On January 16, 2020, the National Institute of Standards and Technology (NIST) released its Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (the “Privacy Framework”) Version 1.0.[1]
The NIST Privacy Framework is not a law or regulation, but rather a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them, such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so.
NIST initially released a draft version of the Privacy Framework for public comment in September 2019. Among the key goals on which it sought feedback were whether the Framework: (1) adequately addressed privacy practices currently in use, including widely used voluntary consensus standards; (2) enabled organizations to use it in conjunction with the Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”)[2] to collaboratively address privacy and cybersecurity risks; and (3) enabled organizations to adapt to privacy risks arising from emerging technologies such as the Internet of Things and artificial intelligence.[3]
After incorporating feedback from industry subject matter experts, version 1.0 of the Privacy Framework aims to support organizations in fostering customer trust by promoting ethical, privacy-focused decision making, fulfilling compliance obligations, and facilitating communication about privacy practice with individuals, business partners, assessors, and regulators.
The Privacy Framework provides a common language for understanding, managing, and communicating privacy risk. Its flexibility and interoperability allow it to be used by a business of any size in any data processing ecosystem. Additionally, it can be used to identify and prioritize actions for reducing privacy risk, while serving as a tool for managing that risk across the different sectors of an organization.
The Privacy Framework uses a structure similar to the Cybersecurity Framework to facilitate the use of both frameworks in tandem. Like the Cybersecurity Framework, the Privacy Framework comprises three parts: the Core, Profiles, and Implementation Tiers (“Tiers”).
The Core is a set of privacy activities and outcomes that allows priorities related to those activities and outcomes to be communicated across an organization, from the C-suite level to the operations level. The Core comprises five Functions that organize foundational privacy activities at their highest level. They aid an organization in expressing its management of privacy risk by understanding and managing data processing, enabling risk management decisions, determining how to interact with individuals, and improving by learning from previous activities. The Functions are then broken down into Categories and Subcategories, which are discrete outcomes for each Function. The five high-level Functions for managing privacy risks arising from data processing are:
- Identify-P. Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
- Govern-P. Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
- Control-P. Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
- Communicate-P. Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
- Protect-P. Develop and implement appropriate data processing safeguards.
Profiles are a selection of specific Functions, Categories, and Subcategories from the Core that an organization has prioritized to help it manage privacy risk. They represent the organization’s ongoing privacy activities/desired outcomes. When developing a Profile, an organization will review all of the activities/outcomes in the Core to determine which to focus on based on a number of factors, including the business mission, data processing ecosystem roles, types of data processing, and the privacy needs of individuals.
Profiles can be used to identify opportunities for improvement, to conduct self-assessments, and to communicate within an organization about how privacy risks are managed. Organizations are encouraged to develop target Profiles, to identify gaps between those targets and their current practices, and to identify which actions need to be adjusted to achieve their target goals.
Tiers provide a reference point for how organizations view specific privacy risks, and for determining whether sufficient controls, processes, and resources are in place to handle those risks. Tiers support decision making about how to manage privacy risks, and allow organizations to communicate internally about the allocation of resources needed to progress to the next Tier.
The four Tiers are defined as Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4). Based on the specific needs of an organization, it is not necessary to progress to Tier 4 in all areas. Successful implementation of the Privacy Framework is contingent upon achieving the desired outcomes set in an organization’s target Profile.
Additionally, the Privacy Framework lays out best practices organizations should use to achieve their goals under the Privacy Framework, including mapping to informative references, strengthening accountability, establishing a “ready, set, go” privacy program, applying the system development life cycle, identifying the organization’s role within a data processing ecosystem, and informing buying decisions.
Because the Privacy Framework is not a law or regulation, its purpose is not to enforce compliance with federal or state regulatory requirements. Rather, it serves as the structure into which privacy professionals can insert the controls necessary for their organization to become, and remain, compliant with applicable privacy law. The Privacy Framework allows organizations of all sizes to better map privacy and compliance requirements, while remaining flexible enough to modify the privacy program at every level. This inherent flexibility eliminates the need to overhaul an organization’s privacy program every time a new restrictive regulation is passed. Widespread adoption of the Privacy Framework by businesses will also help raise the standard for privacy protection generally, and ultimately create a safer environment for the individuals those organizations serve.
Much like the Cybersecurity Framework, it is likely the Privacy Framework will be adopted as the foundation organizations use to build their privacy program from the ground up. The ease with which the Privacy Framework can be tailored for any business makes it ideal for the ever-changing regulatory landscape in which organizations must operate.
[2] The Cybersecurity Framework was initially published in 2014, and revised during 2017 and 2018, with version 1.1 being released in April 2018. The Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for organizations to better manage and reduce cybersecurity risk. https://www.nist.gov/cyberframework/new-framework#background.