NIST Releases Draft Version of Privacy Framework

data privacy, people, personal data, binary

The National Institute of Standards and Technology (NIST) released a discussion draft version of the upcoming NIST Privacy Framework on Wednesday, May 1, with principles and practices aligned with the NIST Cybersecurity Framework.

“The Privacy Framework has been developed to improve privacy risk management for organizations delivering or using data processing systems, products, or services in any sector of the economy or society, regardless of their focus or size,” the draft framework states.

At the heart of the framework are the five functions that have some overlap with the Cybersecurity Framework:

  • Identify
  • Protect
  • Control
  • Inform
  • Respond

Under each function are specific categories, which tie to programmatic needs and specific activities (ex: data processing awareness), and subcategories, which focus on the technical and management activities needed to implement (ex: data sources are informed of data deletion and correction). In total, there are 23 categories, and 111 subcategories under the draft framework.

Similar to the Cybersecurity Framework, the Privacy Framework sets four implementation tiers, although the Privacy Framework does not refer to them as maturity levels. The tiers are:

  • Partial
  • Risk-Informed
  • Repeatable
  • Adaptive

“Some organizations may never need to achieve Tier 3 or 4 or may only focus on certain areas of these tiers. Progression to higher Tiers is appropriate when the nature of the privacy risks requires more multi-faceted risk management processes and resources,” the framework states.

To determine the appropriate level of implementation, organizations can set Profiles, both for their current state and their target state.

“An organization determines these needs by considering organizational or industry sector goals, legal/regulatory requirements and industry best practices, the organization’s risk management priorities, and the privacy needs of individuals who are part of – or directly or indirectly served or affected by – an organization’s systems, products, or services,” the framework states.

For those looking to comment on the framework, NIST will hold a workshop in Atlanta on May 13-14 to discuss the draft.

Categories

Recent