Nymity Privacy Management Accountability Framework

Nymity, a data privacy compliance company, has developed a Privacy Management Accountability Framework (PMAF). It has helped organizations around the world comply with privacy laws. A copy of the framework is reproduced below. In a January 14, 2019 letter to NIST, Nymity provided an outline of its PMAF in response to NIST's general request for information on a privacy framework.



Nymity's framework is not intended to be a checklist. An organization need not perform all 130 tasks across the 13 categories listed below; it should instead select those that most clearly address its own concerns. Organizations can use the framework to demonstrate due diligence in attempting to prevent data breaches, and to confirm that it has procedures in place that each of its departments actually follows.


Nymity can cross-reference data privacy laws to the framework to show where different regulations require organizations to take differing or equivalent steps.



The letter also lists how likely different types of data processing are to affect the rights of individuals.



The framework covers the following 13 categories; each is shown with one example of the key steps an organization can take to protect data privacy:


  1. Maintain Governance Structure - appoint a Data Protection Officer.

  2. Maintain Personal Data Inventory and Data Transfer Mechanisms - register databases with regulators.

  3. Maintain Internal Data Privacy Policy - the organizational code of conduct should include privacy concerns.

  4. Embed Data Privacy into Operations - integrate data privacy into record retention practices.

  5. Maintain Training and Awareness Program - conduct privacy training with job-specific content.

  6. Manage Information Security Risk - take measures to encrypt data.

  7. Manage Third-Party Risk - confirm the data privacy measures of vendors.

  8. Maintain Notices - give notice of data privacy policies in contracts.

  9. Respond to Requests and Complaints from Individuals - investigate root causes of data privacy complaints.

  10. Monitor for New Operational Practices - maintain guidelines for Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs).

  11. Maintain Data Privacy Breach Management Program - maintain a log to track data privacy incidents.

  12. Monitor Data Handling Practices - conduct internal audits.

  13. Track External Criteria - seek legal opinions regarding new laws.