Introducing the TrustArc-Nymity Privacy and Data Governance Accountability Framework™

Managing a cross-border privacy program can be challenging when your organization must comply with a multitude of privacy laws, each with its own specificities. Many organizations have therefore decided to use a compliance framework as the backbone of their privacy and data governance program.

A compliance framework uses a standard set of criteria to build out the program, which is mapped to the various legal requirements.

In 2013, Nymity started the development of its Privacy Management Accountability Framework™ (PMAF), which is currently being used by thousands of companies worldwide.

It was developed to communicate the status of the privacy program and demonstrate accountability. It was also designed to report on any privacy program, no matter how it is structured.

TrustArc also developed the TrustArc Privacy and Data Governance Framework (P&DG Framework), which is embedded deep in its intelligence and operational software solutions and the TRUSTe assurance programs.

After the two companies combined forces in November 2019, the joint teams have worked hard to integrate the two respective frameworks, resulting in the launch of the TrustArc-Nymity Privacy and Data Governance Accountability Framework™ (the Framework). 

The Core: Three Pillars

The core of the new integrated Frameworks is formed by three pillars: Build, Implement and Demonstrate.

These pillars align with the phases of developing an accountable privacy program that supports compliance with applicable laws and regulations as they evolve over time. 

    • Build: Design, establish, and manage a program to ensure effective governance, risk management, policies, processes, and accountability.
    • Implement: Define data needs, identify data processing risks, ensure the data processing is lawful, manage data flows and third parties, address individual rights, provide data security, data quality, and transparency.
    • Demonstrate: Monitor, evaluate, and report on compliance, control effectiveness, risk, and maturity.

Neither is a one-off exercise though – each requires continuous review for changed operational practices and legal requirements.

Furthermore, the demonstration of part of the program can lead to the realization that additional controls or privacy management activities will need to be implemented to ensure ongoing compliance.

Standards & Controls

One part of the integrated Framework is based on standards and controls to help organizations develop and mature their privacy programs.

The 16 standards and 55 operational controls align with key privacy laws, regulations, and other external standards to support all phases of building out and managing a privacy program. This enables it to be integrated with other organizational governance, risk, and compliance programs.

The operational controls guide organizations on how to build and implement their privacy program and demonstrate accountability to both internal and external stakeholders. The P&DG (Controls-Based) Framework is designed to be used at any point in your privacy program development and maturity.

Privacy Management Categories and Activities

The other part of the Framework is based on Privacy Management Categories and Activities. This is the part that has been publicly known as the Nymity Privacy Management Accountability Framework.™

It aligns 13 Privacy Management Categories with key privacy laws, regulations, regulatory frameworks and other external standards to align privacy management activities that are required across jurisdictions.

The integration ensures the PMAF can henceforth also be used in combination with the P&DG Framework, but it does not change its content. Organizations around the world using the Nymity Framework as a basis for their privacy program can continue to do so.

The additional mapping will assist organizations that have not yet based their privacy program on a framework to get started. 

The Integrated Frameworks rely upon the three pillars in combination with thirteen privacy management categories that identify the main elements of a privacy program.

The 139 underlying privacy management activities subsequently help organizations to identify what needs to be done to develop a compliant privacy program. These activities together form a menu for you to select what is applicable and/or relevant to you. 

Using the Privacy and Data Governance Accountability Framework

The Framework can be used at no cost by any organization that wants to develop a structured privacy program.

A framework-based privacy program is regarded by many as a strong accountability tool, since it also allows organizations to tell the story behind their privacy program.

This includes the choices that were made, how the policies and procedures were developed and how do these link to the evidence of compliance that is available throughout the organization.

As a result, it provides a common language for privacy management.

Building a program based on a framework, instead of on the basis of a single law, allows development of policies and procedures on the basis of common data protection and privacy concepts that extend across hundreds of laws and regulations around the world.

These can subsequently be aligned with the legal requirements in various jurisdictions, which will in many situations only be different when it comes to specific details.

privacy and data governance priorities

For example, the scope and exercise of individual rights under the CCPA and the GDPR are largely aligned, albeit that some terminology used to describe them and the timeframes for compliance are different.

However, that does not need to have an impact on the steps to take within an organization to verify the identity of a requestor and finding out which data is available about them before providing a response. 

A framework-based approach can be implemented at any stage of a privacy program.

Even if your privacy program is well-advanced, it can easily be mapped to the TrustArc-Nymity Privacy and Data Governance Accountability Framework™, which in turns allows for easy compliance checks to privacy and data protection laws around the world, today and as they change in the future.

Software Integration

The TrustArc-Nymity Privacy and Data Governance Accountability Framework™ is fully integrated in the various modules of the TrustArc platform.

Our operational and intelligence solutions, including the Data Inventory Hub and the Assessment Manager, and the Privacy and Risk Profiles, rely upon the Framework to assist you in documenting your organization’s compliance requirements and identifying gaps and other risks.

Planner and Benchmarks help you keep track of the privacy program itself, including the necessary regular reviews.

Finally, our knowledge solutions, including Operational Templates & Resources, will provide you with the relevant building blocks to further develop your privacy programs.

Download The Privacy and Data Governance Framework™ at no cost.

If you would like to hear more about the background of the Framework and how it can be used on a daily basis as part of your privacy program, please watch our webinar Privacy Frameworks: The Foundation for Every Privacy Program”.