NIST releases version 1.0 of its privacy framework

In response to an increasingly complex data privacy regulatory environment, the National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework, subtitled “A Tool for Improving Privacy Through Enterprise Risk Management.” NIST intends the framework “to be widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction.” Given that current privacy regulations apply to a host of different industries, the NIST framework was built to help all organizations create a foundation for their data privacy practices and quickly adapt to the various compliance requirements.

NIST Privacy Framework overview

Somewhat similarly to how the International Organization for Standardization (ISO) 27701 guideline for privacy information management is an extension of ISO 27001; the NIST Privacy Framework was built with the same structure as the NIST Cybersecurity Framework (CSF), allowing the two to be used together and resulting in a more innovative and effective solution.

The framework is made-up of three components: the Core, Profiles and Implementation Tiers.

• The Core is built to allow collective communication from the C-suite to the technical team about the privacy activities and outcomes that are of biggest importance to the organization. The framework defines five key Functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, each with their own categories and subcategories adding granularity along the way. (Those familiar with the NIST CSF should recognize these terms). These elements work together to provide a holistic view of the privacy activities needed within an organization. The terminology and acronyms allow consistent communication across departments and teams.
• The Profile allows the organization to assess their “as-is” state and set a clear target, or “to-be” state using the Core. Organizations can use the Core to create their “as-is” Profile – assessing existing processes and capabilities against the categories and subcategories prescribed under each Function. The next step is to create the “to-be” or target profile. It is important to note that NIST points out “organizations may not need to achieve every outcome or activity reflected in the Core” and it is for these reasons that there are no template Profiles provided.
• The Implementation Tiers, or “Tiers,” provide a basis for the maturity of the processes and resources in place at an organization to manage privacy risk. The Tiers are meant to assist organizations in determining how mature their privacy practices should and need to be using a risk-and-outcome-based approach. There are four Implementation Tiers: Tier 1 - Partial, Tier 2 - Risk Informed, Tier 3 - Repeatable, and Tier 4 - Adaptive. Similarly to Profiles, organizations may not need to achieve the highest Tier; although NIST does state that most organizations should strive to be at least at Tier 2.

Overall, the NIST Privacy Framework is easy to understand and meant to provide organizations with a roadmap for managing privacy risk. While privacy will always be associated with compliance, the new laws and regulations go far beyond having appropriate documentation. Using a framework such as this to embed privacy from the beginning of a new project helps to ensure that principles such as collection, minimization, sharing and even monetization are responsibly considered.

Steps to take now

While accepting a privacy framework is a great step to creating a sustainable privacy program it will not guarantee compliance with the variety of privacy regulations that exist. Regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) include some select requirements that are not specifically addressed by the NIST Privacy Framework. For this reason, before adopting any framework, organizations should perform a privacy assessment to determine what their personal processing activities are and whose personal data they process. This will provide the organization the information necessary to determine what, if any, privacy regulations apply and allow the organization to identify and adopt a privacy framework that aligns well with its regulatory exposure and the organization’s goals.

For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.