The National Institute of Standards and Technology (NIST) released a preview of its plans for a standard Privacy Framework this past week. The purpose of the Framework is to help organizations better manage privacy risks.
The Privacy Framework would breakdown privacy functions into five categories: identify the context of processing, protect private data, control data through data management, inform individuals about data processing, and respond to adverse breach events.
Also, organizations would be able to reference the Privacy Framework when deciding how to tailor compliance to the organization’s risk tolerance, privacy objectives, and financial resources.
NIST enters the privacy policy-making arena in a crowded field. The NTIA has solicited comments on developing an approach to consumer privacy, Congress is considering competing legislative options for federal privacy legislation, and California is gearing up this year for the 2020 implementation of the CCPA.
But as NIST explains on its website, the NIST framework is intended to compliment statutory and regulatory rules, not replace them: “the NIST framework is envisioned as an enterprise-level privacy risk management tool that can be compatible with and support organizations’ ability to operate under applicable domestic and international legal or regulatory regimes.”
Throughout the process of developing the Privacy Framework, NIST has emphasized that it will leverage its 2014 Cybersecurity Framework – both as a template and as an example of the value of standards documents. The agency recently celebrated the five-year anniversary of the Cybersecurity Framework in February, touting the fact that the Framework has been downloaded more than half a million times.
Kelley Drye will continue to track developments at NIST on the development of a Privacy Framework.
[View source.]
