In our first two blogs for the NIST Privacy Framework, we discussed the Identify and Govern functions. In this segment, our focus is on the Control function that defines the appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. This is where activities are operationalized to reduce the risk associated with data processing activities commensurate to the governance strategies established.
There are three key areas to consider when developing and implementing controls over processing activities:
- Policies, process, and procedure documentation, the “Three P’s.”
- Data Processing Management
- Disassociated Processing
The three P’s
Policies, processes, and procedures should be well documented and maintained, or in other words, they should be “Audit Ready.” The goal is to demonstrate that you have clearly articulated the purpose, scope, roles, and responsibilities for the processing ecosystem. The documentation should clearly cover data processing authorization, data quality, disclosure, alteration, deletion, transfer, and retention.
Additionally, mechanisms should be in place to focus on the individual’s data processing preferences and requests. Ensuring that data life cycle management is in place and aligned with the sound system development are important to maintaining sound privacy controls as environments change.
Efforts to memorialize the “Three P’s” will increase the effectiveness of your processing activities and demonstrate that controls are implemented in a mature, risk-based fashion.
Data processing management – focus on the right processing activities
Data processing activities should enable privacy principals of individual participation, data quality, and data minimization. These principals are consistent with privacy regulations such as GDPR (General Data Protection) and CCPA (California Consumer Privacy Act).
Concepts such as the right to be forgotten and to know if your personal data is being processed are mandates in which organizations will need to have the capabilities to execute. Recent privacy regulations place emphasis on the rights of the individual. There should be a huge focus on the individual in processing controls that enable capabilities for securely accessing and transmitting data upon request, as well as altering or deleting personal data. Organizations will need to be responsive to individual requests.
Data controls that focus on internal processing permissions should be in place and monitored. Permissions controls should be in place the ability for the following core activities:
- Reviewing personal data – Access on need to know, risk-based
- Transmission or disclosure – Limits on who can send data and to whom
- Altering personal data – There may be instances when an individual needs their data altered for things such as change of address or name changes. The ability to make changes should be limited to relevant data elements.
- Deleting personal data – Individuals have the right to have their data removed from processing activities in certain situations. Execution of these activities should be authorized and incorporate sufficient review and approvals.
- Destruction of personal data – Destruction processes should be aligned with data life-cycle management policies and ensure that proper evidence of destruction is provided and stored.
Data quality controls should focus on:
- Audit logs – Ensure that logging is turned on, is being captured and reviewed.
- Technical measures to ensure accuracy and completeness of data processing should be tested and assessed.
- Privacy preferences should be included in the algorithmic design objectives
Organizations should also implement controls that support disassociated or data minimization processing objectives. Controls should focus on:
- What data elements the user can observe on local devices and ensuring encryption.
- Efforts to limit identification of individuals by users can be strengthened by using de-identification and tokenization techniques.
- Decentralized, distributed architectures that limit the inference of individual behavior.
- System or device configurations that limit the collection or disclosure of data elements.
- Use of references instead of values.
The development, implementation and execution of processing controls builds on the Identify and Govern functions of the NIST Privacy Framework. It is where the rubber meets the road on the privacy control capability journey.
How OpenText can help in your Control function
Implementing and integrating privacy governance capabilities ensures alignment in mitigating risk associated with processing activities. It creates mechanisms for the organization to define strategy, roles, responsibilities, processes, and accountability for managing personal data. The absence of strong privacy governance programs can lead to increased compliance risk and reduced trust by employees, customers, and business partners.
OpenText™ Professional Services offer multiple services to address Cyber Security and Privacy objectives, including Data Classification Services and Incident Response Documentation Reviews. For more information on OpenText’s Risk and Compliance Services, please contact us.