The U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) has now released the preliminary draft of the “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” NIST is seeking comments on the preliminary draft of the Privacy Framework and plans to use these comments to develop version 1.0 of the Privacy Framework. Comments are due by 5:00 p.m. ET on October 24, 2019.
NIST developed the voluntary Privacy Framework in collaboration with private and public stakeholders and intends for it to be widely usable across industries, organizations, and jurisdictions. The Privacy Framework is based on the structure of the NIST Cybersecurity Framework so that the two frameworks can be used together.
The preliminary draft incorporates feedback that NIST received from stakeholders starting when it released a Request for Information in 2018. Discussions with stakeholders covered topics such as how to incorporate cybersecurity risk management into the Privacy Framework and whether the Privacy Framework and Cybersecurity Framework should have overlapping Functions (discussed below) regarding data security. Because stakeholders had varying preferences based on differences in their organizations’ approach to privacy, the preliminary draft aims to provide flexibility in using the Privacy Framework.
Understanding Privacy Risk
The preliminary draft seeks to provide users with an understanding of the unique aspects of privacy risk management. It notes that cybersecurity risk management can help address some privacy risk, such as in the event of a data breach, but such management is not sufficient to address all privacy risks. Instead, privacy risk management must take into account potential problems that could result from system, product, or service operations with data. These problems, the draft notes, may range from “dignity-type effects such as embarrassment or stigmas to more tangible harms such as discrimination, economic loss, or physical harm.” Once the potential problem is identified, an organization can use the Privacy Framework to conduct an assessment of the privacy risk and organizational risk involved in order to drive the decision-making process.
The Privacy Framework
The Privacy Framework is intended to guide businesses through a risk- and outcome-based assessment and improvement process. The preliminary draft is organized around three parts: the Core, Profiles, and Implementation Tiers.
- Core: The Core includes “a set of activities and outcomes that enable an organizational dialogue about managing privacy risk.” It is divided into five Functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. The first four are targeted at privacy risks from data processing. The last is for privacy risks arising from privacy breaches and can be used in conjunction with the Cybersecurity Framework Functions to address privacy and cybersecurity risks. The Functions each have associated Categories (privacy outcomes closely tied to programmatic needs and particular activities) and Subcategories (specific outcomes). NIST developed a preliminary mapping of the Core and its Subcategories based on key relevant NIST guidance.
- Profiles: Profiles are an organization’s current privacy activities or desired outcomes. The selection of a Profile follows a review of the Functions, Categories, and Subcategories “based on business/mission drivers, types of data processing, and individuals’ privacy needs.” Organizations can create a Current Profile and a Target Profile to assist in improving privacy practices by moving towards the Target Profile. Additionally, separate profiles can be used for specific organizational components, systems, products, services, or categories of individuals.
- Implementation Tiers: Implementation Tiers serve as a reference point for the organization’s views on privacy risk and whether it has the resources and processes necessary to manage that risk. The four tiers range from informal and reactive responses to agile and risk-informed approaches. Tier selection should be based on the organization’s “Target Profile and how this relates to current risk management practices; its data processing systems, products, or services; legal and regulatory requirements; business/mission objectives; organizational privacy values and individuals’ privacy needs; and organizational constraints.”