The National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, which follows the structure of the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The Privacy Framework acknowledges that failure to manage privacy risks can have direct adverse consequences at both the individual and societal levels, with follow-on effects on organizations’ brands, bottom lines, and future prospects for growth. As the Framework puts it: “Finding ways to continue to derive benefits from data processing while simultaneously protecting individuals’ privacy is challenging, and not well-suited to one-size-fits-all solutions.”
The Framework includes three parts: Core, Profiles, and Implementation Tiers.
The “Core” is designed to enable a dialogue among the various stakeholders, from the executive level to the implementation/operations level, and sets forth activities and outcomes, including:
- Functions: organize foundational privacy activities; the five Functions are Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P
- Categories: subdivision of a Function into groups of privacy outcomes
- Subcategories: subdivision of a Category into specific outcomes of technical and/or management activities
Profiles can be used to describe the current state and the desired target state of specific privacy activities. They are designed to enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risk.
Implementation Tiers support organizational decision-making and communication about how to manage privacy risk by taking into account the nature of the privacy risks engendered by an organization and the sufficiency of the organization’s processes and resources to manage such risks. The Framework specifies four Tiers that recognize a progression in managing privacy risks: (1) Partial, (2) Risk Informed, (3) Repeatable, (4) Adaptive.
The NIST Framework offers flexible and useful practices that can be adopted as appropriate by entities engaging in personal data processing activities. In its accompanying Roadmap for advancing the Privacy Framework, NIST seeks continued collaboration with its stakeholders from government, academia, and industry on privacy risk management, including in the following priority areas for development, alignment, and collaboration: (1) Privacy Risk Assessment, (2) Mechanisms to Provide Confidence, (3) Emerging Technologies (IoT and AI), (4) De-Identification Techniques and Re-identification Risks, (5) Inventory and Mapping, (6) Technical Standards, (7) Privacy Workforce, and (8) International and Regulatory Aspects, Impacts and Alignment.
Take note that while privacy standards are still in their infancy, they can be useful tools for showing that an entity is committed to privacy and has engaged in industry best practices. Additional privacy management standards include ISO/IEC 27701 (Security techniques for privacy information management), ISO/PC 317 (Consumer protection: privacy by design for consumer goods and services), and IEEE P7002 (Data Privacy Practices); the International Association of Privacy Professionals also has a Privacy Engineering Section. Which one(s) will you follow?