Automating the NIST and CIPM Frameworks to Ensure Proper Use

Shawn Flaherty
3 min read, Feb 27, 2024


Privacy frameworks such as NIST and CIPM play a crucial role in assisting companies in safeguarding privacy. However, these frameworks heavily depend on manual interventions to enforce privacy safeguards, consistently exposing companies to risks stemming from the inaccurate implementation of policies due to an over-reliance on human knowledge and memory. The emphasis on manual interventions also squanders valuable resources on tasks like documentation, alignment, and the continuous back-and-forth communication between privacy professionals and engineers.

Tranquil Data both streamlines and automates a significant portion of the manual work required by the NIST and CIPM Frameworks, reducing risk and reclaiming valuable time and resources for privacy professionals. This article outlines some common issues with the NIST and CIPM frameworks and previews how Tranquil Data’s software addresses these challenges through automation.

You can access a detailed crosswalk of NIST Privacy Framework and Tranquil Data capabilities here.

Inventory & Mapping

Inventory and mapping processes are cumbersome, costly, and outdated as soon as they are complete. Still, they’re necessary because it’s hard to track where data came from, rules for use, and how data has moved or been re-purposed over time.

Tranquil Data offers a solution to address these challenges by proactively connecting data to its context. This includes providing information about the data’s origin, the purpose for possessing it, and the rules governing its proper use. This proactive approach ensures effective tracking of personal data, even as it is shared or repurposed over time.

Policy Documentation

Regulations, contracts, and privacy policies are typically documented across scattered wikis and shared folders. As a result, large teams are tasked with working across organizations to ensure these rules are well-known and understood.

Tranquil Data automates away this cost and complexity through a single, versioned system of record for machine-enforceable policies. Privacy counsel configure the policies in a plain-language user interface. Tranquil Data then integrates the equivalent machine-readable policies into existing dataflows to control and enforce proper use, providing assurance that policies are always met.

Privacy Training

Privacy training faces a fundamental challenge: engineers and lawyers possess different expertise. Engineers lack legal knowledge but are tasked with implementing complex rules, while privacy professionals are responsible for ensuring compliance without the ability to inspect code for proper implementation. Moreover, training relies on effectively educating all employees or conducting a privacy review for each new initiative or change.

Tranquil Data resolves this challenge by decoupling policies from code. This empowers engineers to work compliantly with data, while the platform manages the intricacies of privacy requirements. Consequently, privacy teams transition from low-level training to advancing privacy-enabled experiences.

Access Control

While access control adheres to the principle of least privilege, it fails to address the training and translation gap mentioned earlier (e.g. just because a user’s access is limited, it does not mean that those with access implement policy correctly). The access control model also allows for misconfiguration and does not scale as new dimensions of requirements are introduced.

Tranquil Data surpasses the concept of least privilege by ensuring that data is used appropriately for each purpose as defined by policies. Policy decisions are informed by a contextual view of data, providing a scalable and efficient solution.

Automated Enforcement

Automation is the foundation of Tranquil Data, provided via API and database integrations. The product can be run in multiple modes to flag misuse, fail-fast requests that violate requirements, or filter records or fields to stay consistent with a stated purpose.

Continuous Audit

Transparent auditability is a key feature of Tranquil Data, explaining not just what actions were taken, but why each policy decision was made. This builds trust with internal and external stakeholders alike, reducing risk and unlocking new data-driven opportunities.
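As an added illustration of the three enforcement modes described under Automated Enforcement, together with the per-decision audit trail described here, the following is constructed example code, not Tranquil Data’s software or policy format; the policy table, the rule names, and the sample records are all assumptions made up for the example.

```python
from dataclasses import dataclass, field

# Constructed policy table (not Tranquil Data's format): for each stated
# purpose, the fields it may use and the hypothetical source rule granting it.
POLICIES = {
    "billing":   {"fields": {"id", "email", "amount"}, "rule": "Customer ToS s.4"},
    "marketing": {"fields": {"id", "email"},           "rule": "Marketing consent v2"},
}

class PurposeViolation(Exception):
    """Raised in fail-fast mode when a request exceeds its stated purpose."""

@dataclass
class Outcome:
    records: list
    audit: list = field(default_factory=list)  # one reason line per decision

def enforce(records, purpose, mode):
    """Apply the purpose's policy in mode 'flag', 'fail_fast' or 'filter'."""
    # An unstated purpose permits no fields at all, so every record is a violation.
    policy = POLICIES.get(purpose, {"fields": set(), "rule": "no policy for this purpose"})
    out = Outcome([])
    for rec in records:
        extra = set(rec) - policy["fields"]
        if not extra:
            out.records.append(dict(rec))
            out.audit.append(f"ALLOW id={rec.get('id')}: within {policy['rule']}")
            continue
        reason = (f"id={rec.get('id')}: fields {sorted(extra)} not permitted for "
                  f"purpose={purpose!r} ({policy['rule']})")
        if mode == "fail_fast":
            out.audit.append("DENY " + reason)
            raise PurposeViolation(reason)
        if mode == "filter":  # strip only the fields the purpose does not cover
            kept = {k: v for k, v in rec.items() if k in policy["fields"]}
            if kept:
                out.records.append(kept)
            out.audit.append("FILTER " + reason)
        elif mode == "flag":  # let the request through but record the misuse
            out.records.append(dict(rec))
            out.audit.append("FLAG " + reason)
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return out

SAMPLE = [  # constructed sample records, not real data
    {"id": 1, "email": "a@example.com", "amount": 42},
    {"id": 2, "email": "b@example.com", "amount": 7, "phone": "555-0100"},
]
```

Each audit line names the record, the offending fields, the stated purpose and the rule that decided it, which is the "why" a reviewer needs rather than only the "what".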

Working compliantly with personal data just got Tranquil. If automating proper use and sharing is of interest we would love to talk: info@tranquildata.com.
