NIST Publishes Privacy Framework
The National Institute of Standards and Technology, an arm of the U.S. Department of Commerce, has published version 1.0 of a privacy framework to help organizations think through the process of securing personal data.
The NIST privacy framework consists of three primary sections. The Core section defines a set of fundamental privacy protection activities, while the Profiles section defines the activities an organization should pursue to reach its goals most effectively. The Implementation Tiers section addresses how organizations should allocate resources to managing privacy risk when applying the controls defined in the Core section on a granular basis.
Naomi Lefkovitz, senior privacy policy advisor for NIST, said the document is a natural extension of the agency’s work in defining a cybersecurity policy framework, which has been adopted widely, and is in response to the increased number of incidents involving data privacy in recent years. Rather than a checklist, the framework is designed to help organizations better align their engineering efforts and business processes around a set of privacy goals and policies before an application is built and deployed, she said.
In some cases, that will result in organizations aligning the structure of their teams around the privacy framework. In other cases, organizations will employ the framework as a means of explaining to senior business leaders what privacy policies need to be implemented.
Lefkovitz said the biggest challenge in creating the document was defining what elements should be part of the Core definition and what elements should be part of the Implementation Tiers section that organizations could decide to implement based on the amount of risk involved.
NIST has been working on defining the privacy framework for several years now. A draft version of the framework developed in conjunction with a limited number of stakeholders was published last year. NIST is now looking for additional feedback on what Lefkovitz described as a “living document.”
While the U.S. has yet to implement any privacy laws, interest in privacy issues as part of the application development process is on the rise in the wake of regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 being enacted. NIST is seeking to provide organizations trying to address data privacy issues with a framework that is agnostic from both a legal and a technological perspective, said Lefkovitz.
Despite increased regulation, approaches to data privacy today remain uneven at best. However, as awareness of how data is being used by organizations continues to rise among consumers, it’s only a matter of time before all organizations will need to address data privacy concerns. The challenge will be determining whether addressing those concerns will require new technologies or simply re-engineering existing processes. In most cases, organizations will need to focus on both aspects.
In the meantime, data privacy is sure to be an issue during the next election cycle. As politicians vie over what constitutes the appropriate level of regulation, organizations should get prepared now for much higher levels of scrutiny—and potential fines—ahead.