While eyes focus on the privacy legislative debate now underway in the United States, the development of a new Privacy Framework by the influential National Institute of Standards and Technology (“NIST”) is also worthy of attention. On May 13-14, 2019, NIST hosted its second workshop on the recently released discussion draft of its “Privacy Framework: An Enterprise Risk Management Tool” (“Privacy Framework”). The workshop brought together stakeholders to provide feedback on the draft and suggest areas for revision. NIST had previously hosted a workshop in October 2018 to kick off the development of the Privacy Framework and had presented its thinking at other fora such as the Brookings Institution.
The discussion draft of the Privacy Framework follows the model of NIST’s Cybersecurity Framework, first released in 2014, which the Federal Trade Commission has acknowledged as a tool that can promote compliance with its data security expectations. Like the Cybersecurity Framework, the draft Privacy Framework outlines outcomes for organizations to pursue, organized around a small set of core functions. NIST’s stated intention is that organizations may choose whether to use the two frameworks together or independently of one another.
The draft Privacy Framework describes five core privacy “functions” for organizations to develop and implement that track the life cycle of an organization’s management of privacy risk:
- Identify (organizational understanding of privacy risk);
- Protect (appropriate data processing safeguards);
- Control (data management measures);
- Inform (communication about data processing activities); and
- Respond (privacy breach mitigation and redress).
Two of these core functions (Control, Inform) have no mapping to NIST Cybersecurity Framework core functions, while two of the Cybersecurity Framework’s core functions (Detect, Recover) have no analogue in the Privacy Framework. NIST officials have stated that some of the core functions currently included in the Privacy Framework may be adjusted following the feedback received from stakeholders during the recent workshop. For example, NIST expects to broaden the “respond” function to account for ongoing privacy concerns, rather than merely isolated events. NIST also plans to refine the terminology adopted in the Privacy Framework.
One aspect of the Privacy Framework that was commended during the recent workshop, and is not expected to undergo significant revisions, is the “Privacy Risk Management Practices” appendix that outlines key steps for organizations to undertake in managing privacy risk. These include organizing preparatory resources, determining privacy capabilities, conducting privacy risk assessments, and creating privacy requirements traceability.
NIST is expected to publish a full summary and a recording of the opening half-day of the workshop in the next couple of weeks.
While achieving compliance with any specific privacy law is not the Privacy Framework’s goal, companies seeking to develop or refine their data governance programs may find that its core practices provide a useful initial foundation. The Privacy Framework is designed to be flexible, offering organizations a non-prescriptive set of outcomes to draw on when addressing privacy risks. These outcomes are intended to be risk-based rather than compliance-based, and to promote good data-governance practices within companies regardless of which regulatory regime applies to them.
In this respect, the Privacy Framework is likely to become an important resource for companies building out their compliance programs for the California Consumer Privacy Act and/or the European Union’s General Data Protection Regulation, and for companies anticipating the eventual enactment of additional federal privacy legislation.