NIST Privacy Framework Update
In September, the National Institute of Standards and Technology (“NIST”) released the preliminary draft of the NIST Privacy Framework (“Privacy Framework”). NIST partnered with stakeholders from the public and private sectors to develop the Privacy Framework. The Privacy Framework is modeled on, and designed to work in tandem with, the NIST Cybersecurity Framework. Like the Cybersecurity Framework, the Privacy Framework is voluntary and utilizes a risk-based approach to address an organization’s privacy needs. By using a risk-based approach as the cornerstone, the Privacy Framework can be used by any organization, regardless of size, complexity, or industry. Because the Privacy Framework is designed for widespread use, it is agnostic to any particular law, industry, jurisdiction, or technology. The Privacy Framework is designed to assist organizations in a variety of ways, including the following:
- Mapping to Informative References: NIST is in the process of mapping the Privacy Framework to other relevant NIST guidance (e.g., NIST Security and Privacy Controls for Information Systems and Organizations, SP 800-53 Rev. 5) and anticipates developing mappings for industry sectors and for privacy laws and regulations.
- Strengthening Accountability: Organizations can use privacy risk assessments to direct their privacy risk management operations and processes by engaging all levels of the organization in the process of privacy accountability.
- Establishing a Privacy Program: The enactment of the General Data Protection Regulation (“GDPR”) and the California Consumer Protection Act of 2018 (“CCPA”) required many organizations to consider privacy compliance in their corporate risk positions for the first time. Through the Privacy Framework, NIST developed a “ready, set, go” model for such organizations to support the creation of a new privacy program or improvement of an existing program.
- Information and System Development Lifecycle: Organizations can use privacy risk assessments to better understand how data is processed during the entire information and system development lifecycle: creation/collection, processing, dissemination, use, storage, and disposition/destruction/deletion. By better understanding these processes, organizations are better positioned to anticipate privacy risks and take appropriate proactive steps.
The preliminary draft also contains several example case studies of how organizations could use the Privacy Framework to address their own diverse and unique privacy needs. In the current evolving privacy-regulatory environment, the Privacy Framework is aptly positioned to assist organizations with creating, or improving on, a strong privacy risk management program.