NIST recently released a final version of its Privacy Framework to incorporate public feedback in response to the draft it issued late last year. For organizations familiar with the NIST Cybersecurity Framework first released in 2014, the Privacy Framework follows a similar structure, and the two are intended to be used together.
The document details a voluntary approach to assist organizations in managing privacy risks. Like the NIST Cybersecurity Framework, the Privacy Framework calls for a risk-based approach to protecting privacy information. The Privacy Framework includes three sections – the Core, Profiles, and Implementation Tiers. The Core is a set of privacy protection activities and outcomes divided into key categories and subcategories with discrete outcomes. A Profile represents an organization’s current privacy activities or desired outcomes. Implementation Tiers provide a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.
Putting it into practice: The NIST framework may help companies as they benchmark and work to identify potential gaps in compliance with privacy laws. It should not be viewed as a one-size-fits-all approach – particularly for companies in regulated industries or subject to numerous privacy laws. Although the framework doesn’t necessarily introduce significantly new concepts, we anticipate that companies could begin to see some business partners asking whether they adhere to or are familiar with this framework.