Australian Privacy Act are just a few you may use as frameworks for your program, particularly if you fall under that law’s jurisdiction.

Finally, you can also find frameworks from technology vendors such as OneTrust and TrustArc. For example, TrustArc acquired the Privacy Data Governance Accountability Framework when they acquired Nymity, a framework I used for years.

How to choose

I’ve often been asked “which framework should I use to build my privacy program?” Each framework has its strengths, but also its weaknesses. Let’s look at a simple example.

If you select the GAPP Maturity Model as your framework, you can strive for a very advanced privacy program. Privacy Ref performed an assessment on one company that decided to follow this path and had a very mature program. The organization was, naturally, very proud. The assessment found, however, that there were significant gaps in legal compliance. (To simplify this, I like to say that my mother is very mature, but she may still get a speeding ticket.) The framework will only help you meet the purposes it was created for.

So, why choose one framework? You can use different frameworks for different purposes. For example:

  • I like to use a tailored version of GDPR (see below) as a basis for a privacy program.
  • The GAPP maturity model allows you to measure how you are doing against industry expectations.
  • The NIST Privacy Framework allows you to set profiles of implementation iterations providing goals and milestones for program implementations.

 Since this list is suggesting why you might choose different frameworks or how you might. Modify them, it feels like you need an additional modifying phrase or sentence on this one.

Make it your own

I’ve often been asked “which framework should I use to build my privacy program?” Each framework has its strengths, but also its weaknesses. Let’s look at a simple example.

If you select the GAPP Maturity Model as your framework, you can strive for a very advanced privacy program. Privacy Ref performed an assessment on one company that decided to follow this path and had a very mature program. The organization was, naturally, very proud. The assessment found, however, that there were significant gaps in legal compliance. (To simplify this, I like to say that my mother is very mature, but she may still get a speeding ticket.) The framework will only help you meet the purposes it was created for.

So, why choose one framework? You can use different frameworks for different purposes. For example:

  • I like to use a tailored version of GDPR (see below) as a basis for a privacy program.
  • The GAPP maturity model allows you to measure how you are doing against industry expectations.
  • The NIST Privacy Framework allows you to set profiles of implementation iterations providing goals and milestones for program implementations.

We are resuming
in-person training
Starting June 2021
at Delray Beach, FL