NIST Releases Privacy Framework v1.0
On January 16, 2020, the National Institute of Standards and Technology ("NIST") published its long-awaited Privacy Framework Version 1.0, which aims to provide a "set of privacy protection strategies for organizations that wish to improve their approach to using and protecting personal data."
As the NIST press release describes:
The NIST Privacy Framework is not a law or regulation, but rather a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them, such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so.
At a basic level, the Privacy Framework provides three main parts, broken down as follows:

1. Core
   - Provides an increasingly granular set of activities and outcomes that enable a dialogue about managing privacy risk
   - Comprised of Functions, Categories, and Subcategories
   - The five Functions of the Privacy Framework are:

2. Profiles
   - "Profiles are a selection of specific Functions, Categories, and Subcategories from the Core that an organization has prioritized to help it manage privacy risk. Profiles can be used to describe the current state and the desired target state of specific privacy activities"

3. Tiers
   - Support organizational decision making on how to manage privacy risk
   - Four distinct Tiers: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4)
Ultimately, organizations will be able to use the Privacy Framework to help "optimize beneficial uses of data and the development of innovative systems, products, and services while minimizing adverse consequences for individuals." Together, the Privacy Framework and the Cybersecurity Framework will be a valuable resource for companies dealing with legal and regulatory complexities in an increasingly data-centric world (the Privacy Framework notes that it follows the structure of the Cybersecurity Framework).
. . .