The Privacy Control Conundrum

The article “The Privacy Control Conundrum” by Akhilesh Srivastava, with contributions from R. Jason Cronk, addresses the inadequacies in the current framework of privacy controls within the industry. It highlights a critical gap where well-defined, privacy-specific controls are lacking, leading to confusion and ineffective privacy protection.

The article suggests that the current approach is skewed towards managerial controls, often at the expense of technical and operational measures. It also introduces additional categorizations—system controls (actions taken within systems) and environmental controls (external factors influencing system operations)—to enhance privacy protection strategies.

Ultimately, the article calls for a balanced, layered approach to privacy controls, advocating for a shift away from primarily management-focused strategies. It stresses the need for clear, actionable privacy controls that truly protect individual privacy, as the industry evolves to address growing privacy concerns.


There is a significant gap and a glaring absence of well-defined, privacy-specific controls in the industry. Instead of clear, actionable measures, the industry is awash with objectives often mislabeled as controls. This mischaracterization is more than just a semantic issue; it creates confusion and leaves significant gaps in privacy protection.

The situation becomes even more troubling when we look closer at the types of controls that are being promoted. A vast majority of “privacy” controls are heavily skewed towards organizational control and program management. These are the controls that govern the overarching strategies and policies within an organization. While they are important, they do little to directly safeguard privacy.

The technical and operational controls—the ones that should be at the forefront of privacy protection—are woefully inadequate or primarily focused on security. This imbalance is not just a problem within the widely referenced NIST 800-53 Rev 5 but is a recurring theme across various standards and guidelines from other organizations as well.

Authors

  • A senior leader who has managed large, complex privacy programs at Meta (Facebook) and Amazon, and earlier in FinTech. MIT: AI Implications for Business Strategy.

    Privacy Technology and Program Leader
