On January 16, the National Institute of Standards and Technology released Version 1.0 of its Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. NIST’s Privacy Framework is a tool meant to aid organizations of all sizes in managing privacy risks without regard to any particular technology, sector, law, or jurisdiction.

Purpose

Recognizing that data about individuals is the driving force in so much of the innovative products and services offered by organizations today and the importance of individuals’ privacy, NIST developed the Privacy Framework to aid organizations in developing improved practices to protect individuals’ privacy. NIST states that the Privacy Framework can support organizations with the following practices:

  • Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data, while minimizing adverse consequences for individuals’ privacy and society as a whole;
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
  • Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

Core, Profiles, and Implementation Tiers

Like its Framework for Improving Critical Infrastructure Cybersecurity, NIST’s Privacy Framework is comprised of three parts: the Core, the Profiles, and the Implementation Tiers.

The Core is a set of privacy protection activities and outcomes that is designed to prioritize communications regarding privacy protection within an organization. At the highest level, the Core identifies five activities and outcomes, called Functions, that promote privacy security. The five privacy Functions are:

  • Identify-P – Develop the organizational understanding to manage privacy risks for individuals that arise from data processing.
  • Govern-P – Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
  • Control-P – Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
  • Communicate-P – Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
  • Protect-P – Develop and implement appropriate data processing safeguards.

The Profiles enable an organization to assess and describe its current privacy practices – i.e., a “Current Profile” – and to establish privacy goals – i.e., a “Target Profile.” In other words, the Profiles provide a framework and common language for identifying gaps, developing action plans for improvement, and gauging what resources are needed to achieve goals.

The Implementation Tiers – described as Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4) – are benchmarks that represent progress in an organization’s ability to combat privacy risks. While NIST stresses that achieving the outcomes described in an organization’s Target Profile is crucial for successful implementation of the Privacy Framework, an organization may use the Tiers to more effectively communicate about the procedures it has in place and the privacy outcomes it aims to achieve.

Practical Upside

NIST’s Privacy Framework provides an accessible and flexible framework for assessing and responding to privacy risks. It has been well received by the regulatory community. Indeed, the Federal Trade Commission praised an earlier draft of the Privacy Framework in an official comment; and on January 28, the Commodity Futures Trading Commission became the first federal agency to adopt the Privacy Framework, noting that its decision puts the agency “on the cutting edge of data privacy protection.” Bearing those facts in mind, companies should consider the Privacy Framework when fine-tuning their compliance policies and procedures.