The NIST Privacy Framework Helps Organizations Manage Privacy Risk
The National Institute of Standards and Technology (NIST) provides technical guidance for numerous technologies and industries. The unit is part of the US Department of Commerce and began in 1901 as the bureau of standards and measures, renamed NIST in 1988. For data security and privacy, NIST released the Cybersecurity Framework in 2014 and launched the NIST Privacy Framework in January of 2020.
The NIST Privacy Framework provides guidance that helps organizations identify, assess, manage, and communicate about privacy risks. Organizations can leverage the Privacy Framework to assess their privacy readiness and to conduct the Data Protection Impact Assessments required by GDPR.
What are the Components of the NIST Privacy Framework?
- The Core: The Core provides the basic operational guidelines for privacy. Directly from the April 30, 2019 working draft: “The Core consists of five concurrent and continuous functions—Identify, Protect, Control, Inform, and Respond. Together these functions provide a high-level, strategic view of the life cycle of an organization’s management of privacy risk.”
- The Profile: The Profile enumerates the privacy goals of an organization. Based on business objectives and goals, companies can create a current profile and a target profile, with the delta representing the privacy improvements the company wants to achieve. Progress toward the target state can be leveraged as a privacy Key Performance Indicator.
- Implementation Tiers: The implementation tiers describe the company’s current state of readiness. The Privacy Framework defines tiers that progress from partial through risk-informed and repeatable to adaptive.