On January 16, the Commerce Department’s National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework: A Tool for Privacy Through Enterprise Risk Management. The product of a two-year consultation process with private-sector and public-sector stakeholders, the Privacy Framework sets out a group of voluntary standards and methods to help companies of all sizes in (i) “[t]aking privacy into account as they design and deploy systems, products, and services that affect individuals”; (ii) “[c]ommunicating about their privacy practices”; and (iii) “[e]ncouraging cross-organizational workforce collaboration—for example, among executives, legal, and information technology (IT)” personnel in the “achievement of [privacy] outcomes.” The Framework is thus intended to assist companies in “[b]uilding customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole”; “[f]ulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment”; and “[f]acilitating communication about privacy practices with individuals, business partners, assessors, and regulators.”

Like its predecessor, the NIST Cybersecurity Framework, the NIST Privacy Framework is likely to prove influential with regulators and policymakers around the globe. As the collection and processing of data about individuals becomes more central to the business models of companies across the economy—and as the varieties of personal data available continue to expand—the Privacy Framework offers companies an important resource to think more systematically about their privacy practices, the risks those practices may create, and the most sensible strategies for addressing those risks.

Core, Profiles, Implementation Tiers

Like the Cybersecurity Framework, the Privacy Framework consists of three components: a Core, Profiles, and Implementation Tiers.

The Core identifies “an increasingly granular set of activities and outcomes that enable a dialogue about managing privacy risk,” grouped into five broad functional categories: Identify, Govern, Control, Communicate, and Protect:

  • Identify: these activities address “[i]nventorying the circumstances under which data are processed, understanding the privacy interests of individuals directly or indirectly served or affected by an organization, and conducting risk assessments enable an organization to understand the business environment in which it is operating and identify and prioritize privacy risks.”
  • Govern: these activities address “establishing organizational privacy values and policies, identifying legal/regulatory requirements, and understanding organizational risk tolerance that enable an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.”
  • Control: these activities address developing and implementing “appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.”
  • Communicate: these activities address how organizations can develop a “reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.”
  • Protect: these activities address “data protection to prevent cybersecurity-related privacy events” and “the overlap between privacy and cybersecurity risk management.”

The Profiles section of the Framework explains how organizations can assess their current privacy practices, develop a set of target practices depending on their goals, and make a plan to get from their current practices to their goals. This section thus highlights that the Framework is less about particular requirements or practices and more about establishing a process and a common vocabulary for addressing privacy issues as they evolve.

The Framework’s Implementation Tiers—partial, risk-informed, repeatable, and adaptive—are notional categories of increasing sophistication in addressing privacy risks that are designed to help companies assess how they stand in their privacy risk management efforts and how they can make those efforts more effective.

Next Steps

The developers of the Privacy Framework considered more than 125 other sets of privacy guidance documents as well as legal and regulatory frameworks from around the world. As with the Cybersecurity Framework, NIST will be developing profiles tailored to particular industries in order to help companies make use of the Framework, crosswalks to various laws and regulatory frameworks, and best-practice tools. On January 29, NIST will be holding a two-hour webinar to explain the Framework and how it can be used to develop privacy risk management practices.