The United States’ National Institute of Standards and Technology (NIST) recently released its Privacy Framework, a useful resource for organizations working to manage privacy risk and comply with privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Like NIST’s widely used Cybersecurity Framework, the Privacy Framework is not a regulation or prescriptive standard, but rather a flexible, regulation-agnostic guide to evaluating privacy risks, defining privacy goals, and prioritizing actions to meet those goals.

How Does It Work?

The Privacy Framework is divided into three parts: The Core, Profiles, and Implementation Tiers.

The Core contains five Functions that organizations may use as part of a privacy risk assessment process:

  • Identify-P: Understand how your organization collects and uses personal information, the privacy risks this use may pose to individuals and the impact those risks may have on your organization.
  • Govern-P: Develop privacy policies and make privacy risk management decisions based on your organization’s priorities, constraints, risk tolerance, and assumptions.
  • Control-P: Establish data processing procedures to protect individual privacy.
  • Communicate-P: Establish procedures to communicate privacy policies, manage data subject access requests or opt-in/out requests, and respond to privacy breaches.
  • Protect-P: Implement appropriate data processing controls to ensure the security, availability, and integrity of personal information.

Each Function contains several Categories and Subcategories, which describe outcomes an organization may wish to achieve. As an example, the Control-P function includes a Data Processing Management Category that lists a set of Subcategory outcomes including:

  • Data elements can be accessed for review.
  • Data elements can be accessed for disclosure.
  • Data elements can be accessed for alteration.
  • Data elements can be accessed for deletion.

The Privacy Framework is not intended to be a checklist of mandatory privacy activities. NIST suggests that an organization prioritize the Core Subcategories that are most relevant to their privacy risk management goals. The Subcategories listed above would all likely be priorities for any organization required to comply with GDPR data subject access requests; other organizations might only prioritize data element review and disclosure outcomes.

The Core Subcategories are clearly influenced by the requirements of the GDPR and the CCPA, but the Framework itself is regulation-agnostic. Organizations select which outcomes to prioritize, and additional outcomes may be added to the Framework as new regulations, such as Brazil’s General Data Protection Law (LGPD) and the proposed New York Privacy Act, come into effect.

Profiles, the second component of the Privacy Framework, are simply sets of selected outcomes and activities. As part of a gap analysis, for example, an organization could create a Current Profile listing the privacy outcomes it currently achieves and a Target Profile of outcomes it wants to achieve. Alternatively, an organization that shares data with third parties could define a Partner Profile specifying the privacy outcomes the partner needs to achieve.

NIST recommends adding informative references to Profiles: tools, regulations, best practices, or anything else that may help an organization achieve a specific privacy outcome. For the example Subcategories listed above, these informative references could be a link to the GDPR articles defining the data subject access rights and a link to a tool or service the organization uses to manage compliance with those rights.
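The Profile gap analysis and informative references described in the two paragraphs above, as an added illustration that is not NIST’s tooling or part of the Framework: the four Control-P outcomes quoted earlier are modelled as a small Core, a Current Profile is compared against a Target (or Partner) Profile, and each missing outcome is paired with the references a team would use to close it. The short outcome keys ("review", "deletion", ...) and the tool name are constructed placeholders, not the Framework’s real Subcategory identifiers; the GDPR article numbers are the actual articles.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One Core Subcategory outcome: its Function, Category and outcome statement."""
    key: str        # constructed short key, NOT a real Framework Subcategory ID
    function: str
    category: str
    statement: str


# The four Control-P / Data Processing Management outcomes quoted on the page.
CORE = {
    o.key: o for o in (
        Outcome("review", "Control-P", "Data Processing Management",
                "Data elements can be accessed for review."),
        Outcome("disclosure", "Control-P", "Data Processing Management",
                "Data elements can be accessed for disclosure."),
        Outcome("alteration", "Control-P", "Data Processing Management",
                "Data elements can be accessed for alteration."),
        Outcome("deletion", "Control-P", "Data Processing Management",
                "Data elements can be accessed for deletion."),
    )
}

# Informative references per outcome, of the kind NIST recommends attaching to a Profile.
# GDPR article numbers are the real articles; "DSAR-portal" is a constructed placeholder.
REFERENCES = {
    "review": ["GDPR Art. 15 (right of access)", "tool: DSAR-portal (placeholder)"],
    "disclosure": ["GDPR Art. 15(3) (copy of personal data)", "GDPR Art. 20 (data portability)"],
    "alteration": ["GDPR Art. 16 (right to rectification)"],
    "deletion": ["GDPR Art. 17 (right to erasure)"],
}


def profile_gap(achieved, required):
    """Compare two Profiles: return the outcomes in `required` (a Target or Partner
    Profile) that `achieved` (a Current Profile, or a partner's attestation) does not
    yet meet, each mapped to its informative references. Keys outside the Core are
    rejected so that a typo cannot silently hide a gap."""
    unknown = (set(achieved) | set(required)) - CORE.keys()
    if unknown:
        raise ValueError(f"not a Core outcome: {sorted(unknown)}")
    return {k: REFERENCES.get(k, []) for k in sorted(set(required) - set(achieved))}


if __name__ == "__main__":
    current = {"review", "disclosure"}   # what the organization achieves today
    target = set(CORE)                   # GDPR DSAR compliance needs all four
    for key, refs in profile_gap(current, target).items():
        o = CORE[key]
        print(f"GAP {o.function} / {o.category}: {o.statement}")
        for ref in refs:
            print("    ->", ref)
```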

The final piece of the Privacy Framework is a set of four Implementation Tiers, which indicate how rigorously an organization is implementing privacy risk management:

  • Tier 1: Partial – privacy risk management is ad hoc and reactive.
  • Tier 2: Risk Informed – some understanding of privacy risks, practices, and priorities.
  • Tier 3: Repeatable – formal, consistent approach to privacy risk management.
  • Tier 4: Adaptive – continuous improvement in adoption of privacy technologies and practices to adapt to changes in policy, regulatory requirements, and technical developments.

NIST suggests that most organizations should try to achieve at least Tier 2, but not all organizations may need to achieve Tiers 3 or 4.

Using the Privacy Framework

The Privacy Framework is an optional, free privacy risk management tool from a trusted source. As such, any organization struggling to comply with new privacy regulations should probably take a look at it, as well as at the other privacy engineering resources available from NIST. These resources include common Profiles, guidance and tools, and crosswalks mapping regulatory requirements and standards to the Privacy Framework outcomes. NIST may not be able to solve all your privacy problems, but it will give you a good start on complying with new regulations, and the price can’t be beat.

Infocomply champions a Measure – Comply – Thrive model of continuous privacy improvement centered on Five Best Practices:

  1. Carefully assess your organization’s business practices, revenue model and risk tolerance to inform your compliance choices as you design a compliance strategy appropriate to your available resources and risk level.
  2. Continually evaluate the regulatory landscape to ensure compliance with existing and future regulations.
  3. Enlist technical and legal partners to develop or identify the best privacy compliance platform for your unique needs.
  4. Plan to perform regular audits and attestations to measure and document privacy controls.
  5. Practice continuous privacy improvement to adjust your controls to operational, technical or regulatory changes.

Infocomply’s partner-friendly platform was designed to foster collaboration by tying internal IT departments, product teams, and internal or external legal teams into the implementation of continuous privacy improvements. Our platform provides all the necessary components for closer collaboration with your chosen legal experts, allowing for rapid response to changing requirements and faster risk remediation and mitigation.