NIST Shares Enterprise Risk Management Privacy Framework

Privacy guidance from NIST shows organizations how to leverage risk management to improve the approach to protecting sensitive data, as well as clarifying privacy risk management concepts.

By Jessica Davis

NIST recently released its privacy framework, designed to provide organizations with privacy protection strategies that improve their current methods for using and protecting sensitive data, while clarifying privacy risk management concepts.

The guide is also designed to help organizations identify the privacy outcomes they want to accomplish and prioritize steps to achieve those privacy goals.

Version 1.0 of NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management was created from an earlier draft version as part of a collaboration with industry stakeholders. The structure follows the NIST Cybersecurity Framework, which is complementary to the privacy guide.

According to researchers, the framework can enable improved privacy engineering practices that support privacy-by-design concepts. Organizations can also find support in building consumer trust through ethical decision making in product and service design, minimizing adverse consequences for individuals’ privacy and security.

Further, the guide provides insight into fulfilling compliance obligations, while “future-proofing products and services to meet these obligations in a changing technological and policy environment.” It also sheds light on how to facilitate communication on privacy practices with individuals, business partners, assessors, and regulators.

While the HIPAA Privacy Rule is specifically targeted to the healthcare sector, many industry stakeholders have noted the 20-year-old rule is missing some critical aspects for the digital age. Congress has targeted some of those gaps in several privacy proposals over the past year, given a host of massive data and privacy breaches.

For NIST, the new privacy guidance targets the current privacy landscape.

“Privacy is more important than ever in today’s digital age,” Under Secretary of Commerce for Standards and Technology and NIST Director Walter Copan said in a statement.

“The strong support the Privacy Framework’s development has already received demonstrates the critical need for tools to help organizations build products and services providing real value, while protecting people’s privacy,” he added.

While the privacy guidance is voluntary, NIST stressed that the tool can be leveraged to demonstrate compliance with privacy laws, such as the California Consumer Privacy Act or the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act.

Organizations can also find building blocks to achieve their privacy goals, including ways to increase consumer trust through better privacy-protected services or products, explained Naomi Lefkovitz, a senior privacy policy adviser at NIST and leader of the framework effort.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years,” Lefkovitz said in a statement, “or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit.”

“That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks,” she added.

The framework is broken down into three key areas: the core provides a set of privacy protection activities; profiles help organizations choose the core activities applicable to their privacy goals; and tiers help organizations optimize the resources dedicated to privacy risk management.

NIST officials said they intend to continue building on the framework to ensure its benefit to organizations.

Digital privacy risk management is a comparatively new concept, Lefkovitz explained. Privacy and security are related but distinct concepts, and an organization with a strong security posture may not be addressing all of its privacy needs.

“People continue to yearn for more guidance on how to do privacy risk management,” she added. “We have released a companion roadmap for the framework to point the way toward more research to address current privacy challenges, and we are building a repository of guidance resources to support implementation of the framework.”