[co-author: Ryan Kim]
In this fourth installment of five articles centered around the core functions within the National Institute of Standards and Technology (NIST) Privacy Framework, we cover the Communicate function and the corresponding privacy management activities that drive alignment with the framework.
As described in an earlier article on how to leverage the NIST Privacy (NIST-P) Framework to assess data privacy posture, develop readiness roadmaps, and mature organizational privacy programs, the NIST Privacy Framework is a control set of 100 controls divided into five core functions. It is used to help organizations identify privacy risks within their business environment and allocate resources toward mitigating those risks.
This article on the Communicate function follows the prior installments on how organizations can best implement the first three core functions of Identify, Govern, and Control, and is the next in the series covering each of the five core functions.
NIST defines the Communicate function as developing and implementing appropriate activities to enable organizations and individuals to have a reliable understanding of, and engage in a dialogue about, how data are processed and the associated privacy risks. Although shorter than the other functions, its categories are critical to ensuring your organization is aware of, and trained on, the responsibilities associated with the collection, use, and protection of personal information. The Communicate function includes two categories: Communication Policies, Processes, and Procedures; and Data Processing Awareness. Together these categories contain 10 subcategory controls, listed in Table 1 below.
Table 1. Categories and subcategories of the Communicate function

| Category | Subcategory |
|---|---|
| Communication Policies, Processes, and Procedures (CM.PO-P): Policies, processes, and procedures are maintained and used to increase transparency of the organization’s data processing practices (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) and associated privacy risks. | CM.PO-P1: Transparency policies, processes, and procedures for communicating data processing purposes, practices, and associated privacy risks are established and in place. |
| | CM.PO-P2: Roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices, and associated privacy risks are established. |
| Data Processing Awareness (CM.AW-P): Individuals and organizations have reliable knowledge about data processing practices and associated privacy risks, and effective mechanisms are used and maintained to increase predictability consistent with the organization’s risk strategy to protect individuals’ privacy. | CM.AW-P1: Mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks, and options for enabling individuals’ data processing preferences and requests are established and in place. |
| | CM.AW-P2: Mechanisms for obtaining feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and in place. |
| | CM.AW-P3: System/product/service design enables data processing visibility. |
| | CM.AW-P4: Records of data disclosures and sharing are maintained and can be accessed for review or transmission/disclosure. |
| | CM.AW-P5: Data corrections or deletions can be communicated to individuals or organizations (e.g., data sources) in the data processing ecosystem. |
| | CM.AW-P6: Data provenance and lineage are maintained and can be accessed for review or transmission/disclosure. |
| | CM.AW-P7: Impacted individuals and organizations are notified about a privacy breach or event. |
| | CM.AW-P8: Individuals are provided with mitigation mechanisms (e.g., credit monitoring, consent withdrawal, data alteration or deletion) to address impacts of problematic data actions. |
Assessing an Organization’s Privacy Posture for the Communicate Function
Organizations can consider the following questions to assess their current privacy posture relative to the Communicate function within the NIST Privacy Framework:
- How do you monitor processes for new types of personal information, or new users of personal information?
- Do you have privacy policies, processes, and procedures that cover data processing purposes, practices, and associated risk management? How are they communicated within your organization?
- Are mechanisms in place for obtaining feedback from individuals (customer service, “contact us”, surveys or focus groups) about data processing and associated privacy risks or concerns?
- Does your system/product/service design take data processing visibility into account?
- Does the organization maintain records of data disclosures and of data sharing, such as with third parties? Can those disclosure records be accessed for review?
- Do you have a procedure for communicating data corrections or deletions to individuals or other organizations?
- Do you document or maintain data provenance and lineage processes and verify the lawfulness of the data sources?
- Do you have a procedure to notify impacted individuals or organizations about a privacy breach or incident?
- Does your breach notification process include providing individuals with mitigation mechanisms to address impacts of problematic data actions?
Privacy Management Activities to Align with the Communicate Function
After assessing an organization’s maturity level against the Communicate function, organizations may consider implementing privacy management activities like those outlined below to remediate gaps and progress toward privacy maturity.
- Map and ensure the categories of personal information collected, categories of sources, categories of third parties and categories of uses are updated and transparent in a privacy notice(s).
- Implement a Privacy Council or Steering Committee with representatives from business functions to meet, review and provide feedback on privacy policies, procedures, and challenges while leading the operationalization of such policies within the organization.
- Provide transparent mechanisms for individuals to inquire about privacy concerns.
- Create a vendor risk management process, including the ability to maintain records of, or generate a list of, all vendors with access to specific systems and personal data elements.
- Develop/enhance privacy risk and incident response plan(s) and breach notification protocols through periodic reviews and testing.
The privacy management activities in the Communicate function are critical for organizations to provide effective training and awareness while operationalizing privacy policies and procedures, so that all employees and stakeholders handling personal information understand the data processing activities and their associated risks. An organization should consider assessing and implementing these foundational activities as it progresses toward alignment with the NIST Privacy Framework.