The New NIST Privacy Framework: What You Should Know

By Antonia Dumas, Associate at XPAN Law Group 

I will not keep you on the edge of your seat waiting: the newly released National Institute of Standards and Technology (NIST) Privacy Framework does provide a tool, but that tool is part of a much larger (more complicated) puzzle. 

As data privacy becomes a larger concern for everyone, IT departments that are used to implementing clear security controls need to evolve to include privacy considerations within those security frameworks. At the same time, executives are looking to establish complete security and privacy programs that will work throughout the organization. So every organization is looking for that magic “easy” button: the straightforward way to clearly address data privacy and security together.

After a collaborative effort between NIST and various stakeholders in the public and private sectors, a new voluntary tool has been released: National Institute of Standards and Technology (NIST) Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. The goal of the Privacy Framework is to “enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy.”

NIST Privacy Framework Structure 

The Framework was developed to be compatible with NIST’s Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) by following the same structure, facilitating the use of both frameworks together. Thus, it contains the same three key components: 

  1. The Core;
  2. Profiles; and 
  3. Implementation Tiers. 

The Core

The Core is a set of privacy protection activities and desired outcomes intended to enable dialogue throughout the organization. It is organized into five key Functions, each further divided into Categories and Subcategories (i.e., discrete outcomes):  

  1. Identify-P – Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
  2. Govern-P – Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk. 
  3. Control-P – Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
  4. Communicate-P – Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding of, and engage in a dialogue about, how data are processed and the associated privacy risks; and 
  5. Protect-P – Develop and implement data processing safeguards.

Of these five, Protect-P is specifically focused on managing risks associated with security-related privacy events (e.g., privacy breaches). This is an issue the Federal Trade Commission, in its comment during the drafting and discussion of the Privacy Framework, noted was important to address throughout the Framework.

Profiles

The Profiles are intended to assist with the actual prioritization of the different privacy protection activities and desired outcomes to best meet organizational privacy values, mission or business needs, and risks.

For example, an organization can use Profiles to “review all of the outcomes and activities in the Core to determine which are most important to focus on based on business or mission drivers, data processing ecosystem role(s), types of data processing, and individuals’ privacy needs.” An organization can create or add Functions, Categories, and Subcategories as needed. Profiles can also be used to conduct self-assessments and to communicate about the management of data privacy throughout the organization. 

Implementation Tiers 

The Implementation Tiers are intended to support decision-making and communication about the effectiveness of the organization’s privacy processes and resources to manage privacy risk.

The Implementation Tiers (Appendix E) are particularly interesting in that they establish four levels of implementation: Tier 1: Partial, Tier 2: Risk Informed, Tier 3: Repeatable, and Tier 4: Adaptable.

The highest Tier, Adaptable, describes the goal of an organization having established: 

  1. A privacy risk management process, based on continuous improvement, that adapts its privacy practices to the changing legal and technological landscape; 
  2. A developed integrated privacy risk management program that is organization-wide and uses risk-informed policies, processes and procedures;
  3. An understanding of its data processing “ecosystem” relationship; and 
  4. A knowledgeable workforce with specialized skill sets related to privacy throughout the organization.  

How to Use the Privacy Framework 

The Privacy Framework provides a list of useful figures and tables to help demonstrate its requirements and functions. The idea is that the Privacy Framework can be used as a risk management tool for all types of organizations, from those seeking to establish a new privacy program to those that already have a robust privacy management process. Some organizations may use the Framework’s Core Functions (Categories and Subcategories) as a point of reference and to analyze any gaps. Other organizations may use the Profiles and/or Tiers to determine how to allocate privacy risk management priorities and roles throughout the organization.  

Some suggested ways to use the Privacy Framework include: 

  • Mapping to Informative References 
  • Strengthening Accountability 
  • Establishing or Improving a Privacy Program 
  • Applying to the System Development Life Cycle 
  • Using within the Data Processing Ecosystem 
  • Informing Buying Decisions 

Is It The Only Tool Of Its Kind?

No, NIST’s Privacy Framework is not the only (or first) tool available. The ISO 27001 standard (formally known as ISO/IEC 27001:2005), in existence for some time, provides a specification for an information security management system (ISMS). The ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

Why Is Risk Management Important to Data Privacy? 

Risk management is a key component of a strong security and privacy program. Additionally, more and more regulations and regulatory agencies (like the Federal Trade Commission) are requiring organizations to proactively and periodically engage in risk assessments and establish risk management programs. For example, the new Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires proactive actions on the part of companies to protect the personal data of New York residents. Under its reasonable security requirement, it requires any company that collects personal data on New York residents to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information” for both types of data. These reasonable safeguards include performing a risk assessment to determine foreseeable internal or external risks and to assess the sufficiency of the safeguards in place to control the identified risks. Note that risk assessments are also required under other regulations like the New York State Department of Financial Services Cybersecurity Requirements (NYDFS) and the Health Insurance Portability and Accountability Act.

Companies of all sizes and across all industries should consider implementing both technical and organizational measures in order to maintain a strong privacy and security program that addresses minimum legal and industry standards. This may include utilizing existing technical and organizational tools and standards within an organization and seeking out new tools (like the NIST Privacy Framework). Data privacy is not a zero-sum game, so there is no perfect solution or tool out there. However, staying knowledgeable about shifting and changing data privacy requirements and the applicable tools that may help meet those requirements can only help! Luck favors the prepared! 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.