TOPICS: Data Protection, Privacy Risk Management, Privacy by Design, NIST
The US National Institute for Standards and Technology ("NIST") has released a preliminary draft of its privacy framework for comments.
Titled "Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management", the draft was developed in collaboration with private and public stakeholders and aims to provide a voluntary framework that will enable businesses to derive benefits from data, while simultaneously protecting individuals' privacy.
The NIST privacy framework is based on the structure of its 2014 Cybersecurity Framework and is designed to facilitate the use of both frameworks together. As is the case with the Cybersecurity Framework, it is composed of three parts, each designed to reinforce enterprise privacy risk management, including its implementation. The objective is to support enterprise decision-making regarding the sufficiency of organizational processes and resources to manage privacy risks.
The draft relies on the assumption that privacy frameworks are not well suited to one-size-fits-all solutions, and that each business should pinpoint its unique profile in order to effectively manage and mitigate risks. The draft is designed to provide a common language for understanding and managing risks, while ensuring enough flexibility to address diverse privacy needs. The draft is also concerned with enabling innovation, such as IoT products, through the implementation of privacy by design approaches which
The framework aims to be beneficial for businesses and organizations of all sizes and industries, regardless of their role in the data processing ecosystem, and can serve as the foundation for new privacy protocols and procedures or for improving existing protocols, by supporting the identification of gaps in the organization's practices.
In requesting public comments, NIST wishes to obtain stakeholders' validation in order to ensure that the framework adequately defines the relationship between privacy and cybersecurity. This is intended to enable cost-effective implementation that is inclusive of, and not disruptive to, effective privacy practices currently in use.
If widely implemented, the so-called voluntary privacy framework, or parts of it, might conceivably become a binding industry standard to be used by organizations in various industries. In a similar vein, we previously reported that the ISO has released the first International Standard to help organizations manage privacy information and meet regulatory requirements. We would be happy to provide guidance concerning NIST's new Privacy Framework and its implementation.
This update was published as part of our Technology & Regulation monthly client update.