What is the NIST Privacy Framework and how does it relate to data privacy?
The Federal Trade Commission (FTC) recently issued a fine of $170 million to Google and YouTube for privacy violations that affect children. When we look back at 2019, we may well find ourselves talking about the year of the privacy harm.
The right of individuals to data privacy is increasingly reflected in laws and regulations the world over. Examples include the European Union, which brought us the GDPR; California, with the California Consumer Privacy Act (CCPA); and Canada, with PIPEDA.
Trying to meet these regulations, which can have a far-reaching impact on a business, is a complicated area. However, the U.S. National Institute of Standards and Technology (NIST) is developing a specific privacy framework to help with this: the NIST Privacy Framework.
Here, we take a look at this framework and how it can help your business meet data privacy requirements.
or NIST Special Publication 800-171, which sets out security requirements for protecting controlled unclassified information (CUI) in nonfederal information systems.
When NIST develops a framework, it usually puts it out for public consultation. The Request for Information (RFI) on the NIST Privacy Framework was issued in November 2018; the current version is a Preliminary Draft. (Note: This blog article was published in October 2019.)
The NIST Privacy Framework is designed to be a tool that helps an organization determine the level of data privacy risk within its systems. Risk assessment plays an important part in deciding where to allocate resources to reduce the likelihood of an issue, in this case a privacy violation.
The NIST Privacy Framework offers guidance to help create a holistic data management program for your organization.
As part of the development of the NIST Privacy Framework, the relationship between privacy and cybersecurity was debated. Questions such as “How do we bring privacy risk management into parity with cybersecurity risk management” were presented at meetings to discuss the scope of the framework.
In answering these questions, the existing NIST Cybersecurity Framework and the new Privacy Framework were deemed to be complementary. As such, the Privacy Framework has been developed to mirror the structure of the Cybersecurity Framework, which allows the two to be used together. It should be noted, however, that the Privacy Framework can also be used on its own.
For ease of use and understanding, the framework is split into three key areas: the Core, Profiles, and Implementation Tiers.
The Core, as the name suggests, contains the core of the privacy management program.
It gives you the tools to determine the specific activities needed to manage the risk when a system, app, device, service, etc. processes data. The core allows for a dialog to be created between those at the top of an organization with those at the operational level.
The Core has five key functions upon which your privacy risk management turns: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P.
The first four deal with managing privacy risk arising from data processing; the fifth, Protect-P, deals with privacy risk associated with a cybersecurity-related event such as a breach. The Protect-P function can be augmented by referring to the Cybersecurity Framework.
Profiles cover an organization's current privacy posture and/or where it is trying to get to in terms of privacy. The framework encourages the use of a "current" profile, describing the "as is" state, and a "target" profile, describing the "to be" state. Profiles are used to communicate across the organization and to help carry out self-assessments.
An organization's Implementation Tiers allow it to stand back and look at its processes and procedures around privacy. Tiers describe how rigorously and consistently privacy risk is managed, and are designed to help the organization move toward a more adaptive approach to risk management.
Five main implementation advice takeaways of the framework are:
This is a core focus of the framework. You should look at the overlap between cybersecurity and privacy. There are commonalities, but privacy is something that must be deeply embedded into systems rather than treated as a by-product of security controls.
Figure 1: Cybersecurity and Privacy Risk Relationship (Source)
Privacy should be approached as a process.
The volume of data being created is growing, and that data is also being used across increasingly complex and disparate systems. A privacy program can identify and map data across its lifecycle to ensure that the right protections and privacy measures follow it. The framework also sets out the importance of communication across the organization and clear lines of responsibility for privacy issues.
The ethos of Privacy by Design closely ties to the Privacy Framework. Privacy risk assessments are a useful way to double-check ethical approaches to data within a system. This should also be applied to extended systems such as vendor ecosystems. The Privacy Framework can be applied across the entire system development life cycle (SDLC).
An organization can use its current or target profile to help communicate privacy stance and needs. A common language allows these requirements to be communicated across an extended ecosystem of partners, vendors, clients, etc.
Figure 2: Data Processing Ecosystem Relationships (Source)
The work done in creating a current or target profile delivers a list of requirements. This can be used to make informed decisions when buying in products, so that what is purchased fits the organization's privacy-enhancement goals.
The use of certified privacy and compliance consultants to develop your privacy posture can help you to navigate the legislative landscape. They can also guide you in the use and application of the guidelines within the NIST Privacy Framework.
Data privacy is an intrinsic aspect of our online relationships. Poor privacy equates to poor relationships. The result can be lost customers, non-compliance fines, and data loss.
In response, NIST has created the Privacy Framework. It offers a structure that businesses across all sectors can use to develop an approach to privacy and to build privacy into their systems.
Whilst it is important to note that the NIST Privacy Framework is voluntary, adhering to data privacy legislation is not. The EU’s GDPR has made in-roads into the privacy expectations of firms that deal with EU citizen data. In the U.S., although there are state-level privacy regulations such as the CCPA, there is no federal equivalent.
Therefore, there has been much talk about a move towards a ‘joined-up’ privacy law in the United States. Can we assume that with a comprehensive framework such as the NIST Privacy Framework, we should expect that federal privacy legislation will follow next?
The Preliminary Draft of the NIST Privacy Framework is open for public comments until October 24th 2019.