Preliminary Draft of NIST Privacy Framework Released
The NIST Privacy Framework will complement the popular NIST CSF
Data privacy and cyber security have a symbiotic and sometimes conflicting relationship. Without robust cyber security, it is impossible to ensure data privacy, as evidenced by the Equifax hack. However, it’s fully possible for an organization to seriously violate users’ data privacy despite practicing robust cyber security. To help government agencies and private-sector organizations better manage the risks of collecting and storing user data and bring privacy risk into parity with their broader enterprise risk portfolio, NIST has released a preliminary draft of the new NIST Privacy Framework, with plans to publish an initial completed version by the end of 2019.
The structure of the NIST Privacy Framework closely mirrors that of the popular NIST CSF so that organizations can use the frameworks together. “While managing cybersecurity risk contributes to managing privacy risk,” NIST writes, “it is not sufficient, as privacy risks can also arise outside the scope of cybersecurity risks.” The Cambridge Analytica scandal – which came to light when a former employee blew the whistle, not in the aftermath of a data breach – illustrated this in stark relief.
What’s in the NIST Privacy Framework?
Like the NIST CSF, the NIST Privacy Framework has three components, or tiers, which seek to reinforce privacy risk management by helping organizations connect business and mission drivers with privacy protection activities.
The Core component of the Privacy Framework is a set of increasingly granular activities and outcomes to encourage organizational dialogue about managing privacy risks. It contains five main functions; Identify-P, Govern-P, Control-P, and Communicate-P, are for managing privacy risks related to data processing, and Protect-P relates to managing privacy risks associated with privacy breaches.
Organizations will use the Profiles component of the Privacy Framework to self-assess their current privacy risk management activities or desired outcomes and identify opportunities for improvement by comparing them with a desired target profile. Finally, the Implementation component will help organizations determine whether they have sufficient resources and processes in place to achieve their target profile.
The Privacy Framework is technology-agnostic and “flexible enough to address diverse privacy needs, enable more innovative and effective solutions that can lead to better outcomes for individuals and enterprises, and stay current with technology trends.”
The need for a separate privacy framework
Mobility and connected everything have fundamentally altered the way we live and do business, and consumers now enjoy many conveniences from these technologies. Unfortunately, as the NIST Privacy Framework points out, these conveniences are made possible by data collection on a massive scale, and consumers “may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services.” NIST goes on to say that organizations may not fully understand the consequences, either, and this could have severely negative effects on them in the long run.
Although no federal data privacy law is currently in sight, the California Consumer Privacy Act takes effect on January 1, 2020, and other states are passing privacy legislation modeled on the CCPA. While the NIST Privacy Framework will be voluntary, it seeks to implement some method to the madness and standardize the language around data privacy and privacy risk management.
Public comment on the NIST Privacy Framework draft will be open through October 24, 2019.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.