Pierluigi Paganini January 21, 2020

The NIST released version 1.0 of Privacy Framework, it is a tool designed to help organizations to manage privacy risks.

The National Institute of Standards and Technology (NIST) has published the release version 1.0 of its privacy framework. The Framework is a voluntary tool that can be used by organizations to manage risks in compliance with privacy legislation, including the European GDPR.

The NIST Privacy Framework is designed to help organizations manage privacy risks, with specific focuses on:

• Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
• Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment;
• Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

The framework provides building blocks that help organizations in achieving privacy goals.

The Framework is composed of three main parts, the Core, Profiles, and Implementation Tiers.

The Core enables communications within organizations about privacy protection activities and desired goals. Profiles allow organizations to prioritize the outcomes and activities according to privacy values, the business mission, and risks.

Implementation tiers help organizations to optimize the resources that are necessary to manage the risk.

Organizations, one analyzed the potential impact of privacy risks, may choose to prioritize according to their strategy. The response to privacy risk includes:

• Mitigating the risk (e.g., organizations may be able to apply technical and/or policy measures to the systems, products, or services that minimize the risk to an acceptable degree);
• Transferring or sharing the risk (e.g., contracts are a means of sharing or transferring risk to other organizations, privacy notices and consent mechanisms are a means of sharing risk with individuals);
• Avoiding the risk (e.g., organizations may determine that the risks outweigh the benefits, and forego or terminate the data processing);
• Accepting the risk (e.g., organizations may determine that problems for individuals are minimal or unlikely to occur, therefore the benefits outweigh the risks, and it is not necessary to invest resources in mitigation).

The framework should also organizations to keep up with technology advancements and new uses for data.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” said Naomi Lefkovitz, NIST privacy policy adviser who led the development of the framework. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

The Privacy Framework is considered complementary with the NIST Cybersecurity Framework, using both it is possible to have a good understanding of the different origins of cybersecurity and privacy risks and allow to determine the most effective solutions to address the risks.

Additional details are included in the document titled “NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT. “

Pierluigi Paganini

(SecurityAffairs – privacy, NIST)

[adrotate banner=”5″]

[adrotate banner=”13″]