NIST Releases Framework for Privacy Risk Management
The National Institute of Standards and Technology (NIST) last week announced version 1.0 of its Privacy Framework, a tool designed to help organizations manage privacy risks.
NIST published a preliminary draft of the Privacy Framework in September 2019 and requested public feedback on it. The agency had initially hoped to release version 1.0 by the end of 2019, but it was officially announced only on January 16.
The NIST Privacy Framework is designed to help organizations of all sizes and in all sectors manage privacy risks by focusing on three main aspects: taking privacy into account when developing a product or service, communicating about privacy practices, and cross-organizational collaboration.
The framework has three main parts: the core, profiles, and implementation tiers. The core provides a granular set of activities and outcomes whose goal is to enable internal communication. Profiles represent functions, categories and subcategories from the core that have been prioritized by an organization. Finally, implementation tiers help organizations optimize the resources needed to achieve their target profile.
NIST has pointed out that the Privacy Framework is not a law or regulation, but a voluntary tool that can be used to manage risks and ensure compliance with existing legislation, such as the GDPR and California’s CCPA.
According to Lefkovitz, the framework should also make it easier for organizations to keep up with technology advancements and new uses for data.
“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” she explained. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”
NIST says the Privacy Framework is meant to complement the NIST Cybersecurity Framework, and both will be updated over time.
The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is available in PDF format on NIST’s website.