Overview of the (Draft) NIST Privacy Framework - Clarip Privacy Blog

Overview of the (Draft) NIST Privacy Framework

Work continues on the National Institute of Standards and Technology (NIST) Privacy Framework. It has been some time since we have provided an update on it here on the Clarip Privacy Blog, but we thought it was time to check in after the release of another discussion draft and the second public workshop.


The Privacy Framework’s goal is to improve privacy risk management for organizations delivering systems, products or services in any sector of the economy or society, regardless of focus or size. It is a voluntary framework that follows the model established in the NIST Cybersecurity Framework.

The Privacy Framework is divided into three sections: Core, Profile, and Implementation Tiers. Since we expect that many businesses will

Core

A set of privacy protection activities and outcomes consisting of five functions: Identify, Protect, Control, Inform, and Respond. The functions provide a high-level overview of managing privacy risk, and the Core then identifies discrete categories and subcategories under each function. As part of the Core, the five functions are further clarified by the discussion draft:

Identify – Develop the organizational understanding to manage privacy risk for individuals.

Protect – Develop and implement appropriate data processing safeguards. This extends beyond data security to enabling authorized data processing within a protected state. Categories include Identity Management, Authentication, Access Control, Data Security, and Protected Processing.

Control – Develop and implement appropriate activities to enable data management with sufficient granularity to manage privacy risks.

Inform – Develop and implement appropriate activities to enable a reliable understanding of how data is processed.

Respond – Develop and implement appropriate activities to take action regarding a privacy breach or event.

Profile

The Profile is the set of privacy outcomes the organization aims to achieve. A profile is developed by reviewing all of the functions, categories and subcategories to determine which are the most important based upon business drivers, types of data processing, and individuals’ privacy needs.

As part of the Profile, an organization may develop two different profiles. A Current Profile indicates the privacy outcomes the organization is currently achieving, while a Target Profile indicates the outcomes the organization needs to achieve to meet its desired privacy risk management goals.

Implementation Tiers

The Implementation Tiers provide context on whether an organization has adequate processes and resources in place to manage privacy risks. There are four distinct tiers: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3) and Adaptive (Tier 4). Tiers do not represent maturity levels, but progression to a higher tier is appropriate when a privacy risk requires more risk management processes and resources.

NIST Updates

Last week, NIST held its second public workshop on the development of the Privacy Framework. The event was held at Georgia Tech Scheller College of Business. The next workshop for the privacy framework will take place in mid-July in Boise, Idaho. NIST intends to finalize the Privacy Framework in October 2019.
