The National Institute of Standards and Technology (NIST) recently released its draft Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework).
What is the NIST Privacy Framework?
First, let’s begin with what is NIST? NIST was founded in 1901 and is now part of the U.S. Department of Commerce. According to the NIST website, it is one of the nation’s oldest physical science laboratories, involved in a variety of industries and technologies, from nanomaterials to the smart electric power grid. NIST’s Information Technology Laboratory focuses on the priority areas of Cybersecurity, Internet of Things, and Artificial Intelligence. NIST Security Standards are well known in the cybersecurity field.
The Privacy Framework is a voluntary tool to help organizations and to “foster the development of innovative approaches to protecting individual’s privacy; and increase trust in systems, products, and services.” With the release of the Privacy Framework, NIST recognizes that privacy risks and cybersecurity risks are interconnected, and the Privacy Framework provides a flexible tool that can be used to explore that interconnection.
What Can Organizations Do with the NIST Privacy Framework?
In Section 3.0 of the draft Privacy Framework, it states that “the Privacy Framework can assist an organization in its efforts to optimize beneficial uses of data and the development of innovative systems, products, and services while minimizing adverse consequences for individuals. The Privacy Framework can help organizations answer the fundamental question, ‘How are we considering the impacts to individuals as we develop our systems, products, and services?’”
According to the draft, the Privacy Framework can be used for risk management, to strengthen accountability within an organization, and to establish or improve a privacy program. From a practical standpoint, privacy concerns can be incorporated into product development, service delivery, and supply chain management. Organizations may be able to use the Privacy Framework as they seek to mitigate privacy risks in the development of products and services as well as when they store, collect, process, or sell data. Considering the impact to individual privacy in the development of new technology is a key to protecting that privacy.
NIST is accepting public comments on the draft Privacy Framework until 5 p.m. EST on October 24, 2019.