Execute risk-based and legally defensible data privacy practices that conform with applicable statutory, regulatory and contractual obligations to protect sensitive Personal Data (sPD) throughout its lifecycle.
Organizations govern and implement privacy practices that align with overall privacy strategy; meet statutory regulatory and contractual obligations; ensure privacy by design and by default; protect individual rights; and provide lawful processing and safeguards for sensitive Personal Data (sPD).
Privacy is not a subset of data security, though the two overlap. The PRI domain governs risk-based and legally defensible privacy practices that protect sensitive Personal Data (sPD) throughout its lifecycle, covering statutory, regulatory and contractual obligations that are privacy-specific rather than security-specific. GDPR, CCPA, HIPAA's Privacy Rule and similar frameworks impose obligations around lawful processing, individual rights, consent and data minimization that security controls alone don't address.
The SCF's intent for PRI includes privacy by design and by default, the principle that privacy protections should be built into systems from the start rather than retrofitted. It also covers individual rights, including the right to access, correct and delete personal data, which create operational requirements for organizations to respond to data subject requests in defined timeframes.
PRI and Data Classification (DCH) work together. DCH identifies what sPD exists and where. PRI governs what the organization can do with it, how long it can keep it and what safeguards it must apply. Organizations that handle DCH without PRI often discover privacy obligations they weren't tracking when a regulator or data subject asserts rights the organization has no process to fulfill.