NIST Releases Framework for Privacy Risk Management

The National Institute of Standards and Technology (NIST) last week announced version 1.0 of its Privacy Framework, a tool designed to help organizations manage privacy risks.

NIST published a preliminary draft of the Privacy Framework in September 2019, when it requested public feedback. The agency had initially hoped to release version 1.0 by the end of 2019, but it was officially announced only on January 16.

The NIST Privacy Framework is designed to help organizations of all sizes and in all sectors manage privacy risks by focusing on three main aspects: taking privacy into account when developing a product or service, communicating about privacy practices, and cross-organizational collaboration.

The framework has three main parts: the core, profiles, and implementation tiers. The core provides a granular set of activities and outcomes whose goal is to enable internal communication. Profiles represent functions, categories and subcategories from the core that have been prioritized by an organization. Finally, implementation tiers help organizations optimize the resources needed to achieve their target profile.

NIST has pointed out that the Privacy Framework is not a law or regulation, but a voluntary tool that can be used to manage risks and ensure compliance with existing legislation, such as the GDPR and California’s CCPA.

“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” said Naomi Lefkovitz, the senior privacy policy adviser at NIST who led the development of the framework. “If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”

According to Lefkovitz, the framework should also make it easier for organizations to keep up with technology advancements and new uses for data.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” she explained. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

NIST says the Privacy Framework is meant to complement the NIST Cybersecurity Framework, and both will be updated over time.

The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is available in PDF format on NIST’s website.

Related: NIST and Microsoft Partner to Improve Enterprise Patching Strategies

Related: NIST’s Zero Trust Taxonomy Introduces Components, Threats and Migration Routes

Related: NIST Working on Industrial IoT Security Guide for Energy Companies