Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

NIST Begins Developing Voluntary Online Privacy Framework

November 15, 2018

The National Law Review reported earlier this month that the National Institute of Standards and Technology (NIST) had announced that it would be creating a Privacy Framework. This Privacy Framework would provide voluntary guidelines to help organizations manage privacy risks. The NIST announcement recognized that the Privacy Framework is timely because disruptive technologies, such as artificial intelligence and the internet of things, not only enhance convenience, growth, and productivity, but also require more complex networking environments and massive amounts of data.

Building on the success of the NIST Cybersecurity Framework, the Privacy Framework is meant to be a transparent, enterprise-level tool that helps organizations prioritize resources and strategies in order to create flexible, risk-based privacy solutions.

Why is the new framework needed? Although good cybersecurity practices can help manage privacy risks by protecting people’s information, privacy risks also can arise from organizations’ authorized collection, storage, use, and sharing of information to meet their mission or business objectives. If not effectively managed and communicated, privacy risks can have both individual and industry-wide consequences (such as failure to achieve societal acceptance of an otherwise useful technology due to lack of trust in the marketplace).

The NIST Privacy Framework incorporates a risk-based model that encourages self-evaluation by organizations. Specifically, the Framework is meant to enable organizations to determine what programs and protocols are appropriate for them based on the type, nature, and quantity of data collected. In addition, because the model is framed around outcomes rather than as a set of prescriptive requirements or a “check-the-box” exercise, the Privacy Framework can be tailored to the actual extent and scope of an organization’s data collection, storage, use, and sharing, which should make it more effective.

The Privacy Framework does not bucket activities or roles, but instead asks organizations to think through the type of data they collect and use, the risks involved with the data, and how to mitigate those risks through organizational controls.

As an initial step, NIST is considering how it should structure the Framework in order to achieve its proposed minimum attributes, which include being consensus-driven, adaptable, non-prescriptive, and compatible with other privacy approaches.

NIST is scheduled to host a Q&A-based webinar on the Framework on November 29th.

A quick fact sheet on the new Framework may be found here.

Hat tip to Dave Ries.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson