The US National Institute of Standards and Technology's (NIST) recently released Privacy Framework can help your organization define privacy goals, identify privacy risks, and optimize the use of personal information while limiting privacy violations. The framework is not a law or standard; it is a free tool, similar to NIST's Cybersecurity Framework.
Although many security professionals are familiar with cybersecurity, privacy presents new and fluid challenges. Attitudes toward privacy vary from person to person and change over time. New products and services often provide new ways to violate privacy, and the regulatory environment changes rapidly in response to perceived privacy threats.
Many organizations are already required to comply with the GDPR and the CCPA and are likely to be subject to many proposed regulations. NIST's Privacy Framework is a sort of how-to guide to privacy risk management. It can help your organization navigate this fluid environment without losing the trust of your customers and employees or running afoul of new regulations.
Here's what your team needs to know about the NIST Privacy Framework, and how to put it to work in your organization.
New challenges, new guidance
New regulations pose new challenges, including an expanded definition of personal information that must be protected. You also need to consider new rights for data subjects—the people whose information is collected and used—to know what's being collected, how it is used, and how it is shared.
Data subjects may also be required to opt in to allow collection and use, or be allowed to opt out.
Expanded pool of sensitive information
We are used to protecting personal information such as names and addresses, government-issued identifiers such as Social Security numbers and document locator numbers, financial information and account numbers, and medical information. But now you have to worry about employment and education history, biometric information, third-party cookies, browser histories, and more.
Access rights
The rights granted to data subjects varies from regulation to regulation. Generally, however, organizations should expect to disclose when and how they collect personal information and to honor opt-in and opt-out decisions.
They may also have to have a "legitimate purpose" for collecting and using the data and disclose that purpose, the source of the data, and the retention period. Data subjects may be able to ask for copies of the personal information collected about them and amend, correct, or delete it.
Purpose control
Organizations required to disclose the purpose of data processing will also need to make sure that the purpose is one to which data subjects are willing to give consent.
Most people are willing to share personal information in return for something of value—a job, a bank loan, a discount on groceries, or free real-time traffic information. But they will only share information with organizations that they trust will not use the data for purposes for which they do not approve.
Your organization will probably have to disclose whether they share, transfer, or sell personal information to third parties, and if so, you'll need to name those third parties. You may also be required to ensure that third parties are complying with the new regulations.
Cybersecurity is hard enough in its own right; adding privacy risk management and regulatory compliance is a serious challenge. NIST says that its Privacy Framework will help organizations identify and mitigate the new privacy risks.
Use only what applies to your needs
The framework is intended to be regulation-agnostic. It includes privacy requirements drawn from the GDPR and CCPA, but you can adapt it to include new requirements as new regulations come into effect.
It is flexible, in that organizations select their own goals, activities, and compliance levels. If your organization must comply with the GDPR but not the CCPA, you may be able to ignore any CCPA-specific requirements.
The organization of the Privacy Framework is similar to that found in the Cybersecurity Framework, and the two may be used together. Both frameworks have three parts: the core, profiles, and implementation tiers.
The core framework: Managing private risk
The core describes privacy activities and outcomes that you can use to determine how to manage privacy risk. The activities and outcomes are grouped into five functions: Identify-P, Govern-P, Control-P, Communicate- P, and Protect-P. (The "P" in each function name is used to distinguish the Privacy Framework's functions from similar Cybersecurity Framework functions.)
Each function, in turn, is divided into categories and subcategories.
As an example, Identify-P is the goal-gathering information needed to do a privacy risk assessment. Identify-P categories include inventorying and mapping data processing, and understanding the privacy risks to individuals. Subcategories include identifying potential problematic data actions and associated problems, and identifying, prioritizing, and implementing risk responses.
NIST recommends that organizations using the Privacy Framework to map informative references to the subcategories they choose to use. These references could be standards, laws, regulations, best practices, technical guidance, tools, or anything else that will help your organization determine which activities or outcomes to prioritize. NIST maintains a repository of informative references to support the use of its Privacy Framework.
Profiles: Prioritize your risk management
Privacy Framework profiles consist of a set of selected functions, categories, and subcategories that your organization has chosen to prioritize for privacy risk management.
Your organization may choose to compare a current profile of outcomes it already gets to a target profile outlining its privacy goals. Organizations might also develop a profile of outcomes that they require a third party to achieve before sharing or transferring data to that party.
Implementation tiers: Where to jump in
The final component of the framework is a set of four implementation tiers your organization can use to help make pragmatic privacy risk management decisions. These include:
- Tier 1: Partial—Limited awareness; no formalized privacy process; ad hoc risk assessment
- Tier 2: Risk-informed—Awareness of privacy risk informs process, but no formal organization-wide privacy policies
- Tier 3: Repeatable—Formal policies; organization-wide privacy risk management
- Tier 4: Adaptable—Continuous privacy improvement; the relationship between privacy risk and organizational objectives is clear
Different organizations face different risks and have different financial and resource constraints, which will affect the tier they choose to achieve. NIST recommends that most organizations reach at least Tier 2.
How to put it all to use
The Privacy Framework won't tell your organization exactly what it needs to do to protect privacy, but it can help you to define reasonable steps to improve your privacy practices and move toward compliance with applicable regulations.
Additionally, just as NIST's Cybersecurity Framework has become a common language for information security requirements, the Privacy Framework may fill a similar role for privacy compliance.
It can serve as an easily understood method for demonstrating regulatory compliance, assuring constituents that the organization is protecting their privacy rights and defining privacy requirements for any third parties with which the organization will share personal information.
Ultimately, whether NIST's Privacy Framework is the best way to manage your privacy risk is up to you, but this free tool from an authoritative source is certainly worth looking into.
