No. A privacy framework describes a set of standards or concepts around which a company bases its privacy program. Typically, a privacy framework does not attempt to include all privacy-related requirements imposed by law or account for the privacy requirements of any particular legal system or regime. As a result, a company can utilize a privacy framework to build its privacy program or audit its maturity against a privacy framework and yet not be in compliance with specific provisions of data privacy laws. This can occur because a particular privacy law contains additional proscriptive requirements that are not captured by a privacy framework. For example, compare the following provision in ISO 29100:2011 and analogous provisions in the GDPR involving the identification of a point of contact for privacy related concerns:
|ISO 29100:2011 § 5.8
|[I]nclud[e] in notices . . . the identity of the PII controller including information on how to contact the PII controller.
|GDPR Articles 13(a) & 14(a)
|Provide data subjects with “the identity and the contact details of the controller, and, where applicable, of the controller’s representative.”
|GDPR Article 27(1)
|In situations in which a company is subject to the extraterritorial reach of the GDPR, the “controller or processor shall designate in writing a representative in the Union.”
A U.S. company that sells products to individuals in Europe could be compliant with the ISO 29100:2011 requirement by identifying the name of a privacy officer in the United States as a primary point of contact. While it would be complying with some GDPR requirements (i.e., Article 13(a) and/or Article 14(a)), it might not be fully compliant with the GDPR as Article 27 requires a point of contact that is physically in the European Union.