The technology sector is constantly evolving and with it, the collection, retention and use of personal data. In the European Union, this is something that GDPR was designed to address. More recently, California has introduced the California Consumer Privacy Act (CCPA) to regulate data privacy. It was perhaps inevitable that US federal agencies would seek to introduce something similar.
So, in January 2020 the National Institute of Standards and Technology (NIST) looked to fill the gap and released the NIST Privacy Framework 1.0. NIST describes it as “A Tool for Improving Privacy through Enterprise Risk Management” which will “help organizations protect individuals’ privacy.” So, what exactly is the framework and what does it mean for businesses?
What does the Framework consist of?
Firstly, the National Institute of Standards and Technology has made clear that the Privacy Framework is designed to be used in parallel with the existing NIST Cyber Security Framework, since privacy issues and cyber security have developed somewhat in tandem. So, if you are familiar with the Cyber Security Framework, you will already have a good head start on the Privacy Framework.
The overarching structure of the two frameworks is similar. Both frameworks have three parts: the core, profiles, and implementation tiers.
· The Core: The core outlines the privacy activities and outcomes that you can use to determine how to manage privacy risk. These are grouped into five broad functions.
· Profiles: Profiles comprise a set of functions, categories and subcategories that your organization has prioritized for privacy risk management.
· Implementation tiers: These are categories you can use to help prioritize and make practical privacy risk management decisions (divided into 4 tiers).
Why does my business need the Privacy Framework?
To be clear, there is no obligation to adopt the Privacy Framework as of now. Nonetheless, it makes good business sense. For a start, businesses that are using the framework are more likely to win the trust of customers, especially with the issue of data privacy becoming ever more prominent.
Secondly, as the pressure to comply with industry standards increases, adopting the Framework is an excellent way to demonstrate compliance.
Thirdly, the Framework is just that – a framework. It is designed to be flexible and to continue developing over time. The assumption is that this is the first of many versions. So, getting on board with it now is a good way to ensure that your business isn’t left behind as industry privacy standards continue to develop and advance.
Is the NIST Privacy Framework a legal requirement?
No, it is not a legal requirement today. It is not a law or a regulation. However, that does not mean it should just be ignored. Far from it. It is a tool, which has been designed to be implemented voluntarily, with the aim of helping organizations to manage their privacy risk. The National Institute of Standards and Technology itself lays out the benefits of the Privacy Framework, saying that it will help organizations with ethical decision-making, to fulfill compliance obligations and to better communicate about privacy practices with stakeholders. In other words, the NIST Privacy Framework is not an obligation, but it is VERY good practice.
It’s just the beginning…
NIST's Cyber Security Framework has become an established tool for information security requirements. It is quite possible that the NIST Privacy Framework will follow suit over time. Should this happen, now is the time to get on board and work out how it can be applied effectively to your business.