NIST Privacy Framework – The Communicate function

In the earlier posts in this series, we focused on the Identify, Govern, and Control functions of the NIST Privacy Framework. In this segment, I’m going to focus on the Communicate function. The recent increase in regulatory focus on privacy has given individuals greater rights to know what data companies hold about them, and greater ability to protect their personal information. In some cases, consumers concerned about privacy are taking action by terminating relationships with companies.

The Cisco 2020 Consumer Privacy Survey found that one-third of consumers are “Privacy Actives,” defined as people who care about privacy, and are willing to or already have switched providers over data actions or policies.

Organizations can improve transparency—as well as reduce privacy risk from business activities—by formalizing their capabilities around communication of privacy policies, processes and procedures, and by ensuring data processing awareness. Plus, this is simply the right thing to do. You build trust with customers by showing that your organization is focused on this.

On the surface, it might seem easy to increase transparency about your organization’s data processing practices. But for the program to be effective, you need a formalized approach where key employees have dedicated responsibilities for communication. To demonstrate transparency with individuals about organizational privacy policies, it is important to clearly communicate core information about:

  • What data is being collected
  • How the data is being used
  • How long the data will be retained
  • If the data will be shared with third parties and, if so, for what purposes
  • The individual’s legal rights
  • Where data can be transferred

It is not enough to just publish privacy policies. We all know most people do not read them. Instead, organizations should implement other mechanisms to inform people about data processing activities—things like the option for individuals to enable or disable their processing preferences. These mechanisms need to be easy for people to find and execute, not buried deep within a website.

It’s also important to put in place mechanisms for actively obtaining feedback from individuals about how their data is processed, and about how the associated privacy risks are disclosed. Surveys and focus groups are effective ways to obtain this feedback, and the results also serve as evidence that you are actually carrying out these procedures.

Be sure to include privacy transparency when designing systems or products that interact with individuals. This means ensuring that privacy and risk teams are at the table in the development stage of such initiatives. Integrating privacy transparency considerations into activities protects individuals, as well as the organization itself. And organizations should maintain records of their various activities so they can show that they’ve considered privacy and transparency in the design of systems or products used by individuals.

Within the data processing ecosystem, it’s vital to maintain meticulous records about data corrections, deletions and disclosures to individuals or organizations. For example, to enable accurate records of transmission or disclosure, be sure to keep information on metadata and the sources of such data. This kind of information is required when investigating and responding to a breach event. In the current regulatory environment, there are stringent requirements for providing individuals with mitigation mechanisms such as credit monitoring, consent withdrawal, data alteration or deletion.

The concept of transparent communication should be woven into the DNA of the organization and treated not just as a regulatory requirement but as a core capability for building trust.

How OpenText can help your Communicate function

Implementing and integrating privacy communication capabilities builds consumer trust by improving understanding and dialogue about how data is processed and any associated risks. The absence of strong privacy communication programs can lead to increased compliance risk and reduced revenues as consumers migrate to organizations that are more transparent.

OpenText™ Professional Services offers multiple options to address cyber security and privacy objectives, including data classification services and incident response documentation reviews. For more information on OpenText’s risk and compliance services, please contact us.

Mark McGlenn

Mark McGlenn is Manager of Risk and Compliance Consulting Services for OpenText Security Services. Leveraging best practices such as CIS Critical Controls, NIST CSF, and NIST 800-53, Mark has designed cyber-security assessment procedures and performed engagements in the public and private sectors. He brings unique experiences to assist OpenText customers in addressing compliance and privacy concerns and securing their control environments.
