The National Institute of Standards and Technology (NIST), perhaps best known in healthcare for its Cybersecurity Framework, has unveiled a tool for managing privacy risk.
Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management is designed to provide a useful set of privacy protection strategies to help organizations improve their approach to using and protecting personal data. The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework.
NIST stresses that its Privacy Framework is not a law or regulation, but rather a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them, such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so.
The Privacy Framework’s executive summary notes that it can help organizations communicate about their privacy practices with individuals, business partners, assessors, and regulators. “Deriving benefits from data while simultaneously managing risks to individuals’ privacy is not well-suited to one-size-fits-all solutions. Like building a house, where homeowners make layout and design choices while relying on a well-engineered foundation, privacy protection should allow for individual choices, as long as effective privacy risk mitigations are already engineered into products and services.”
“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” said Naomi Lefkovitz, a senior privacy policy adviser at NIST and leader of the framework effort, in a prepared statement. “If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”
The Privacy Framework has an overarching structure modeled on that of the widely used NIST Cybersecurity Framework, and the two frameworks are designed to be complementary and to be updated over time. Privacy and security are related but distinct concepts, Lefkovitz said, and merely adopting a good security posture does not necessarily mean that an organization is addressing all its privacy needs.
The Privacy Framework is built around three sections: the Core, which offers a set of privacy protection activities; the Profiles, which help determine which of the activities in the Core an organization should pursue to reach its goals most effectively; and the Implementation Tiers, which help optimize the resources dedicated to managing privacy risk.