Privacy Management
Accountability Framework™

A Practical and Operational Structure for managing and
demonstrating compliance with the World’s Privacy Requirements

Organizations around the world are operationalizing global privacy compliance and managing privacy risk through the Nymity Framework™ tool and effectively bridging the gap between policies and principles, and the implementation of practical and effective privacy management. The Framework is a proven method for structuring privacy management throughout your organization and for demonstrating compliance with laws.


Nymity Privacy Management Accountability Framework™


Nymity Privacy Management Accountability Framework™ – Mapped to GDPR and CCPA
1. How was the Framework developed?

It was originally developed for communicating the status of the privacy program, in other words a framework for demonstrating accountability. It was designed to report on any privacy program, no matter how it is structured. For example, it works well with privacy programs structured around privacy principles, rationalized rules, standards and codes. 1000’s of organizations around the world are using the framework to structure their privacy programs.

In 2015, the Nymity Framework™ was further enhanced with supporting tools after additional on the ground research with over 500 privacy officers across 20 countries and over 50 cities. It has been made available to the global privacy community for free and has become a recognized framework used for a variety of purposes. In fact, the Framework has been recognized as an international standard and is being taught as such at the Singapore Management University in an Advanced Certificate Program on Data Protection Frameworks and Standards.


2. Is the Framework a “checklist” of privacy management requirements?

No. The Framework is not a one-size-fits-all approach and should not be implemented as such. It may be considered a “menu”, not a checklist. Different sectors and individual organizations have different situations, needs and risk profiles and customize use of the Framework according to their unique needs and risks.


3. What are privacy management activities?

Privacy management activities (also referred to as technical and organisational measures) are ongoing procedures, policies, measures, mechanisms, and other initiatives that impact the processing of personal data or that relate to compliance with privacy and data protection laws. Organisations select which privacy management activities to implement based on the organization’s compliance requirements, risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for collection, use and disclosure, etc.).

A description of the definition and scope for each of the 130+ privacy management activities identified in the Nymity Privacy Management Accountability Framework.


Although originally designed as a framework for demonstrating accountability, organizations around the world are using the Framework for multiple other purposes including:


Privacy Program and Privacy Management uses:
ico-structuringStructuring the privacy program:

Some organizations, often those with a new privacy program or enhancing their existing program, have found the Nymity Framework™ effective for structuring the privacy program. The may use all 13 Privacy Management Categories or a subset. For example, a North American service provider/data processor many not implement many of the activities within certain Privacy Management Categories as they are not relevant given the nature of their data processing activities.

ico-baseliningBaselining and planning:

Some organizations use the Nymity Framework™ as a checklist to identify existing Privacy Management Activities and for planning the implementation of new ones.


The Nymity Framework™ provides an effective mechanism to compare the privacy program across different areas of the organization, or between two organizations.

ico-shiftingShifting privacy accountability to the business:

Many privacy officers see the need to shift accountability to the business which in turn will allow the organization to cover more risk and incorporate privacy by design throughout the organization. The Nymity Framework™ is used as a structure to ensure the creation and maintenance of “accountability mechanisms” which ultimately empower the business, and ongoing compliance and monitoring of the program.

Using the foundation of existing global policies and guidelines that address regulatory requirements, the Nymity Framework™ is used as a tool to make sure there are procedures, work instructions and guidelines that could be leveraged more globally and in a more scalable, regulatory agnostic and efficient way for the organization.

ico-best-practicesUnderstanding best practices:

Use the framework as a comprehensive and up-to-date listing of privacy management activities. Gain insight into how other organizations are implementing activities to enhance privacy management and to demonstrate accountability.

ico-one-timeConverting one-time compliance projects into sustainable business operations:

Considering the European GDPR compliance efforts as an example, in practice, many companies organized their GDPR project into work packages in order to implement the requirements (whether it is in strategy, assigning responsibilities for the new controls, creating records of processing activities or revisiting notices, policies and procedures). The adoption of the Nymity Framework™ makes it easy to identify a stable and natural home for the controls resulting from work packages and deliverables of a GDPR project.

ico-budgetsPrioritizing investments and justifying budgets:

The Nymity Framework™ helps organizations determine which privacy management activities are most important to assure risk management, privacy compliance and accountability. In turn, this helps organizations justify the prioritization on investments and maximize resources

Demonstrating Accountability

Demonstrate that an effective program is in place and demonstrate accountability for:

ico-communicatingCommunicating privacy and risk:

The Nymity Framework™ provides a common language for privacy management within the organization. This improves understanding among various departments including in IT, operational and functional units such as IT, HR and marketing. It also serves in reporting the status of the privacy program to the Board and other key stakeholders.

ico-reportingRegulatory reporting:

Stand ready to demonstrate accountability, on-demand, with evidence to a Data Protection Authority (DPA) or other privacy regulator. Some organizations are using the Nymity Framework™ to show due diligence, for example in the event of a data breach to demonstrate that the event was an exception that occurred despite a robust program in place to prevent it, as opposed to a systemic issue.

ico-bcr-apec-cbprBCR and APEC CBPR Implementation and Monitoring:

Save time and resources using this Framework when implementing Binding Corporate Rules (BCRs) and APEC Cross Border Privacy Rules in your organization.

ico-managementManagement Reporting:

Report privacy management in a meaningful and simple way to senior management, C-Suite and Board level.

ico-auditAuditing and assessing:

The Nymity Framework™ is also used by organizations to audit and assess privacy management throughout the organization. The Framework has been effective for assembling the necessary documentation and facilitating more effective collaboration between the audit and auditee.


The Nymity Framework™ has been mapped to over 800 privacy laws, international privacy frameworks, guidelines and regulations from around the world and serves as one framework resulting in compliance with multiple obligations. Mapping a multitude of privacy obligations to the Nymity Framework™ has been invaluable to organizations in bridging the gap between policies and procedures and one accountable, efficient, scalable and repeatable privacy management program.


Download Nymity Privacy Management Accountability Framework final in pdf form for history of the Framework, scopes and additional information on it's uses.