12 Best Privacy Frameworks
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
1.0, 08.09.202
A framework is a basic conceptual structure used
to solve or address complex issues. ISACA
Regulation: Rules or laws defined and enforced
by an authority to regulate conduct. ISACA
(e.g., GDPR)
Standard: A mandatory requirement, code of
practice or specification approved by a recognized
external standards organization (such as ISO). ISACA
(e.g., ISO 27701, BS 10012, ISO 29100)
Guideline: Non-mandatory information leading to a
compliant solution for the related requirement. ISO
(e.g., NOREA Guide)
All of them can be used as frameworks!
Main Benefits
• Comprehensive approach / Privacy Baseline
• Measurement and Benchmarking
• Demonstration of maturity
• Certification (proof of compliance)
• Common language for privacy pros and business
We don't need to reinvent the wheel!
My TOP 12:
1. ISO 29100
2. ISO 27701
3. ICO Accountability Framework
4. TrustArc - Nymity Framework
5. MITRE Privacy Maturity Model
6. NIST Privacy Framework
7. AICPA Privacy Management Framework
8. NDMO Data Management and Personal Data Protection Standards
9. NOREA Privacy Control Framework
10. PDPC Guide to Developing a Data Protection Management Programme
11. Standard Data Protection Model (SDM)
12. SCF Privacy Management Principles (SCF-PMP)
1. ISO 29100
ISO/IEC 29100:2011 Information technology —
Security techniques — Privacy framework
This standard was last reviewed and confirmed in 2017.
ISO/IEC 29100:2011 provides a privacy framework which:
• specifies a common privacy terminology;
• defines the actors and their roles in processing personally
identifiable information (PII);
• describes privacy safeguarding considerations; and
• provides references to known privacy principles for information
technology.
ISO 29100 is applicable to natural persons and organizations
involved in specifying, procuring, architecting, designing,
developing, testing, maintaining, administering, and operating
information and communication technology systems or services
where privacy controls are required for the processing of PII.
• Organisation: ISO
• CHF 124 ($140)
2. ISO 27701
ISO/IEC 27701:2019 Security techniques —
Extension to ISO/IEC 27001 and ISO/IEC 27002 for
privacy information management —
Requirements and guidelines
This document specifies requirements and provides guidance for
establishing, implementing, maintaining and continually
improving a Privacy Information Management System (PIMS) in
the form of an extension to ISO/IEC 27001 and ISO/IEC 27002
for privacy management within the context of the organization.
This document specifies PIMS-related requirements and provides
guidance for PII controllers and PII processors holding
responsibility and accountability for PII processing.
This document is applicable to all types and sizes of
organizations, including public and private companies,
government entities and not-for-profit organizations, which are
PII controllers and/or PII processors processing PII within an
ISMS.
• Organisation: ISO
• CHF 187 ($210)
3. ICO Accountability Framework
Accountability is one of the key principles in data protection law
– it makes you responsible for complying with the legislation and
says that you must be able to demonstrate your compliance.
The framework is an opportunity for you to assess your
organisation’s accountability. Depending on your circumstances,
you may use it in different ways. For example, you may want to:
• create a comprehensive privacy management programme;
• check your existing practices against the ICO’s expectations;
• consider whether you could improve existing practices,
perhaps in specific areas;
• understand ways to demonstrate compliance;
• record, track and report on progress;
• or increase senior management engagement and privacy
awareness across your organisation.
• Organisation: ICO (UK)
• Free
The framework is divided into 10 categories.
Selecting a category will display ICO’s key
expectations and a bullet-pointed list of ways
you can meet their expectations.
1. Leadership and oversight
2. Policies and procedures
3. Training and awareness
4. Individuals’ rights
5. Transparency
6. Records of processing and lawful basis
7. Contracts and data sharing
8. Risks and data protection impact
assessments (DPIAs)
9. Records management and security
10. Breach response and monitoring
4. TrustArc - Nymity Framework
The TrustArc-Nymity integrated Privacy and Data
Governance Accountability Frameworks combine and
align privacy and data governance controls with privacy
management activities across the privacy program lifecycle
to help organizations effectively achieve these goals and
continuously improve upon them over time.
A framework-based approach can be implemented at any
stage of a privacy program.
