NIST Privacy Framework: A New Tool to Identify and Manage Privacy Risk in Organizations
The National Institute of Standards and Technology (NIST) published its first Privacy Framework on January 16, 2020. NIST is a non-regulatory agency within the U.S. Department of Commerce tasked with promoting innovation and industrial competitiveness by advancing measurement science, standards, and technology.
The Privacy Framework is designed to support organizations in building customers’ trust by supporting product and service design and deployment that optimize beneficial uses of data while minimizing adverse privacy consequences, fulfilling current and future compliance obligations in the ever-changing technological and policy environment, and facilitating communication about privacy within and outside the organizations.
How to apply the Privacy Framework is left to the individual organization. For example, the Framework may be used as a risk management tool, to establish and improve a privacy program, to analyze and articulate gaps in existing privacy management processes, and to strengthen accountability. Given the variety of ways in which organizations might use the Framework, its drafters discourage the notion of “compliance with the Privacy Framework” as a uniform or externally referenceable concept.
The Privacy Framework follows the structure of the NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) and consists of three parts: Core, Profiles, and Implementation Tiers.
Core
The Core is a set of privacy protection activities and outcomes designed to enable an organizational dialogue about managing privacy risk. The Core consists of five Functions (Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P) and is further divided into Categories (groups of privacy outcomes) and Subcategories (specific outcomes of technical and management activities).
The activities in the Identify-P Function are foundational for effective use of the Privacy Framework. They include data mapping and inventorying, understanding privacy interests of individuals served or affected by the organization, and conducting risk assessments to enable an organization to understand its business environment and prioritize privacy risks.
The activities in the Govern-P Function are designed to implement an organizational governance structure that enables an ongoing understanding of management priorities informed by privacy risk. The Categories associated with this Function are Governance Policies, Processes, and Procedures; Risk Management Strategy; Awareness and Training; and Monitoring and Review.
The activities in the Control-P Function enable organizations to manage data with sufficient granularity to manage privacy risks. The Categories in this Function are Data Processing Policies, Processes, and Procedures; Data Processing Management; and Disassociated Processing.
The activities in the Communicate-P Function enable organizations and individuals to have a reliable understanding of, and engage in a dialogue about, how data is processed and the associated privacy risks. The relevant Categories are Communication Policies, Processes, and Procedures; and Data Processing Awareness.
The Protect-P Function involves the development and implementation of appropriate data processing safeguards to prevent cybersecurity-related privacy events. The NIST Cybersecurity Framework, which enables organizations to apply risk management principles and best practices to improve security and resilience, can be leveraged to further support the management of cybersecurity risk through its Detect, Respond, and Recover Functions. Alternatively, organizations may use all five Cybersecurity Framework Functions (Identify, Protect, Detect, Respond, and Recover) to address privacy and cybersecurity risks collectively.
Profiles
Profiles are a selection of specific Functions, Categories, and Subcategories from the Core that an organization has prioritized to help it manage privacy risks.
Profiles can be used to describe the current and desired states of the organization’s privacy program and its specific activities. The difference between the two Profiles, in turn, enables the organization to identify gaps and develop a process for improvement in a cost-effective and prioritized manner. Profiles can also help communicate risk within and between organizations by comparing the current and desired states of privacy outcomes.
The drafters emphasize that the Framework does not prescribe Profile templates and that organizations may not need to achieve every outcome and activity identified in the Core. When developing a Profile, organizations are encouraged to select and tailor the Core activities to their specific needs based on their industry, business objectives, privacy values, risk tolerance, roles in the data processing ecosystem, legal and regulatory requirements and best practices, and the privacy needs of individuals served or affected by the organization’s systems, products, and services.
Implementation Tiers
The four distinct Implementation Tiers, Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4), describe the maturity of the organization’s privacy program. Each Tier, in turn, is defined by four elements: Privacy Risk Management Process, Integrated Privacy Risk Management Program, Data Processing Ecosystem Relationship, and Workforce.
The Tiers represent a progression, although not a compulsory one. While most organizations will benefit from maturing beyond the lowest Partial Tier, not all organizations need to achieve Tiers 3 and 4, and some may choose to focus only on certain privacy Functions within these higher Tiers. The Tiers may be used as a benchmark to gauge progress in the organization’s capability to manage privacy risks, as well as to communicate internally about the resource allocation necessary to progress to a higher Tier. The drafters of the Framework emphasize that successful implementation of the Privacy Framework rests on achieving the outcomes in the organization’s Target Profile, taking all pertinent factors into consideration, rather than on a Tier determination.
Today, organizations increasingly recognize that failure to manage privacy risks may adversely affect their customers and employees, brand reputation, bottom line, and future growth prospects. For companies subject to privacy regulations, the additional risks include regulatory and legal exposure. As more states are expected to follow California this year in enacting comprehensive privacy statutes, these risks will only increase. The Privacy Framework introduces a valuable and timely tool for organizations to facilitate the development and management of privacy programs that can adapt to emerging regulations, technologies, and privacy risks.