The General Data Protection Regulation (GDPR) brought data privacy issues to the doorstep of organizations collecting personal data and ensures proper use and protections are in place. Large or small, businesses needed to comply. However, GDPR was just the beginning.
In the United States, states began enforcing their own consumer protections laws and regulations to the tune of the California Consumer Protection Act (CCPA) and more. Even now, Federal legislation is being brought before decision makers to protect privacy. Great, in theory, but a new-ish concept for the U.S. leaves many asking, “What is privacy and how do we manage it?”
Thirsty, and quite honestly desperate for guidance, the National Institute of Standards and Technology (NIST), answered the S.O.S call in January and published the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.
Do you have questions about data privacy and your third parties? Our team can help.
NIST, who already has industry credibility via their NIST Cybersecurity Framework and other applicable frameworks, developed a useful set of privacy protection strategies for organizations that wish to improve their approach to using and protecting personal data. This tool aims to help organizations manage privacy risk resulting from their products and services, identify the privacy outcomes they want to achieve, and then prioritize the actions needed to do so.
The NIST‘s Privacy Framework’s approach is broken down into three parts:
The NIST describes The Core as a set of privacy protection activities and outcomes that allow for communicating prioritized privacy protection activities and outcomes across an organization. The focus here is to identify where privacy needs exist within the organization, defining best practices, and effectively communicating the “privacy vision.”
To highlight (and modify) the phrase, “you can’t fix what you don’t know is broken," if you don’t know which processes, products, and services need to fall under a privacy agenda, they will go unaccounted for and unprotected. Therefore, a deep dive into the organization’s ecosystem is a critical aspect of The Core. Once complete, governing these entities begins.
A Profile represents an organization’s current privacy activities or desired outcomes by taking into account their data ecosystem, such as data processing and privacy needs. Profiles are used to communicate within an organization or between organizations about how privacy risks are being managed. This step is critical to see where you are as an organization. This is also the point where all stakeholders agree on the direction and goals of their privacy program. The identification, from the top, of who is accountable and responsible for this approach is an essential part of this phase.
Lastly, The NIST guidance uses tiers to help an organization view privacy risk and identify if the resources within the organization exist to manage that risk. Ultimately, these tiers lay out how organizations can optimize resources dedicated to privacy risk management.
Collectively, The Core, Profile, and Implementation tiers, form a risk-based approach to addressing the protection of privacy information in a language that is easily understood. No framework is one size fits all, but, thankfully, NIST has rescued organizations struggling with privacy management by providing this guidance. As far as implementing these privacy controls, the sooner, the better.
Privacy issues emerge every day, thus increasing privacy risk for any organization collecting personal data. It's important that organizations understand the importance of protecting the privacy of their customers.
Contact us today for a demo