NIST Proposes Privacy Framework to Help Make Sense of Global Privacy Regulations

Personal information has been a key enabler of business transformation, innovation and improved efficiencies over the past two decades. With it, consumer experiences have evolved, sometimes without consumers themselves understanding what data has been collected about them and how it is used.

In the wake of recent high-profile data breaches, influential companies have had their reputations tarnished and consumer demand for transparency has skyrocketed. Over the past year alone, this demand has resulted in the steady increase in privacy regulations around the world.

Global privacy regulations

Since each new regulation has its own flavor, global organizations need strategies to effectively manage the challenges of compliance. Organizations that approach privacy strategically stand to gain a competitive edge when it comes to building and retaining customer trust. Creating a cohesive privacy posture, however, is much easier said than done. The ongoing National Institute of Standards and Technology (NIST) Privacy Framework initiative is intended to address these challenges.

What Is the NIST Privacy Framework?

In October 2018, NIST, collaborating with public and private stakeholders, started drafting its privacy framework. The framework is intended to serve as a guide for chief information security officers (CISOs), chief privacy officers (CPOs) and other internal privacy stakeholders and is geared toward helping them improve their organizational privacy posture. Like the NIST Cybersecurity Framework introduced in 2014, the privacy framework is voluntary: organizations choose whether to adopt it.

It is expected that the framework will be presented in language that can be understood by both privacy and security professionals, as well as executives and other business stakeholders who may have no expertise in privacy, and that’s a very good thing. The roles of the CISO and CPO are evolving to have complementary concerns, which means they must work more closely together, especially when it comes to privacy and personal data protection. Technical professionals and legal professionals speak very different languages in their day-to-day work, so when it comes to implementing an effective privacy program, everyone had better be speaking the same language to establish a common understanding of what needs to get done.

NIST has been working quickly. A request for information (RFI) to gather input and guide the development of the framework wrapped up in January, and the outline of the NIST Privacy Framework was drafted and shared in March.

At its core, the framework provides a commonsense set of five functions that address the full life cycle of information privacy. These include the need for organizations to:

  1. Identify the processes and business context within which personal information is being used and assess any associated risk to individuals’ privacy as a result;
  2. Protect personal information by implementing protective measures such as privacy awareness training, data security and identity and access management (IAM);
  3. Control and implement processes and activities that meet privacy policy objectives as they pertain to areas such as user preferences and data management;
  4. Inform and remain transparent about how information is being processed for both organizations and individuals by implementing processes and activities that provide a commonsense understanding; and
  5. Respond when personal information has not been processed appropriately or a breach of personal information has occurred.

The outline clearly demonstrates NIST’s intent to structure and deliver a privacy framework built on the success of its Cybersecurity Framework. The identify, protect and respond functions are part of both frameworks. This alignment is expected to help organizations that already voluntarily follow the Cybersecurity Framework adapt to the privacy processing domain. The nature of the activities underlying each of these functions, however, emphasizes privacy-centric needs; for example, the identify function covers how personal information is being used and how it flows within and outside of an organization. The underlying outcomes of each of the five functions, termed “categories” and “subcategories,” are yet to be defined.

Privacy Profiles Enable Collaboration

Because the Privacy Framework is shaping up to provide a broad and comprehensive set of objectives, NIST also proposed a privacy framework profile construct. A profile is a mechanism for focusing on the subset of framework functions, and of the categorized activities under each, that is relevant to meeting a particular privacy objective or managing a particular privacy risk. A profile may be created in response to an identified privacy risk or to deliver the outcomes required by a regulation, such as the California Consumer Privacy Act (CCPA).

While there may be disparities in how privacy regulations get implemented, it turns out that data protection requirements and controls have a significant amount of overlap, which allows for a repeatable process that can accelerate readiness for new privacy regulations as they emerge. With this in mind, there may be opportunities for organizations to collaborate, and open-source, regulation-driven profiles are perhaps a good start. In fact, NIST recently launched its Privacy Engineering Collaboration Space as part of its Privacy Engineering Program, where practitioners can do just that, starting with privacy risk assessment and de-identification use cases.

What’s Next for NIST?

NIST will release a discussion draft of the Privacy Framework and host a second public workshop on May 13–14 as it moves quickly toward its objective of creating an enterprise privacy risk management tool that organizations will want to adopt. You can find the development schedule and more information on how you can contribute on the NIST website.