• Organisation: TrustArc / Nymity
• Free
• The Core: The three pillars of Build, Implement, and
Demonstrate
• Standards and Controls: The 16 Standards and 55
Framework Controls
• Privacy Management Categories and Activities:
The 13 Privacy Management Categories and 139
Privacy Management Activities organized under the
Core three pillars
• Framework Mapping to Popular Laws:
The Framework is mapped to several popular laws,
regulations, and other standards
5. MITRE Privacy Maturity Model
Framework for developing, implementing, maintaining, and
evaluating privacy programs. Privacy programs must be
comprehensive enough to address all requirements established by
authoritative sources (e.g., laws, regulations, guidance), and must
be supported by written policies, appropriate training, ongoing
practices, and appropriate assessment.
This model may be used to assess both completeness (whether an
organization has identified and implemented all elements of a
privacy program) and maturity level (an evaluation of to what
degree practices supporting each element are effective in achieving
their intended purpose).
It was developed based not only on comprehensive research of
relevant laws and guidance, but on practices that have been
assessed as effective in many organizations.
It is part of MITRE’s Privacy Engineering Tools:
https://www.mitre.org/news-insights/publication/mitres-privacy-engineering-tools-and-their-use-privacy-assessment
• Organisation: MITRE
• Free
6. NIST Privacy Framework
The NIST Privacy Framework is a voluntary tool developed in
collaboration with stakeholders intended to help organizations
identify and manage privacy risk to build innovative products and
services while protecting individuals’ privacy.
NIST is developing the framework to help organizations with:
• Building customer trust by supporting ethical decision-making
in product and service design or deployment that optimizes
beneficial uses of data while minimizing adverse consequences
for individuals’ privacy and society as a whole;
• Fulfilling current compliance obligations, as well as future-
proofing products and services to meet these obligations in a
changing technological and policy environment; and
• Facilitating communication about privacy practices with
customers, assessors, and regulators.
• Organisation: NIST
• Free
7. AICPA Privacy Management Framework
The Privacy Management Framework (PMF) can be used as
a foundational element in establishing and operating a
comprehensive information privacy program that addresses
privacy obligations and risks while facilitating current and
future business opportunities.
• Organisation: AICPA
• For Members Only
8. NDMO Standards
The National Data Management and Personal Data Protection
Standards document covers 15 Data Management and Personal
Data Protection domains. To support the development of the
Data Management and Personal Data Protection standards, a set
of international references, internal relevant policies and
regulations, and guiding principles were defined.
Government Entities (KSA) must implement the standards, and
compliance will be measured yearly to monitor progress and
drive efforts towards a successful implementation.
• Organisation: National Data Management Office (Saudi Arabia)
• Free
9. NOREA Privacy Control Framework
This guide (in Dutch “Handreiking”) is issued by NOREA,
the professional association of IT auditors in the
Netherlands and was developed to guide Dutch chartered
IT-auditors in issuing assurance reports in alignment with
the European General Data Protection Regulation (GDPR)
and the relevant standards on assurance engagements.
• Organisation: NOREA (Netherlands)
• Free
The PCF contains:
95 controls in total, divided over
32 subjects in
9 Lifecycle Management phases
10. PDPC Guide
Guide to Developing a Data Protection Management
Programme
This guide seeks to help organisations develop or improve
their personal data protection policies and practices
through the implementation of a Data Protection
Management Programme (DPMP). Organisations may
benchmark their existing personal data protection policies
and practices against this guide.
• Organisation: PDPC (Singapore)
• Free
11. Standard Data Protection Model (SDM)
The Standard Data Protection Model (SDM)
A method for Data Protection advising and controlling on
the basis of uniform protection goals
The SDM provides appropriate measures to transform the
regulatory requirements of the GDPR to qualified technical
and organisational measures.
The SDM's catalogue of reference measures can be used to
check for each individual processing whether the legally
required ‘target’ of measures corresponds to the existing
‘actual’ of measures.
• Provider: Conference of the Independent Data Protection
Supervisory Authorities of the Federation and the Länder
(Germany)
• Free
12. SCF Privacy Management Principles (SCF-PMP)
The Secure Controls Framework™ (SCF) focuses on internal
controls.
