Most privacy laws are based on the same concepts — many of you may know them as the FIPPs, or Fair Information Practice Principles. The FIPPs comprise transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing.
While these fundamental concepts are at the heart of privacy legislation and other kinds of frameworks, each framework has a slightly different way of assigning responsibility for them to businesses. Some frameworks are very prescriptive, like the CCPA, which requires businesses to implement specific types of data subject rights submission methods. Others are more flexible, directing businesses to have appropriate methods for submission. Some identify a list of information you must provide in a privacy notice, while others have an ambiguous requirement to notify individuals of your data handling practices. Even more challenging, some are prescriptive in different ways that don’t align and occasionally conflict.
At Ethos, we’ve developed a process and a product centered on Adaptive Privacy as a path to help privacy professionals understand where these obligations overlap, where they’re different, and how they’re different, so we can all make better decisions on how to run a privacy program. Adaptive Privacy first works to understand your business context — where you do business, what industry you’re in, what data you process, and how you use it — and then dynamically produces appropriate requirements based on what it knows. As your privacy obligations change due to internal or external factors, Adaptive Privacy reflects those changes, helping privacy teams stay ahead of ever-changing legislation and helping businesses make strategic decisions aligned with their goals and risk tolerance.