The Privacy Control Conundrum

The article “The Privacy Control Conundrum” by Akhilesh Srivastava, with contributions from R. Jason Cronk, addresses the inadequacies in the current framework of privacy controls within the industry. It highlights a critical gap where well-defined, privacy-specific controls are lacking, leading to confusion and ineffective privacy protection.

The article suggests that the current approach is skewed towards managerial controls, often at the expense of technical and operational measures. It also introduces additional categorizations—system controls (actions taken within systems) and environmental controls (external factors influencing system operations)—to enhance privacy protection strategies.

Ultimately, the article calls for a balanced, layered approach to privacy controls, advocating for a shift away from primarily management-focused strategies. It stresses the need for clear, actionable privacy controls that truly protect individual privacy, as the industry evolves to address growing privacy concerns.


There is a significant gap & glaring absence of well-defined, privacy-specific controls in the industry. Instead of clear, actionable measures, the industry is awash with objectives often mislabeled as controls. This mischaracterization is more than just a semantic issue; it creates confusion and leaves significant gaps in privacy protection.

The situation becomes even more troubling when we look closer at the types of controls that are being promoted. A vast majority of “privacy” controls are heavily skewed towards organizational control and program management. These are the controls that govern the overarching strategies and policies within an organization. While they are important, they do little to directly safeguard privacy. 

The technical and operational controls—the ones that should be at the forefront of privacy protection—are woefully inadequate or primarily focused on security. This imbalance is not just a problem within the widely referenced NIST 800-53 Rev 5 but is a recurring theme across various standards and guidelines from other organizations as well. 

Authors

  • Amazon MIT : AI Implications for Business Strategy A senior leader managing large complex privacy programs at Meta (Facebook), Amazon, and FinTech earlier.

    Privacy Technology and Program Leader

Leave a Reply

Get in Touch!

We are always pleased to hear from you! The IOPD opens its arms proudly to people passionate about privacy. Reach out with questions, comments, and concerns or just to start a conversation...

We are seeking to fill two unpaid positions as members of the IOPD Board of Directors. Terms run for 2 years from appointment. Appointments may be renewed.