The Department of Commerce’s National Institute of Standards and Technology (“NIST”) has released Version 1.0 of its Privacy Framework. This voluntary framework aims to provide organizations with strategies to improve their privacy practices, build customer trust, and fulfill compliance obligations. It is designed to be flexible and non-prescriptive, allowing public and private organizations of all sizes to adapt the framework to their own goals and priorities.
NIST announced its intention to develop this tool in September 2018, and spent the following year collaborating with stakeholders – including corporations, governments, academics, industry groups, and non-profits – to create a draft. It released a preliminary draft of the framework in September 2019, soliciting comments that were used to create Version 1.0.
The Privacy Framework comes at a time of significant change for organizations endeavoring to manage their privacy risk. Federal, state, and local governments around the world are issuing first-of-their-kind privacy laws, with more on the horizon, as we have written about here, here, here, here, and here. This patchwork of untested laws increases the challenge of privacy compliance in the U.S. and abroad.
While the Privacy Framework was written to be agnostic to any legal regime, NIST stated in a press release that the framework can help organizations “demonstrate compliance with laws that may affect them, such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation.” The framework’s ability to guide organizations in successfully navigating compliance waters remains to be seen.
The Privacy Framework was created as a companion to NIST’s Cybersecurity Framework, a tool for reducing, managing, and communicating cyber risks. Since its release in 2014, the Cybersecurity Framework has been widely adopted by a variety of organizations, many of which expressed an interest in a similar tool focused on privacy. “Privacy and security are related but distinct concepts,” NIST explained, “and merely adopting a good security posture does not necessarily mean that an organization is addressing all its privacy needs.” The Privacy Framework adopts the same structure as the Cybersecurity Framework, allowing organizations to use the two side-by-side. NIST intends for both frameworks to be updated over time as best practices evolve and new challenges emerge.
Like the Cybersecurity Framework, the Privacy Framework is composed of three parts – Core, Profiles, and Implementation Tiers:
- The Core is “a set of privacy protection activities and outcomes that allows for communicating prioritized privacy protection activities and outcomes across an organization from the executive level to the implementation/operations level.”
- A Profile “represents an organization’s current privacy activities or desired outcomes. To develop a Profile, an organization can review all of the outcomes and activities in the Core to determine which are most important to focus on based on business or mission drivers, data processing ecosystem role(s), types of data processing, and individuals’ privacy needs.” An organization can create a “Current” and a “Target” Profile to monitor its progress toward improving its privacy practices.
- Implementation Tiers “provide a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk informed.”
NIST will host a webinar on January 29 providing an introduction to the Privacy Framework. Registration is available here.