Last week the National Institute of Standards and Technology (NIST) announced version 1.0 of its new Privacy Framework, a resource designed to help organizations manage privacy risks.
A preliminary version of the Privacy Framework was released in September 2019, but the release of version 1.0 was not officially announced until January 16, 2020.
This new framework is designed to help organizations of all sizes across all industries manage privacy risks by focusing on three essential elements: taking privacy into account when developing a product/service, disclosing privacy practices, and cross-organizational collaboration.
The NIST Privacy Framework is divided into three parts: the core, profiles, and implementation tiers. The core provides a granular set of actionable items and outcomes whose goal is to enable internal communication. The profiles represent functions, categories and subcategories from the core that have been prioritized by an organization. Lastly, the implementation tiers help organizations optimize the resources needed to achieve their target profile.
While this new framework is not a law or regulation, the voluntary tool can be used to help manage risks and ensure continuous compliance with existing regulations, such as the EU's General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act (CCPA).
Senior Privacy Policy Adviser at NIST, Naomi Lefkovitz, claims, "If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are."
This framework should also make it easier for organizations to keep up with technological advances and new uses for data. Data that may be considered low-value today could be exploited by cybercriminals in a few years. That's why you need to adopt an approach that allows your organization to continually reevaluate and adjust to new risks.
NIST says that this new Privacy Framework is intended to complement the existing NIST Cybersecurity Framework, and both will be updated over time.
A PDF version of "NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management" is available on NIST's website.