The Nymity Privacy Management Accountability Framework

The Nymity Privacy Management Accountability Framework was released by the Nymity company in 2012 as a new tool to manage privacy risk. Its primary goal was to bridge the gap between standard framework concepts and the actual implementation of those concepts in an organization (McQuay, 2019). The framework was developed through a series of workshops held in the early 2000s, and it received a significant overhaul in 2015, when numerous tools were added.

Similar to the NIST Privacy Framework, the Nymity Privacy Management Accountability Framework is organized into major categories, which Nymity refers to as “scopes”. Each scope can be considered roughly analogous to the NIST subcategory field. However, the scopes go further by offering discrete implementation actions to the privacy officer performing the implementation. Nymity states that these actions should be regarded as a menu of options rather than a checklist of hard requirements (McQuay, 2019).

The Nymity Privacy Management Accountability Framework covers thirteen primary scopes (Nymity Inc., 2018):

1. Maintain governance structure.
2. Maintain personal data inventory and data transfer mechanisms.
3. Maintain internal data privacy policy.
4. Embed data privacy into operations.
5. Maintain training and awareness program.
6. Manage information security risk.
7. Manage third-party risk.
8. Maintain notices.
9. Respond to requests and complaints from individuals.
10. Monitor for new operational practices.
11. Maintain data privacy breach management program.
12. Monitor data handling practices.
13. Track external criteria.

These scopes are meant to provide a more structured implementation plan than NIST and similar entities provide. For example, the NIST Privacy Framework Data Processing Awareness category defines breach guidance somewhat vaguely: it requires that impacted subjects can be notified during a breach and that the privacy officer create a data breach playbook as part of the data subject protection plan. By comparison, the Nymity PMAF provides eight specific requirements (Nymity Inc., 2018):

1. Maintain a data privacy incident/breach response plan.
2. Maintain a breach notification and reporting protocol.
3. Maintain a log to track data privacy incidents/breaches.
4. Monitor and report data privacy incident/breach metrics.
5. Conduct periodic testing of the data privacy incident/breach plan.
6. Engage a breach response remediation provider.
7. Engage a forensic investigation team.
8. Obtain data privacy breach insurance.

This provides a deeper level of prescriptive guidance on how to implement a data breach response plan. With this more in-depth guidance, businesses at a lower level of privacy maturity can better understand the steps they must take to reach a higher overall level of compliance. While the NIST Privacy Framework seeks to give a general overview of the concepts to address, the Nymity PMAF addresses those concepts directly with concrete actions to take.

When comparing the structure of the Nymity PMAF to the NIST Privacy Framework, the overall organization of the two frameworks differs. Because NIST seeks to provide more holistic guidance, its categorization follows a cyclical structure. Specifically, NIST follows a chronological order in which one must first perform an identification step to understand privacy risks. After that, a governance step is performed to develop privacy risk mitigations. Next, a control step is performed to ensure that requirements are properly mapped to risks. Upon completion of that, there is a communication phase in which training is provided to stakeholders. The last step is a protection phase in which the security controls protecting the data are assessed (“Privacy Framework,” 2018).

In the Nymity PMAF, by contrast, the steps are oriented towards a concurrent implementation scheme rather than a sequential one. For example, most scopes are themed around maintaining and monitoring existing practices, and implementing them where they are not yet in place. In this way, the privacy officer is given more freedom to select the applicable steps. This has both advantages and disadvantages: being less sequential may cause prioritization issues, but the ability to self-prioritize controls may allow for an improved implementation flow (Nymity Inc., 2018).

Overall, neither framework can be determined to be objectively better or worse than the other. NIST provides strong guidance for the sequential implementation of a privacy program. Nymity gives structured guidance on the actual steps required to implement a privacy program. As both frameworks are optional, businesses may choose to adopt strategies common to one or both as applicable.

References:

McQuay, T. (2019, January 19). Re: Developing a Privacy Framework (Docket No. 181101997-8997-01). NIST. https://www.nist.gov/system/files/documents/2019/02/04/nymity_terry_mcquay_teresa_troester-falk_002.pdf

Nymity Inc. (2018). Nymity Privacy Management Accountability Framework. Nymity Inc. https://d2l.sdbor.edu/content/enforced/202010/1903792-202410INFA-722-DT1-24230/Nymity%20PMAF.pdf

Privacy Framework. (2018). NIST. https://www.nist.gov/privacy-framework