“Like building a house, where homeowners get to choose room layouts but need to trust that the foundation is well-engineered, privacy protection should allow for individual choices, as long as long as effective privacy risk mitigations are already engineered into products and services.” 1
The National Institute of Standards and Technology just announced the release of the Preliminary Draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. In the draft, NIST discusses the current challenges facing organizations when it comes to privacy, due to its broad nature. It is difficult to build directions to achieving privacy because it is not a one-size-fits-all approach. The privacy framework ‘s goal is to be a resource for organizations that communicates privacy in a flexible manner, that can be used by different parts of an organization’s workforce.
One issue relating to the broad nature of achieving privacy that was discussed during development was how to describe the relationship between privacy and cybersecurity and how to address their overlap. There were two options presented for the Privacy Framework Core: one that integrated the NIST Cybersecurity Framework and one that did not. In the end, NIST integrated the Privacy Framework with the Cybersecurity Framework and identified where the two are different, identical, or aligned but with adapted text.
The Privacy Framework is divided into three parts: The Core, Profiles, and Implementation Tiers. The Core is divided into five functions in the Privacy Framework: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P along with their respective categories and subcategories. Next, Profiles are where organizations select and prioritize specific activities and outcomes from the Core to help them manage privacy risk based on their specific needs. This is where the customization comes into play and allows organizations to be flexible and choose paths that fit their needs best. Finally, implementation tiers provide a point of reference for the organization’s decision making. Organizations are encouraged to progress to Tier 2; however, an organization’s privacy risks may require it to achieve Tier 3 or Tier 4, or some part of the highest two tiers.
The framework is designed to enable diverse organizations to implement a new privacy program or improve upon an existing one. It keeps technological innovation and vendor management in mind and provides a way to strengthen accountability at all levels of an organization. This draft is a major step in creating a resource all organizations can use to build a better privacy program.
NIST has released the framework draft for public feedback that can be submitted to [email protected] through October 24, 2019.
1 U.S. Dep’t. Of Commerce, Nat’l Inst. Of Standards & Tech., NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Preliminary Draft 3 (Sep. 6, 2019).