NIST Releases Privacy Risk Management Framework

Last week, NIST announced version 1.0 of its Privacy Framework, a tool designed to support organizations in managing their privacy risks.

In September 2019, NIST released a revised draft Privacy Policy when it called for public feedback. The organization had initially hoped to introduce version 1.0 by the end of 2019, but only on 16 January was it officially announced.

The NIST Privacy Framework has been designed to help organizations of all sizes manage privacy risks by focusing on three main aspects: privacy when developing a product or service, information on privacy practices and interinstitutional cooperation.

The architecture consists of three main components: the heart, the profiles and the implementation stages. The core provides a granular set of activities and results aimed at facilitating internal communication. Profiles represent the core functions, categories and sub-categories of an organisation. Finally, implementation levels help organizations optimize the resources needed for their target profile to be achieved.

NIST stated that the Privacy Framework is a collaborative mechanism not a statute or rule to mitigate threats and enforce compliance with existing legislation, like the GDPR and CCPA in California.

“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” said Naomi Lefkovitz

“If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”

The system should also make it easier for companies to keep up with technological developments and new uses for results, according to Lefkovitz.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” she explained. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

NIST states that the NIST cyber security system is intended to be complementary and both will be revised over time.

NIST Privacy System: An Business Risk Management Security Compliance Guide is accessible in PDF format on the NIST website.