In response to an increasingly complex data privacy regulatory environment, the National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework, subtitled “A Tool for Improving Privacy Through Enterprise Risk Management.” NIST intends the framework “to be widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction.” Given that current privacy regulations apply to a host of different industries, the NIST framework was built to help all organizations create a foundation for their data privacy practices and quickly adapt to the various compliance requirements.
Much as the International Organization for Standardization (ISO) 27701 guideline for privacy information management is an extension of ISO 27001, the NIST Privacy Framework was built with the same structure as the NIST Cybersecurity Framework (CSF), allowing the two to be used together and resulting in a more cohesive and effective solution.
The framework is made up of three components: the Core, Profiles and Implementation Tiers.
Overall, the NIST Privacy Framework is easy to understand and meant to provide organizations with a roadmap for managing privacy risk. While privacy will always be associated with compliance, the new laws and regulations go far beyond having appropriate documentation. Using a framework such as this to embed privacy from the beginning of a new project helps to ensure that principles such as collection, minimization, sharing and even monetization are responsibly considered.
While adopting a privacy framework is a great step toward creating a sustainable privacy program, it will not guarantee compliance with the variety of privacy regulations that exist. Regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) include some select requirements that are not specifically addressed by the NIST Privacy Framework. For this reason, before adopting any framework, organizations should perform a privacy assessment to determine what their personal data processing activities are and whose personal data they process. This will give the organization the information necessary to determine what, if any, privacy regulations apply and allow it to identify and adopt a privacy framework that aligns well with its regulatory exposure and the organization’s goals.
For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.