Implementing the NIST Privacy Framework – Govern Function
The National Institute of Standards and Technology (NIST) Privacy Framework is a widely known control set used to assist organizations in identifying privacy risks within their business environment and allocating resources to mitigate these risks. Our team previously published an article outlining the best ways to leverage the NIST Privacy (NIST-P) Framework to assess data privacy posture, develop readiness roadmaps, and mature organizational privacy programs.
The NIST Privacy Framework consists of 100 controls divided into five core functions. We also published an article focused on how organizations can best implement the first function: Identify. This article is the next in a series of articles centered on each of the five core functions. We outline here the Govern Function and the corresponding privacy management activities to consider in order to align with the NIST Privacy Framework.
NIST defines the Govern Function as the ability to develop and implement organizational governance structures to ensure continual understanding of the organization’s risk management priorities that are informed by privacy risks. The Govern Function includes four categories: Governance Policies, Processes, and Procedures; Risk Management Strategy; Awareness and Training; and Monitoring and Review. The categories within the Govern Function include 20 subcategory controls as listed in Table 1 below.
Table 1. Govern Function categories and subcategories

Category: Governance Policies, Processes, and Procedures (GV.PO-P): The policies, processes, and procedures to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of privacy risk.
Subcategories:
  GV.PO-P1: Organizational privacy values and policies (e.g., conditions on data processing such as data uses or retention period, individuals’ prerogatives with respect to data processing) are established and communicated.
  GV.PO-P2: Processes to instill organizational privacy values within system/product/service development and operations are established and in place.
  GV.PO-P3: Roles and responsibilities for the workforce are established with respect to privacy.
  GV.PO-P4: Privacy roles and responsibilities are coordinated and aligned with third-party stakeholders (e.g., service providers, customers, partners).
  GV.PO-P5: Legal, regulatory, and contractual requirements regarding privacy are understood and managed.
  GV.PO-P6: Governance and risk management policies, processes, and procedures address privacy risks.

Category: Risk Management Strategy (GV.RM-P): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Subcategories:
  GV.RM-P1: Risk management processes are established, managed, and agreed to by organizational stakeholders.
  GV.RM-P2: Organizational risk tolerance is determined and clearly expressed.
  GV.RM-P3: The organization’s determination of risk tolerance is informed by its role(s) in the data processing ecosystem.

Category: Awareness and Training (GV.AT-P): The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements, and organizational privacy values.
Subcategories:
  GV.AT-P1: The workforce is informed and trained on its roles and responsibilities.
  GV.AT-P2: Senior executives understand their roles and responsibilities.
  GV.AT-P3: Privacy personnel understand their roles and responsibilities.
  GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities.

Category: Monitoring and Review (GV.MT-P): The policies, processes, and procedures for ongoing review of the organization’s privacy posture are understood and inform the management of privacy risk.
Subcategories:
  GV.MT-P1: Privacy risk is re-evaluated on an ongoing basis and as key factors, including the organization’s business environment (e.g., introduction of new technologies), governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services change.
  GV.MT-P2: Privacy values, policies, and training are reviewed and any updates are communicated.
  GV.MT-P3: Policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place.
  GV.MT-P4: Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place.
  GV.MT-P5: Policies, processes, and procedures are established and in place to receive, analyze, and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers, professional events).
  GV.MT-P6: Policies, processes, and procedures incorporate lessons learned from problematic data actions.
  GV.MT-P7: Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place.
Assessing an Organization’s Privacy Posture for Govern Function Controls
Organizations could consider the following questions to properly assess their current privacy posture relative to the Govern Function within the NIST Privacy Framework:
What policies, procedures, and guidelines have been developed to direct employees on the organization’s obligations to comply with data protection laws?
Does the organization integrate Privacy by Design into system and product development and business processes?
Has the organization documented key roles and responsibilities related to privacy and information security?
Are business functions such as privacy, information security, and IT involved in the legal contracting process?
Do the organization’s governance and risk management policies and procedures address privacy risks, and is the organization’s risk tolerance communicated?
Does the organization have formal procedures in place for conducting Privacy Impact Assessments (PIAs) to identify and manage privacy risks or embed them into risk decision-making?
Does the organization maintain training or a learning and development program for all employees and/or third parties, including service providers, that accounts for data privacy compliance?
How are new privacy obligations and risks identified, tracked, and managed?
Are lessons learned from problematic data actions or data breach incidents incorporated into policies, processes, and procedures?
Does the organization have policies and procedures to respond to concerns from individuals about the organization’s privacy or security practices?
Privacy Management Activities to Align with the Govern Function
After assessing an organization’s governance maturity level against the Govern Function and its key categories, organizations may consider implementing privacy management activities like those outlined below to close identified gaps and align with the framework as they progress toward privacy maturity.
Create a formal internal privacy policy for employees, documenting the different organizational measures, safeguards, etc. used to process both employee and customer data.
Implement Privacy by Design measures and practices such as de-identification, anonymization, etc. for data intensive projects and business activities.
Document roles and responsibilities for privacy governance including organizational charts, job descriptions, etc.
Create a Data Privacy Impact Assessment (DPIA) process that accounts for business and privacy risks.
Implement roles-based data privacy training, particularly for individuals responsible for managing or handling personal information.
Develop a formal process for submission and management of requests and complaints from data subjects or consumers.
The privacy management activities in the Govern Function are organizational in nature, but they also provide a foundation upon which organizations can build their privacy programs. Privacy policies, training and awareness, understanding and documenting regulatory requirements, addressing data subject or consumer concerns, and managing structural risk tolerance are all essential activities for an organization to develop and maintain its privacy ecosystem. An organization should consider assessing and implementing these foundational activities as it progresses toward complying with the NIST Privacy Framework.
The information provided in this article is for general informational purposes only and does not constitute legal advice.
This article was originally written by Reagan Bachman, David Manek, and Kenric Tom. We received permission from Ankura to republish it for the ADCG community.