The Federal Trade Commission (FTC) offered its comments on the draft version of the National Institute of Standards and Technology’s (NIST’s) Privacy Framework, including praise and suggestions for several additions to the policy.
In comments drafted by FTC staff at the Bureau of Consumer Protection, approved unanimously by FTC commissioners, and released October 24, the FTC suggested five additions to the finalized version of the NIST Privacy Framework:
- Address privacy breaches at each step of the process;
- Emphasize the risk-based nature of safeguard prioritization;
- Include more on the analysis of existing data processing practices;
- Require the designation of a person in charge of the privacy program; and
- Highlight a comprehensive risk assessment as a prerequisite to an effective privacy program.
“We commend NIST for addressing this timely issue by proposing a tool designed to help management start a dialogue about how to manage privacy risks within their organizations,” FTC staff wrote.
The letter draws on the FTC’s experience in enforcing privacy regulations and on the challenges that the commission has encountered.
“These enforcement actions, including the complaints, consent agreements, and corresponding analyses to aid public comment, provide guidance on the Commission’s views as to which privacy practices violate the law as well as the necessary elements of a reasonable privacy program,” the letter states.