The SCF is a metaframework – a framework of frameworks
• Organisation: SCF
• Free
One more thing:
CNIL DPO Guide
The objective of this guide is to support both organisations
in setting up the function of Data Protection Officer (DPO)
and such officers in the exercise of their profession.
This guide is a living tool which will be enriched by best
practices reported by professionals to the French Data
Protection Authority (CNIL).
• Organisation: CNIL (France)
• Free
[Concept] Mapping - An indication that one
concept is related to another concept. NIST
Mapping
The main question:
How does conforming to one framework help
the organization conform to another framework?
Five Important Assumptions for the Mapping
1. The intended users of the mapping
2. Why someone would want to use this mapping
3. The types of concepts to be mapped
4. The direction of the mapping
5. How exhaustive the mapping will be
csrc.nist.gov/pubs/ir/8477/ipd
www.patreon.com/posts/developing-and-88697200
TrustArc-Nymity Framework -> GDPR and ISO 27701
www.patreon.com/posts/mapping-of-to-61726397
Framework | Why do I like it?
1. ISO 29100 | Simple, Privacy Principles, Aligned with the ISO Standards
2. ISO 27701 | Integrated with the ISMS (ISO 27001), Well-known international standard, Good Structure, Certification, Mapping to GDPR
3. ICO Accountability Framework | Recommendations from the Supervisory Authority (SA), Good Structure, Case studies, Additional resources (self-assessment and tracker), GDPR, Free
4. TrustArc-Nymity Framework | Simple, Good Structure, Free
5. MITRE Privacy Maturity Model | Good Structure (Elements of a Privacy Program), Maturity Levels, Checklist, Additional Resources, Free
6. NIST Privacy Framework | Aligned with NIST CSF (cybersecurity), Tiers 1-4 (Partial, Risk Informed, Repeatable, Adaptive), Free
7. AICPA Privacy Management Framework | Simple, Good Structure, Mapping to GDPR, Free (for members)
8. NDMO Standards | Recommendations from the SA, Data Management Guiding Principles, Set of controls, Control description, Aligned with DAMA DMBoK, Free
9. NOREA Privacy Control Framework | Focus on Audits, Good Structure, Set of controls, GDPR, Mapping to GDPR, Mapping to ISO 27001, ISO 27701 and ISO 29100, Free
10. PDPC Guide | Recommendations from the SA, Simple, Examples and Checklists, Training and Communication Initiatives, Data Inventory Map, Free
11. Standard Data Protection Model (SDM) | Recommendations from the SA, Protection goals, Data Life Cycle, SDM cube, Risks, PDCA, Integrations with BSI Grundschutz, GDPR, Mapping to GDPR, Free
12. SCF-PM | Metaframework, Good Structure, Mapping to many frameworks, Free
1. ISO 29100: www.iso.org/standard/45123.html
2. ISO 27701: www.iso.org/standard/71670.html
3. ICO Accountability Framework: www.ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework
4. TrustArc - Nymity Framework: www.trustarc.com/trustarc-privacy-data-governance-accountability-framework
5. MITRE Privacy Maturity Model: www.mitre.org/news-insights/publication/mitres-privacy-engineering-tools-and-their-use-privacy-assessment
6. NIST Privacy Framework: www.nist.gov/privacy-framework
7. AICPA Privacy Management Framework: www.us.aicpa.org/interestareas/informationtechnology/privacy-management-framework
8. NDMO Standards: www.sdaia.gov.sa/en/SDAIA/about/Documents/PoliciesEN.pdf
9. NOREA Privacy Control Framework: www.norea.nl/uploads/bfile/bb6ebde8-a436-43d0-b3df-ceef7a50556c
10. PDPC Guide: www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme
11. Standard Data Protection Model (SDM): www.datenschutz-mv.de/datenschutz/datenschutzmodell
12. SCF-PM: www.securecontrolsframework.com
CNIL DPO Guide: www.cnil.fr/en/cnil-publishes-guide-dpos
All Privacy Standards and Frameworks: www.patreon.com/posts/best-privacy-and-85140462
Thanks, and good luck!
May the Privacy Frameworks Force be with you!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov
Related presentations:
www.patreon.com/posts/my-presentation-88795477
www.patreon.com/posts/my-presentation-81082595
P.S. Have you seen my Privacy Implementation Toolkit?
www.patreon.com/posts/66191153
