NIST’s Privacy Framework: An Enterprise-Wide Approach to Protecting Individual Privacy
In January, NIST launched version 1.0 of its Privacy Framework, a voluntary tool to help organizations identify and manage privacy risk in their products and services while protecting their customers' individual privacy.
The Framework considers privacy events as “potential problems arising from system, product, or service operations with data, whether digital or not, through a complete life cycle from data collection through disposal.”
Yet Another Framework?
Today’s landscape is inundated with cybersecurity-related frameworks, so the natural question is, “Why another framework?”
NIST's answer is simple: a) to build customer trust, b) to fulfill compliance obligations related to privacy, and c) to facilitate communication around potential and known privacy issues. Existing cybersecurity frameworks do not cover these issues from a privacy perspective.
The Framework itself is designed to be ‘agnostic,’ with the goal of facilitating conversation from the executive level to the engineer level, as well as with auditors, to ensure business and regulatory requirements related to privacy are being met.
Individual and Corporate Risk
Cybersecurity is a well-known and widely discussed topic in 2020, but privacy risk has sources that go beyond purely cyber-related risks.
Privacy issues can impact individual experiences directly in the form of embarrassment, discrimination, or even economic loss. However, all these risks ultimately impact the business in the form of customer abandonment, noncompliance costs, reputational harm, or decline of company culture. Therefore, NIST has taken an enterprise-wide risk management approach with the Framework.
Privacy Framework Composition
NIST's approach to the Framework is intentionally similar to that of its Cybersecurity Framework ("CSF"). The Framework is made up of a Core, Profiles, and related Implementation Tiers, explained briefly below:
- Core – Provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risks.
- Profiles – Enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks.
- Implementation Tiers – Support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk.
Cybersecurity Framework Alignment
As we covered above, there is some overlap between the NIST CSF and the Privacy Framework. The following diagram shows the crossover between the two ("cybersecurity-related privacy events"), the privacy breach risks that are addressed through alignment.
Alignment with Other Frameworks
With the arrival of GDPR in the EU and the California Consumer Privacy Act (CCPA), HORNE Cyber thought it would be helpful to think through how the Privacy Framework could fit into your organization's needs.
GDPR requires privacy impact assessments and risk assessments, especially around broad monitoring of public spaces or the publishing of large amounts of sensitive data. The Privacy Framework can help you think through the control activities your business would need to put in place to meet those requirements.
Even within the limited scope of CCPA, obligations to provide access to, correction of, and opt-out from data collection can be greatly clarified by using the Framework as a guiding tool to make informed decisions about what data your business collects and keeps.
However, one of the biggest differences between the Privacy Framework and CCPA or GDPR is that the Framework seeks to change the conversation, treating privacy not as a compliance-focused exercise but as a foundation of processes focused on adaptability in an ever-changing privacy landscape.
More and more states and federal agencies are considering privacy frameworks. NIST is poised to provide an underlying framework for handling individual privacy.