NIST Privacy Framework – Control


OpenText

January 29, 2021 · 5 minute read

In our first two blogs for the NIST Privacy Framework, we discussed the Identify and Govern functions. In this segment, our focus is on the Control function, which defines the appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. This is where activities are operationalized to reduce the risk associated with data processing activities, commensurate with the governance strategies established.

There are three key areas to consider when developing and implementing controls over processing activities: 

  • Policies, process, and procedure documentation, the “Three P’s.” 
  • Data Processing Management
  • Disassociated Processing 

The three P’s 

Policies, processes, and procedures should be well documented and maintained, or in other words, they should be “Audit Ready.”  The goal is to demonstrate that you have clearly articulated the purpose, scope, roles, and responsibilities for the processing ecosystem. The documentation should clearly cover data processing authorization, data quality, disclosure, alteration, deletion, transfer, and retention.  

Additionally, mechanisms should be in place to focus on the individual’s data processing preferences and requests. Ensuring that data life cycle management is in place and aligned with sound system development is important to maintaining sound privacy controls as environments change.

Efforts to memorialize the “Three P’s” will increase the effectiveness of your processing activities and demonstrate that controls are implemented in a mature, risk-based fashion. 

Data processing management – focus on the right processing activities 

Data processing activities should enable the privacy principles of individual participation, data quality, and data minimization. These principles are consistent with privacy regulations such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).

Concepts such as the right to be forgotten and the right to know whether your personal data is being processed are mandates that organizations will need the capabilities to execute. Recent privacy regulations place emphasis on the rights of the individual. Processing controls should focus heavily on the individual, enabling capabilities for securely accessing and transmitting data upon request, as well as altering or deleting personal data. Organizations will need to be responsive to individual requests.

Data controls that focus on internal processing permissions should be in place and monitored. Permission controls should be in place for the following core activities:

  • Reviewing personal data – Access on need to know, risk-based
  • Transmission or disclosure – Limits on who can send data and to whom 
  • Altering personal data – There may be instances when an individual needs their data altered for things such as change of address or name changes. The ability to make changes should be limited to relevant data elements. 
  • Deleting personal data – Individuals have the right to have their data removed from processing activities in certain situations. Execution of these activities should be authorized and incorporate sufficient review and approvals. 
  • Destruction of personal data – Destruction processes should be aligned with data life-cycle management policies and ensure that proper evidence of destruction is provided and stored. 

Data quality controls should focus on: 

  • Audit logs – Ensure that logging is turned on, is being captured and reviewed. 
  • Technical measures to ensure accuracy and completeness of data processing should be tested and assessed. 
  • Privacy preferences should be included in the algorithmic design objectives.

Disassociated processing 

Organizations should also implement controls that support disassociated or data minimization processing objectives. Controls should focus on: 

  • What data elements the user can observe on local devices and ensuring encryption.  
  • Efforts to limit identification of individuals by users can be strengthened by using de-identification and tokenization techniques. 
  • Decentralized, distributed architectures that limit the inference of individual behavior. 
  • System or device configurations that limit the collection or disclosure of data elements. 
  • Use of references instead of values. 
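
The tokenization and "references instead of values" controls listed above, as an added Python example that is not part of the original post or any OpenText product. The `TokenVault` class, the field names, the `privacy_officer` role and the sample records are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "email")  # assumed identifier fields for this sketch

class TokenVault:
    """Holds the only mapping from a token back to the real value."""

    def __init__(self, key: bytes, authorized_roles=("privacy_officer",)):
        self._key = key
        self._values = {}
        self._authorized = set(authorized_roles)

    def tokenize(self, field: str, value: str) -> str:
        # Keyed (HMAC) so tokens cannot be recomputed from guessed values without
        # the key; field-scoped so equal strings in different fields do not link.
        msg = f"{field}\x00{value.strip().lower()}".encode()
        token = "tok_" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._values.setdefault(token, value)
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Re-identification is a separate, permissioned operation.
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} may not re-identify data")
        return self._values[token]

def disassociate(record: dict, vault: TokenVault, needed: set) -> dict:
    """Build the copy handed to processing: identifiers become references,
    fields the purpose does not need are dropped (data minimization)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_ref"] = vault.tokenize(field, value)
        elif field in needed:
            out[field] = value
    return out

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed sample records, not real data.
    orders = [
        {"name": "Ana Diaz", "email": "ana@example.com", "phone": "555-0100", "total": 40},
        {"name": "Ana Diaz", "email": "Ana@example.com", "phone": "555-0100", "total": 15},
    ]
    for row in (disassociate(o, vault, {"total"}) for o in orders):
        print(row)  # same email_ref on both rows, no phone, no raw identifiers
```

Because the tokens are deterministic, records about one person remain linkable to each other, so the output is pseudonymized rather than anonymous and the vault and its key need the same protection as the original data.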

The development, implementation and execution of processing controls build on the Identify and Govern functions of the NIST Privacy Framework. It is where the rubber meets the road on the privacy control capability journey.

How OpenText can help in your Control function 

Implementing and integrating privacy governance capabilities ensures alignment in mitigating risk associated with processing activities. It creates mechanisms for the organization to define strategy, roles, responsibilities, processes, and accountability for managing personal data. The absence of strong privacy governance programs can lead to increased compliance risk and reduced trust by employees, customers, and business partners. 

OpenText™ Professional Services offers multiple services to address Cyber Security and Privacy objectives, including Data Classification Services and Incident Response Documentation Reviews. For more information on OpenText’s Risk and Compliance Services, please contact us.
