The NIST Privacy Framework is continually evolving to be inclusive and informative for all organizations, regardless of vertical. As a security-first company, we are excited about this and about how it will impact your business.
The overall goal of the framework is to bring privacy engineering and privacy-by-design concepts into an organization's business and services. Ideally, it will help protect an individual's data regardless of where or how that data is encountered. The new NIST Privacy Framework lists a few ways it will help an organization:
- Building customer trust by supporting ethical decision making. This is shaping up to be a huge piece, since privacy is often a gray area for some organizations. Helping businesses make ethical decisions will in turn build customers' trust.
- Fulfilling compliance obligations by future-proofing services and products against upcoming compliance regulations. This is beneficial because it coincides with state and national regulatory requirements such as GDPR and the California Consumer Privacy Act. As more compliance requirements or obligations arrive, the framework will evolve. Proactive effort here will help keep auditors and leadership aligned on best practices.
- Facilitating communication about privacy practices. Privacy can be ambiguous to the average consumer, so helping organizations communicate to consumers how they manage privacy and protect data is going to be a win.
This new framework is designed to be flexible enough for any size or type of organization. The material is concise and outcome-based, which I think is a positive compared to a one-size-fits-all approach with rigid requirements. Had they taken the latter route, it is unclear whether the framework would have succeeded or been widely adopted. As presented, it will help organizations of any size address their privacy concerns.
Let’s talk about how it’s structured:
- If you are familiar with the NIST Cybersecurity Framework (NIST CSF), you will find many similarities between it and the Privacy Framework. This is good to see, as the NIST CSF has been very successful in facilitating risk communication to executive leadership as well as to more technically minded folks.
- It has three parts, very much like the NIST CSF: Core, Profiles, and Implementation Tiers, all carried over from the NIST CSF.
- Each component of the Privacy Framework supports risk management and communication up and down the chain of command.
- As with the NIST CSF, there are five components to this framework: identify, govern, control, communicate, and protect. With such close crossover between the two, it will be interesting to see what role the framework plays within an organization and how it supports the organization's overall goals.
The goal of this framework is simply to help organizations build better privacy practices and foundations by bringing privacy risk into the overall business risk profile. We anticipate this will be helpful as businesses continue to manage risk. If you would like more information on how this can be implemented in your business, contact us today.