The Privacy Control Conundrum
Oct 25
Author: Akhilesh Srivastava
Contributor: Jason Cronk
There is a significant gap and glaring absence of well-defined, privacy-specific controls in the industry. Instead of clear, actionable measures, the industry is awash with objectives often mislabeled as controls. This mischaracterization is more than just a semantic issue; it creates confusion and leaves significant gaps in privacy protection.
The situation becomes even more troubling when we look closer at the types of controls that are being promoted. A vast majority of "privacy" controls are heavily skewed towards organizational control and program management. These are the controls that govern the overarching strategies and policies within an organization. While they are important, they do little to directly safeguard privacy.
The technical and operational controls—the ones that should be at the forefront of privacy protection—are woefully inadequate or primarily focused on security. This imbalance is not just a problem within the widely referenced NIST 800-53 Rev 5 but is a recurring theme across various standards and guidelines from other organizations as well.
Categorizing Privacy Controls: A Multifaceted Approach
As explained by R. Jason Cronk in his blog, controls can be broadly categorized into three main types: technical, operational, and managerial. Understanding these categories is key to implementing effective privacy measures.
Technical Controls
These are the frontline protectors of privacy. A tool that automatically removes unnecessary personal data from chat logs would be an example of a non-security technical control meant to reduce the risk of certain privacy harms, such as the secondary use of data. Another example would be logically segregating data, say through different pseudonyms, to prevent linking of data about people (i.e. generating profiles). They are tangible measures that can be implemented within systems and applications to ensure privacy is maintained. While technical controls need not be automated, they are usually implemented through some technology.
Operational Controls
These involve the processes and procedures that respect privacy in the organization's day-to-day operations. Creating standard operating procedures for customer service representatives that dictate which questions are appropriate and inappropriate to ask customers would be one example. Operational controls are primarily people-driven, though they may be supported by technology. A clear contrast can be demonstrated through data deletion: having an annual process by which an analyst reviews and deletes old data from a database would be operational (though supported by the delete capabilities of the database), whereas having a script in the database that regularly removes outdated data would be a technical control.
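As an added example (not code from the article, from Cronk, or from the IOPD), the following Python module implements three technical controls of the kind the two sections above describe: a tool that strips unnecessary personal data from chat lines, per-purpose pseudonyms that keep data about one person from being linked across contexts, and a retention routine that deletes outdated records on a schedule instead of relying on an analyst's annual review. The purpose keys, retention period, clock and records are constructed placeholders, not values from the article.

```python
"""Three technical privacy controls, as an added illustration.

1. Data minimisation: redact e-mail addresses and phone numbers from chat
   lines before they are stored (reduces secondary-use risk).
2. Per-purpose pseudonymisation: the same person gets a different pseudonym
   in each processing context, so records cannot be joined across contexts
   (logical segregation that prevents profile building).
3. Automated retention deletion: the "script in the database" control, as
   opposed to a person's periodic manual clean-up.

All keys, dates and records below are constructed for illustration.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# --- 1. Data minimisation on chat logs -------------------------------------
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")


def redact_chat_line(line: str) -> str:
    """Replace e-mail addresses and phone numbers with neutral tokens so the
    stored transcript no longer carries contact details it does not need."""
    line = EMAIL_RE.sub("[email]", line)
    return PHONE_RE.sub("[phone]", line)


# --- 2. Per-purpose pseudonyms --------------------------------------------
# Assumption: one secret key per processing purpose, held outside the data
# store (e.g. in a key-management service). These are constructed placeholders.
PURPOSE_KEYS = {
    "support-chat": b"constructed-key-support",
    "billing": b"constructed-key-billing",
}


def pseudonymise(user_id: str, purpose: str) -> str:
    """Keyed hash (HMAC-SHA256): stable within one purpose, so records for the
    same person can still be grouped there, but a different value under every
    other purpose's key, so datasets from two purposes cannot be joined."""
    return hmac.new(PURPOSE_KEYS[purpose], user_id.encode(), hashlib.sha256).hexdigest()


def can_link(pseud_a: str, pseud_b: str) -> bool:
    """Someone holding both datasets can only join rows whose pseudonyms
    match; with per-purpose keys this fails for the same person."""
    return pseud_a == pseud_b


# --- 3. Automated retention deletion --------------------------------------
RETENTION = timedelta(days=90)  # constructed retention period


def purge_expired(records: list[dict], now: datetime) -> tuple[list[dict], int]:
    """Return (kept_records, deleted_count). Each record carries a 'created'
    UTC datetime; anything older than RETENTION is dropped."""
    cutoff = now - RETENTION
    kept = [r for r in records if r["created"] >= cutoff]
    return kept, len(records) - len(kept)


def demo() -> tuple[list[dict], int]:
    """Run the three controls over a constructed chat store."""
    now = datetime(2024, 10, 25, tzinfo=timezone.utc)  # constructed clock
    store = [
        {"user": pseudonymise("alice@example.com", "support-chat"),
         "created": now - timedelta(days=10),
         "text": redact_chat_line("call me on 555-123-4567 about my order")},
        {"user": pseudonymise("alice@example.com", "support-chat"),
         "created": now - timedelta(days=120),
         "text": redact_chat_line("old ticket from alice@example.com")},
    ]
    return purge_expired(store, now)


if __name__ == "__main__":
    kept, deleted = demo()
    print(f"deleted {deleted} expired record(s); {len(kept)} kept")
    for r in kept:
        print(r["user"][:12], r["text"])
```

The design point is that each control acts inside the system without human intervention: the redaction runs before storage, the pseudonym keys are what make cross-purpose linking fail, and deletion is a function the scheduler calls rather than a task someone has to remember.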
Managerial Controls
These are the overarching policies and programs that guide an organization’s approach to privacy and security. Management controls might include the development of policies that dictate how data should be handled within the organization, responding to data subject requests, monitoring the technical and operational controls, and reporting on program metrics. While these controls are important for setting the tone and direction of an organization’s privacy efforts, they are often less effective at directly safeguarding privacy compared to technical and operational controls.
Expanding the Control Framework: System and Environmental Controls
It’s also worth noting that, as our understanding of privacy protection evolves, so does our approach to categorizing and implementing controls. While the technical, operational, and management controls framework provides a solid foundation, privacy professionals are increasingly recognizing the value of additional perspectives on control categorization.
One such perspective divides controls into system and environmental controls, each offering an additional layer of protection that complements our traditional categories.
System Controls focus on actions within a system, and these can be either technical or non-technical. Note that "system" is used broadly here (e.g. a human resource management system includes all the people, processes, and technology in an HR department). An email client that automatically encrypts sensitive data is a technical system control that ensures that information is secure. A person's decision to enable encryption when emailing sensitive information would also be a system control, though one more prone to failure, since the person may forget. Whether it's a computer automating privacy safeguards or a human taking deliberate action, both scenarios represent how system controls can operate to protect privacy.
Environmental Controls, meanwhile, influence the environment in which a system operates. These controls don’t directly interact with the system but rather shape the conditions under which it functions. An example would be a law that an interviewer in certain states cannot ask a candidate's current pay scale. By fostering a culture of awareness and caution, environmental controls play a critical role in enhancing the overall effectiveness of privacy measures.
This additional method of categorization—system and environmental controls—complements technical, operational, and management controls, offering an alternative framework for safeguarding privacy. Recognizing the different types of controls allows organizations to implement a balanced approach, addressing both direct system risks and the broader context in which privacy operates.
Regulatory Perspectives: GDPR's Approach to Privacy Measures
While the categorizations we've discussed provide valuable frameworks for understanding privacy controls, it's also crucial to consider how regulatory bodies approach this issue. The GDPR, one of the most comprehensive privacy laws globally, offers another perspective on categorizing privacy measures that both complements and expands upon our previous discussion.
Under GDPR, what we typically refer to as "controls" are called "measures." The regulation consistently uses the phrase "technical and organizational measures" to describe the actions organizations must take to protect personal data. This categorization provides yet another lens through which we can view privacy protection efforts:
Technical Measures
Technical Measures under GDPR align closely with our technical controls and technical system controls. These are the concrete, often technology-based actions taken to protect personal data. Examples include:
Implementing encryption for data at rest and in transit
Using pseudonymization techniques to protect individual identities
Setting up robust access control systems
Organizational Measures
Organizational Measures encompass a broader range of actions that blend aspects of our operational, management, and environmental controls. These measures focus on creating a privacy-aware organizational culture and structure. Examples include:
Developing comprehensive data protection policies
Providing regular privacy training to employees
Establishing clear roles and responsibilities for data protection within the organization
Creating and maintaining records of processing activities
It's important to note that while GDPR distinguishes between technical and organizational measures in theory, in practice, these terms are often used together without strict distinction. This combined usage reflects the reality that effective data protection often requires an integrated approach where technical and organizational measures work in tandem.
For instance, implementing a new encryption system (a technical measure) would typically be accompanied by updates to data handling policies and staff training (organizational measures). This holistic approach ensures that the technical solutions are properly understood, implemented, and maintained within the organization's broader privacy framework.
The GDPR's approach bridges some of the gaps we've identified in traditional privacy control frameworks. It encourages a more holistic view of privacy protection, emphasizing the need for both organizational readiness and concrete technical measures. However, even with the GDPR's influence, there's still work to be done in developing and implementing privacy-specific controls that go beyond mere compliance and truly protect individual privacy.
The Need for a Balanced Approach to Privacy Controls
In an ideal world, privacy controls should be implemented in a balanced and layered approach. Technical controls should be the first line of defense, directly protecting data and ensuring that privacy is respected at the system level. Operational controls should follow, ensuring processes are in place to support and enforce these technical measures. Finally, management controls should provide the overarching framework and direction, guiding the organization’s privacy efforts.
Unfortunately, many organizations approach this process in reverse. They start with management controls, establishing policies and programmatic procedures, but often fail to implement the technical and operational measures that reduce risks and protect privacy. This backward approach, a result of the last-mile problem, leaves significant gaps in privacy protection, as the most effective controls are often underutilized or ignored altogether.
The Privacy Control Landscape: An Industry-Wide Issue
The challenges I’ve outlined are not unique to any single organization or framework. They are systemic issues that permeate the entire privacy engineering landscape. While privacy practitioners often point to NIST 800-53 Rev 4 Appendix J (later incorporated into the integrated catalog in Rev 5) as an industry-accepted privacy control library, the reality is that these controls remain predominantly security-focused.
Moreover, they are overwhelmingly implemented at the organizational level rather than at the system level, where privacy needs to be protected most. As the industry continues to evolve, there is an urgent need for a more comprehensive and balanced approach to privacy controls—one that prioritizes technical and operational measures while still supporting them with strong management controls.
Conclusion: Moving Forward with a Clearer Vision
The journey into the privacy engineering world has revealed some unsettling truths about the current state of privacy controls. The lack of well-defined, privacy-specific controls, coupled with the overemphasis on management and organizational controls, has created significant gaps in privacy protection. To move forward, we need to adopt a more balanced approach that prioritizes technical and operational controls, ensuring that privacy is protected at every level.
As privacy concerns continue to grow in importance, the industry must evolve to meet these challenges head-on. By clarifying the distinction between controls and objectives and focusing on the most effective measures, we can build a stronger foundation for privacy protection in the digital age.
The Institute of Operational Privacy Designs (IOPD) has recently released a privacy design assurance standard. As part of the next steps of that effort, the IOPD plans to come up with a set of non-security privacy-specific systems and environmental controls. Their initial efforts will be limited, as their main focus is on the broader standard; however, the effort will bear fruit, and its 5th revision, years hence, will be as comprehensive in the privacy controls area as 800-53 rev 5 is in the security space.