Taking a Regulation-Agnostic Approach to Privacy
Don’t look now, but the next generation of privacy rules is arriving in the United States. As if privacy and security professionals didn’t still have enough trouble with the first generation.
California went first, with the California Consumer Privacy Act (CCPA) which went into effect at the start of 2020. Since then, Colorado and Virginia have enacted their own updated privacy statutes; Florida considered new legislation but didn’t adopt it; Ohio introduced privacy reforms; and California adopted yet another new law, the California Privacy Rights and Enforcement Act, that will go into effect in 2023.
Meanwhile, businesses still have federal privacy standards dictated by HIPAA (for healthcare data), PCI DSS (for credit card data), FedRAMP (for SaaS providers bidding on government contracts), and other regulations. There’s also the European Union’s General Data Protection Regulation (GDPR), other overseas privacy statutes…and, well, you get the idea. It’s anyone’s guess what will come next.
Compliance officers need a more sustainable, strategic, agnostic approach to managing so many rules and requirements. That approach needs to be something that can accommodate future rules easily.
Moreover, you’ll need to keep proof of your organization’s compliance with these privacy rules to reassure skittish customers looking for assurance that, yes, your business takes data privacy seriously. To be able to provide that assurance, you will also need to take data privacy seriously by embracing privacy by design or some similar philosophy as much as possible.
What you need, then, is a “regulatory-agnostic” approach – and, ideally, a technology agnostic approach to the tools and platforms you use to support it.
Where privacy principles come from
Talking about the importance of privacy principles is easy, but where, exactly, do they come from? Several resources exist.
One good example is the Federal Trade Commission, which identified five main privacy principles in 1998 that still endure to this day:
- Notice and awareness
- Choice and consent
- Access and participation
- Integrity and security
- Enforcement and redress
But that’s not the only set of privacy principles available. For example, the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants developed their own Generally Accepted Privacy Principles (GAPP) in 2009. GAPP has 10 principles, more than the FTC’s five, but the same basic concepts of choice, consent, disclosure and enforcement permeate both.
Meanwhile, Privacy by Design (first developed by a privacy commissioner in Ontario in the 1990s) has seven principles. Those principles focus more on how privacy should work within business systems: privacy as the default setting; privacy embedded into the design; end-to-end security across the full information lifecycle; and so forth.
Other standards, frameworks, and sets of principles exist as well. Search as much as necessary to find whatever principles are the best match for your organization, and don’t be afraid to mix and match if that’s what works.
What a regulation-agnostic approach to privacy is
How a technology agnostic approach supports privacy
A technology agnostic approach to privacy means you define your principles, policies, and controls first, and only then pick tools that can implement them. Instead of locking your privacy program to one vendor or platform, you treat technology as interchangeable plumbing. That way, when laws or business needs change, you can swap or add tools without redesigning your entire privacy program – your controls and governance model stay stable, even if your tech stack doesn’t. This kind of agnostic approach lets you adapt quickly when a new law, framework, or customer requirement appears, without rebuilding your program from scratch.
This approach to privacy doesn’t begin by asking, “What are all the privacy compliance obligations facing our business?” because those obligations will change over time. Instead, ask a simpler, more strategic question: What are the organization’s core priorities for privacy and security?
For example, the business might want to collect less information to keep its compliance obligations low. It might want to collect lots of information (which is great for marketing, after all) while making the investment to secure that data more thoroughly. It might want to use internally built technology to reduce vendor risks or embrace SaaS providers for greater efficiency and lower costs while accepting the need for more assurance over those vendors.
Once those privacy priorities are clear, you can adopt one set of controls that implements your most important privacy principles. The NIST privacy framework, for example, is one good place to start. So are the seven principles of Privacy by Design (authored by former Information and Privacy Commissioner of Ontario Ann Cavoukian) or the ISO 27701 standard for privacy management.
The point here is that the business must define how it wants to embrace privacy as part of its daily operations. That requires senior executives to think about business objectives and strategy and how concerns about privacy fit into those larger questions. Once that understanding is clear, you can use a framework to implement a set of controls that puts those privacy priorities into practice.
Then you can get more precise, mapping those controls to specific requirements of different laws so you can ensure compliance with whatever privacy rules might crop up. But remember the bigger picture here: the organization defines and implements its own priorities for privacy first and then fine-tunes its controls to specific privacy compliance obligations.
That’s far wiser than the alternative of forcing additional controls onto the business every time a new privacy rule crops up. An agnostic approach gives you a stable foundation that can flex with new regulations and new technologies over time. And you can be sure that more privacy rules will crop up.
You have an incentive to do this
Another argument in favor of this approach to data privacy: businesses have a strong economic incentive to embrace effective privacy and information security frameworks.
For example, Utah and Ohio both offer liability protection for companies that suffer a data breach if the company creates and maintains a cybersecurity program modeled after certain frameworks (the frameworks include PCI DSS, NIST 800-171, FedRAMP, and a few others). To qualify for that protection, the company needs a written cybersecurity program that includes both technical and administrative controls, but the concept is clear: if you base your privacy and security program on a proven framework, the government will give you more favorable treatment in the event of a breach.
The same is also now true with HIPAA compliance, thanks to the HIPAA Safe Harbor Law passed earlier this year. If a company uses industry-standard best practices to protect personal health information, that accelerates the audits federal regulators might require and reduces the potential fines regulators might impose for a breach.
Other benefits include potentially lower insurance costs and a talking point your sales teams can use with customers: that your business takes privacy seriously and can be a trustworthy third party for them.
Creating a regulatory-agnostic privacy program: What you’ll need to get right
First, as we mentioned already, your organization will need to decide what its privacy principles are; from there you can (using frameworks) derive specific privacy policies and controls. And since those principles will intersect with business objectives, senior management really will need to sit down and think about this question.
For example, you don’t want to alienate operating units by placing too much burden on them; that could pigeonhole your compliance program as something to be sidelined and avoided. You also want to consider the privacy issues that might arise from new business ventures (including expansion into new geographic markets) or marketing campaigns. Who gets to review and approve those plans? Who gets to veto them? What process will be in place to ensure privacy concerns are part of those reviews and approvals?
Second, you’ll need to be clear about roles and responsibilities to implement whatever privacy regime you decide to implement. For example, what role will the CISO play? Who implements measures such as training, third-party contracting, or other measures that historically aren’t the CISO’s job, but are important to success? What about a regulatory compliance officer who already handles privacy issues for, say, pharmaceutical or banking industry regulators — what role does that person play?
Third, you’ll need strong documentation capabilities. That means you’ll need a single source of truth for data or evidence about your privacy program’s effectiveness, so you can promptly conjure up necessary evidence for any auditor, regulator, or sales prospect who comes asking. Strong documentation capabilities are also what make a technology agnostic approach realistic. If your evidence, mappings, and policies live in one system of record, you can change ticketing tools, CRMs, or cloud providers without losing your view of how privacy is actually enforced.
One sensible idea I’ve heard is this: establish privacy controls according to a proven framework you’ve decided to use (for instance, the NIST privacy framework is one good place to start, especially if your organization is already familiar with the NIST Cybersecurity Framework). Tie specific privacy policies to those controls, and tag the controls with comments or additional fields describing the specific legal requirements they’re meant to address. Then, when someone asks, for example, “How are you complying with the GDPR in Europe?” you can pull up all relevant documentation with a quick query instead of a scramble.
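As an added illustration of the "tag controls with the legal requirements they address, then query by regulation" idea above (and of the single source of truth for evidence described earlier), here is a small control registry. This is example code written for this article, not Hyperproof's product or any framework's official mapping: the control IDs (`PRIV-01` and so on), policy names, evidence file paths, and the mapping of controls to statute references are constructed for illustration. Beyond answering "what do we have for GDPR?", it also surfaces the two questions an auditor asks next: which catalogued requirements have no control at all, and which controls have a mapping but no evidence behind it.

```python
"""Constructed example: a registry mapping framework-based privacy controls
to the legal requirements they satisfy, so that "how are we complying with
GDPR?" becomes a query. All IDs, policies, paths and mappings are hypothetical."""

from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str       # hypothetical internal ID, not a real framework identifier
    title: str
    policies: list        # internal policies tied to the control
    requirements: dict    # regulation name -> list of requirement references
    evidence: list = field(default_factory=list)  # evidence records (constructed paths)


REGISTRY = [
    Control(
        control_id="PRIV-01",
        title="Data minimization: collect only fields with a documented purpose",
        policies=["Data Collection Standard v3"],
        requirements={"GDPR": ["Art. 5(1)(c)"], "CCPA": ["Sec. 1798.100(c)"]},
        evidence=["evidence/2024-q1/data-inventory-review.pdf"],
    ),
    Control(
        control_id="PRIV-02",
        title="Data subject access: fulfill access requests within SLA",
        policies=["DSAR Procedure v2"],
        requirements={"GDPR": ["Art. 15"], "CCPA": ["Sec. 1798.110"]},
        evidence=["evidence/2024-q1/dsar-ticket-export.csv"],
    ),
    Control(
        control_id="PRIV-03",
        title="Erasure: delete personal data on verified request",
        policies=["DSAR Procedure v2", "Retention Schedule v1"],
        requirements={"GDPR": ["Art. 17"], "CCPA": ["Sec. 1798.105"]},
        evidence=[],  # control is defined, but no evidence has been collected yet
    ),
    Control(
        control_id="PRIV-04",
        title="Breach notification to the supervisory authority within 72 hours",
        policies=["Incident Response Plan v5"],
        requirements={"GDPR": ["Art. 33"]},
        evidence=["evidence/2024-q1/ir-tabletop-report.pdf"],
    ),
]

# What each regulation requires, kept separately from the controls so that
# requirements with no supporting control can be detected. Constructed subset.
REQUIREMENT_CATALOG = {
    "GDPR": ["Art. 5(1)(c)", "Art. 15", "Art. 17", "Art. 33"],
    "CCPA": ["Sec. 1798.100(c)", "Sec. 1798.105", "Sec. 1798.110", "Sec. 1798.120"],
}


def controls_for(regulation, registry=REGISTRY):
    """Return (control_id, requirement refs, evidence) for every control tagged
    with the regulation: the answer to "how are we complying with X?"."""
    return [
        (c.control_id, c.requirements[regulation], list(c.evidence))
        for c in registry
        if regulation in c.requirements
    ]


def unmapped_requirements(regulation, registry=REGISTRY, catalog=REQUIREMENT_CATALOG):
    """Catalogued requirements that no control claims to satisfy (a coverage gap)."""
    covered = {ref for c in registry for ref in c.requirements.get(regulation, [])}
    return [ref for ref in catalog[regulation] if ref not in covered]


def controls_without_evidence(regulation, registry=REGISTRY):
    """Controls mapped to the regulation that have no evidence on file yet."""
    return [c.control_id for c in registry
            if regulation in c.requirements and not c.evidence]


if __name__ == "__main__":
    for reg in REQUIREMENT_CATALOG:
        print(f"== {reg} ==")
        for cid, refs, ev in controls_for(reg):
            print(f"  {cid}: {', '.join(refs)} -> {ev or 'NO EVIDENCE'}")
        print("  unmapped requirements:", unmapped_requirements(reg))
        print("  controls lacking evidence:", controls_without_evidence(reg))
```

The design point is that the regulation catalog and the control registry are separate records joined by tags, so adding a new law means adding a catalog entry and tagging existing controls, not redesigning the controls themselves; the gap report then shows exactly where the new law is not yet covered.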
FAQ: agnostic approaches to privacy
What is an agnostic approach to privacy?
An agnostic approach to privacy is one that starts from high-level principles and business objectives rather than any single regulation or tool. You define what privacy outcomes you want (for example, data minimization, strong consent, transparent access), implement controls and governance to achieve those outcomes, and then map those controls to specific laws and frameworks like GDPR, CCPA, or HIPAA.
What is a technology agnostic approach in privacy programs?
A technology agnostic approach means your privacy program is not tightly coupled to any one vendor, platform, or product. Your policies, controls, and evidence model are designed in a way that can be supported by multiple tools. That makes it easier to change or add systems (say, a new CRM or cloud provider) without having to redesign your privacy program every time.
Why combine a regulation-agnostic and technology-agnostic approach?
When you combine a regulation-agnostic approach with a technology agnostic approach, you get a privacy program that is resilient on two fronts: it can absorb new laws and new tools. Regulations can change, and your tech stack will definitely change, but your core privacy principles, controls, and documentation model stay consistent.
That’s a regulation-agnostic approach to privacy. That’s how you can satisfy the many privacy gods demanding attention from your business.