USA: NIST publishes Privacy Framework
The National Institute of Standards and Technology ('NIST') published, on 16 January 2020, version 1.0 of the NIST Privacy Framework ('the Framework').
In particular, NIST outlined that the Framework is a voluntary tool intended to help organisations meet their obligations under laws such as the California Consumer Privacy Act of 2018 ('CCPA') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') by optimising beneficial uses of data while protecting the privacy of individuals. Use of the Framework does not by itself establish compliance with any law.
What is the structure of the Framework?
The Framework, which is intended to work alongside the NIST Cybersecurity Framework, has three primary components:
- the Core, a set of privacy protection activities and outcomes which help an organisation manage and articulate privacy risk as part of its privacy risk assessment process;
- the Profiles, which describe the privacy outcomes an organisation is currently achieving (its Current Profile) and those it wants to achieve (its Target Profile), and which highlight the Core activities required to close the gap between the two; and
- the Implementation Tiers, which gauge the current maturity of an organisation's privacy risk management and the allocation of resources needed to make progress.
How does the Framework assist organisations?
The Framework presents five functions, Identify-P, Govern-P, Control-P, Communicate-P and Protect-P, which aid an organisation in managing its privacy risk by understanding and managing data processing, enabling risk management decisions, determining how to interact with individuals, and improving by learning from previous activities. By implementing the activities in the Core, an organisation can map the Framework and its Target Profile onto its own system development lifecycle. In addition, NIST highlighted that the Framework can support organisations by, among other things, facilitating communication about privacy practices, and by taking privacy into account in the design and provision of systems, products and services that affect individuals.
How should the Framework be used?
The Framework is not intended to work as a checklist. Instead, it provides an approach that can be tailored to the unique needs of each organisation, and it is designed to complement an organisation's existing business processes and its systems, products and services. In addition, it promotes the development of Profiles based on an organisation's current privacy activities and desired outcomes, which can be used to conduct privacy risk assessments that identify and evaluate specific privacy risks. An organisation's Profile informs its Implementation Tier and helps the organisation gauge the internal resource allocation required to progress to a higher tier. Finally, NIST highlighted that, given the flexibility of the Framework, the manner of its implementation is left to the implementing organisation.
Pranav Ananth - Privacy Analyst