Data privacy is a complex issue in today’s always-connected world. We want our privacy protected, yet willingly share all sorts of personal information in our quest to connect with friends, shop for products, or make dinner reservations. Simultaneously, organizations that collect this information from individuals are recognizing the economic and social challenges of protecting it. Indeed, failure to properly safeguard personal data can negatively impact corporate reputations, customer confidence, and profitability.

What is the NIST Privacy Framework 1.0?

To help organizations engineer better privacy practices, the National Institute of Standards and Technology (NIST) recently released a new framework for improving privacy through Enterprise Risk Management. The agency worked with both public and private stakeholders to create the NIST Privacy Framework 1.0, which is a voluntary tool designed specifically to help organizations:

  • Better identify, assess, manage, and communicate privacy risks when designing or deploying systems, products, and services
  • Foster the development of innovative approaches to protecting individuals’ privacy
  • Increase trust in systems, products, and services

This framework follows the structure of NIST’s popular Cybersecurity Framework, and NIST recommends using the two frameworks in tandem. Both frameworks are composed of three parts: Core, Profiles, and Implementation Tiers. Each component of the Privacy Framework reinforces privacy risk management through enterprise objectives, roles, responsibilities, and privacy protection activities.

  • The Core is intended to enable a dialogue, from the executive level to the implementation/operations level, about important privacy protection activities and desired outcomes.
  • The Profiles are intended to prioritize and manage outcomes and activities to align with organizational privacy values, business needs, and risks, including the current and desired target states of specific privacy activities.
  • The Implementation Tiers are intended to support organizational decision-making and communication about the privacy risks of an organization’s systems, products, or services and its ability to manage such risks with existing processes and resources. This also can be used to communicate internally about resource allocations necessary to progress to a higher tier or as general benchmarks to gauge progress in managing privacy risks.

Who can benefit from the NIST Privacy Framework?

This new framework was developed as a nontechnical guide to privacy and security best practices. And it couldn’t have come at a better time as organizations continue to adapt to new and existing data-handling laws like the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), and the EU’s General Data Protection Regulation (GDPR).

Even if an enterprise already has a robust security strategy in place, a look through the new NIST Privacy Framework is recommended to identify potential gaps and ensure compliance with all applicable privacy-related regulations.

While aimed primarily at members of the C-suite who manage enterprise risks, the Privacy Framework will guide all risk managers to build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio.

The National Institute of Standards and Technology is a nonregulatory agency in the U.S. Department of Commerce. For more about the California Consumer Privacy Act, please download Riskonnect’s e-book, Your Guide to the CCPA. For more on managing risk at an enterprise level, please download Charting a Course for Enterprise Risk Management.