
NIST releases enterprise risk management privacy framework


The National Institute of Standards and Technology (NIST) recently released a privacy framework that guides organizations in improving how they protect sensitive data. The framework lays out privacy risk management concepts while helping organizations identify the privacy outcomes they want to achieve and the steps needed to reach them.

The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management was developed in collaboration with industry stakeholders. It follows the structure of the NIST Cybersecurity Framework, which the privacy framework is designed to complement.


What the privacy framework supports

The privacy framework outlines privacy engineering practices that support privacy by design. Organizations can also find guidance on building consumer trust through ethical decision making in product and service design, and on minimizing unintended consequences for individuals' security and privacy. The framework further provides guidelines for meeting compliance obligations, and methods for doing so, in an ever-changing technological and policy environment. It also covers how to communicate about privacy practices with partners, regulators, and individuals.


How the framework ensures privacy compliance

Given the growing number of large data and privacy breaches, many industry stakeholders have noted that the two-decades-old HIPAA Privacy Rule has critical gaps for the digital age. NIST's privacy framework can be used to demonstrate compliance with laws such as the California Consumer Privacy Act (CCPA) and the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD).

Naomi Lefkovitz, a senior privacy policy advisor at NIST and leader of the framework project, stated that "A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit. That's why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks."

The framework covers three main areas:

  • Privacy protection activities
  • Profiles that help organizations choose the activities relevant to their privacy goals
  • Tiers to optimize privacy risk management resources


Conclusion

NIST intends to continue developing the framework to maximize its benefits for organizations well into the future. That way, even organizations with strong existing privacy and security practices can be confident that all privacy requirements remain addressed as compliance laws and the digital environment evolve.

Additional Reading: HIPAA Compliant Email: The Definitive Guide
