The National Institute of Standards and Technology (‘NIST’) published, on 9 September 2019, a notice requesting comments on the preliminary draft of the NIST Privacy Framework: a Tool for Improving Privacy through Enterprise Risk Management (‘the Draft Privacy Framework’). In particular, the Draft Privacy Framework aims at providing a common language for understanding, managing and communicating privacy risks with internal and external stakeholders from various entities. Furthermore, NIST noted that the Draft Privacy Framework will provide sufficient guidance and resources to aid organisations in building and maintaining a privacy risk management programme and will be used to identify and prioritise actions for reducing privacy risks and align policy, business and technological approaches to manage identified risks.
NIST outlined that, in order to achieve these goals, the Draft Privacy Framework focuses on three parts, namely a ‘Core’, ‘Profiles’ and ‘Implementation Tiers’. The ‘Core’ offers a set of privacy protection activities and the possibility for organisations to engage in dialogue about desired outcomes. In addition, ‘Profiles’ will help to determine which ‘Core’ activities should be pursued in order to most effectively reach a determined goal. Finally, ‘Implementation Tiers’ will optimise organisational decision-making on how to manage privacy risks by taking into account the nature of the privacy risks engendered by the organisation’s systems, products, or services and the sufficiency of the processes and resources that the organisation has in place to manage such risks.
Furthermore, as the Draft Privacy Framework will serve as a foundation for organisations dealing with privacy, NIST highlighted that it is broadly drafted in order to account for the unique needs of organisations and can be used in multiple ways, where the decision on how to apply it is left to the implementing organisation. NIST noted that the possibilities for using the Draft Privacy Framework include defining and mapping progress through the use of informative references, strengthening accountability, and establishing or improving a privacy programme. Moreover, the Draft Privacy Framework can be applied throughout the phases of a system development life cycle, and within the data processing ecosystem, by providing a means of communication that can be used by staff holding different positions and that enhances informed decision-making with respect to purchases and acquisitions.
Finally, NIST noted that the latest version of the Draft Privacy Framework carries notable additions, such as an increased focus on flexibility for organisations to choose different requirements based on their privacy outcome choices, and a structural and conceptual alignment of the Draft Privacy Framework with NIST’s Framework for Improving Critical Infrastructure Cybersecurity (‘the Cybersecurity Framework’), as the two frameworks frequently share a common core. In particular, NIST outlined that the Draft Privacy Framework’s structure closely mirrors the Cybersecurity Framework, which allows for more efficient implementation by organisations that are already familiar with the Cybersecurity Framework.
Comments on the Draft Privacy Framework can be made by 24 October 2019.
Lea Busch, Privacy Analyst