Don’t Just Fight Privacy Fires: Plan Ahead to Prevent Them

Author: Kelly Hood, CISSP, Optic Cyber Solutions
Date Published: 3 November

As privacy concerns continue to increase, most of us spend our days fighting fires. With more privacy regulations continuing to be released, it’s difficult to understand the key differences and know what is most important. With so much to do and no time to do it, we are often forced to “fight the fires” of the day rather than tackling our to-do list.

Leveraging frameworks can be a great option for managing regulations and cataloging what your organization is and, more importantly, what it is doing. By organizing all of your privacy requirements, expectations, and capabilities into a single framework, you can streamline your process to make sure you don’t miss anything. This will help your organization prepare for privacy-related issues or “fires” before they spark up.

One example of a framework for organizing privacy capabilities is the NIST Privacy Framework. After a multiyear effort of industry collaboration to define a framework to help identify, assess, manage, and communicate privacy risk, the US-based National Institute of Standards and Technology (NIST) released the framework earlier this year. The NIST Privacy Framework was created to help organizations manage the risk imposed by holding and processing privacy data, thereby increasing trust in their products and services. Additionally, for anyone already using the NIST Cybersecurity Framework, the Privacy and Cybersecurity frameworks can be easily leveraged together to make sure both privacy and security concepts are managed in parallel. Due to the similarities between the frameworks, many organizations can leverage their experience with the Cybersecurity Framework to get a jump-start on addressing the privacy concepts described in the Privacy Framework.

Using a framework can be especially helpful if you are just starting out – sometimes you just need to lay everything out and see what you are dealing with. But don’t keep all the fun to yourself! Making sure you have stakeholders from the business, legal, cybersecurity, and even the risk team can be helpful to increase awareness and gain buy-in for future change. By creating a core team of privacy champions from groups across the organization, you can make sure to build solutions that will fit your company’s specific needs. In bringing together different groups to help evaluate your new requirements, you will be able to better understand organizational priorities and may find out that a capability is already in place that you didn’t know about.

Additionally, this team can help you understand not only what you need to do, but why you have to do it. Looking at privacy controls and requirements from different perspectives will help to draw the boundaries for what needs to be done and what may hinder the business as a whole. Understanding the “so what?,” whether it’s a compliance requirement, a customer request, or a desire to differentiate your company, will help your organization more effectively prioritize and scope the changes that need to be made. Clearly defining these drivers can also make it easier to attain stakeholder or board support.

A few trends that I’ve seen while working with organizations across industry are that communication and transparency are key. Implementing new capabilities and changing the culture of an organization is made significantly easier when you can communicate what needs to happen in a clear and consistent format. By working with a team to document what you’re doing today, as well as forming a comprehensive list of future improvements in a common framework, you can often prevent potential fires before they ever happen.

Editor’s note:
Find out more about ISACA’s new technical privacy certification, Certified Data Privacy Solutions Engineer.