What is a privacy framework?

A privacy framework describes a set of standards or concepts around which a company bases its privacy program. Typically, a privacy framework does not attempt to include all privacy-related requirements imposed by law or account for the privacy requirements of any particular legal system or regime.  Instead, the framework attempts to establish a privacy program that is separate and apart from the legal requirements of one, or more, specific jurisdictions.

What is the most popular privacy framework?

There are few published statistics regarding the adoption rate of privacy frameworks. The statistics that do exist have questionable reliability, primarily owing to sampling bias and self-reporting bias. For example, studies that ask clients of an organization that creates a privacy framework whether they adopted the privacy framework are likely to overreport adoption rates, as are studies that poll members of privacy organizations who may be predisposed to work at organizations that are more likely to have adopted a privacy framework. That said, a study published by the International Association of Privacy Professionals (IAPP) of a small number of its members reported that 28% of companies had adopted the NIST privacy framework. A slightly smaller number of companies reported adopting the ISO 27701 privacy framework.¹

How many privacy frameworks are out there?

There are numerous privacy frameworks. Some are established by independent organizations such as the International Organization for Standardization (ISO), which established the ISO 29100 privacy framework. Others are established by standard-setting bodies related to specific countries or governments. For example, the United States National Institute of Standards and Technology (NIST) established a NIST Privacy Framework. Other privacy frameworks are created by private companies, trade associations, or organizations.

¹  IAPP-FTI Consulting Annual Privacy Governance Report 2020 at 67.