Even if you’re the kind of person who loves to overshare on social media – and who doesn’t?! – you have the right to your privacy. You also have the right to expect that your privacy will be protected by anyone you come in contact with, whether it’s people in your personal or professional network, for-profit organizations or even the government.
Kudos to the NIST Privacy Team! In January 2020, the US National Institute of Standards and Technology (NIST) released its Privacy Framework v1.0. We’ve been tracking the growth of this program since the focus group was kicked off in September 2018 and appreciate its carefully explored yet fundamentally grassroots approach. As a company that’s at the forefront of security and privacy with our pioneering intelligence-led Active Defense MDR solution, we often come across professionals who don’t understand the differences between cybersecurity risk and privacy risk. Managing the former can help with controlling the latter, but the fact is, it is not sufficient. Privacy risks can – and do – often arise by means unrelated to cybersecurity events. The Privacy Framework is NIST’s laudable effort to articulate these issues and recommend ways to effectively manage them.
This free tool provides a general ‘how-to guide’ to help organizations identify, prioritize and manage their privacy risks, optimize their use of personal information and manage and communicate these risks to stakeholders while protecting individuals’ privacy.
The ‘fluid’ nature of privacy
Over the years, regulations such as the California Consumer Privacy Act (CCPA) and the European Union’s (EU’s) General Data Protection Regulation (GDPR) have championed digital privacy rights and made it mandatory for organizations to pay more attention to how they gather, manage, share and protect consumer data. Nonetheless, when it comes to privacy, adhering to regulatory norms and successfully meeting expectations around it can be very challenging. One reason for this is that the idea of privacy can change over time. It can also vary from person to person and culture to culture. Moreover, new products and services may provide new ways to violate privacy, regardless of whether such violations are deliberate or inadvertent.
The NIST Privacy Framework provides a common, easily implementable approach to help organizations navigate this fluid privacy environment so they can build innovative products and services while addressing diverse privacy needs and staying compliant with new regulations.
New privacy risks require newer solutions: Enter NIST Privacy Framework!
If we’re not living in the age of a ‘Data Armageddon’, we’re da*n close to it!
The pool of information that now falls under the ambit of ‘personal’ (aka Personally Identifiable Information or PII) has expanded in ways that would give Ant-Man an inferiority complex! In addition to names and addresses, telephone numbers, email addresses, financial information and bank account numbers, PII now encompasses biometric information, employment history, social media activity history, education history, behavioral data and even web cookies.
The collection and processing of PII data creates new security and privacy challenges, even if specific safeguards are spelled out in regulations such as the GDPR. With the Privacy Framework, organizations can identify such new privacy risks and mitigate their impact as they design new solutions or systems that are innovative and meet market needs on the one hand, but have the potential to affect individuals’ privacy on the other.
How to make the Privacy Framework work for your organization
The Privacy Framework is regulation-agnostic, flexible and adaptable to any organization that faces privacy concerns due to data collection and processing. It can be used in conjunction with the Cybersecurity Framework (also used at LMNTRIX) to develop or improve a privacy program in order to close gaps in privacy norms, policies and processes, while minimizing adverse consequences for individuals’ privacy. It also helps promote collaboration and strengthens org-wide accountability with respect to privacy risk management across every level, from senior leaders and process managers all the way down to the foot soldiers at the operations/implementation level.
The framework consists of 3 parts:
i) The Core provides a set of activities, functions and outcomes as a way to effectively implement risk responses and manage privacy risks.
Organizations can use the core’s 5 functions to analyze and articulate gaps. They can also map informative references like standards, laws, regulations, best practices, etc., to subcategories in order to prioritize activities or outcomes that may enable economies of scale and drive the development of solutions that are innovative and satisfy privacy regulations and laws.
ii) Profiles provide a set of functions, categories and subcategories that enable organizations to analyze gaps in their current privacy ‘state’, set priorities and develop improvement plans so they can achieve their desired privacy outcomes.
Organizations can select the functions, categories and subcategories that account for their unique privacy risks or they may develop their own. They may also develop multiple profiles for different roles, systems, products, etc. DIY Privacy at its finest!
iii) Finally, the 4 Implementation Tiers – Partial, Risk-informed, Repeatable and Adaptive – support organizational decision-making about how best to manage privacy risk.
Organizations can use these tiers to gauge progress in their risk management capability and to assign resources to ensure this progress. NIST recommends (but does not dictate) that most organizations aim to reach at least Tier 2.
Putting it all together
The NIST Privacy Framework does not recommend a one-size-fits-all ‘prescriptive’ strategy for organizations to manage their privacy protection practices. The framework is not a checklist of actions or a to-do list with a specific implementation order, nor is it a law or standard.
Its use is flexible and completely depends on the organization’s business environment, goals, operations and its current privacy risk management processes. It simply provides a common language and practical recommendations that can help organizations of all sizes and in any sector to manage their privacy risks, and ensure that they collect and use data in ways that are compliant with applicable regulations. These advantages are always crucial, but more so when the data processing ecosystem crosses national boundaries and raises serious concerns about whether (and how) the privacy rights of individuals are being protected.
We expect the NIST Privacy Framework will become as popular as the Cybersecurity Framework (CSF) because it integrates so simply into existing security and risk management frameworks. By complementing and extending the frameworks organizations already employ, it helps them build scalable, flexible programs that can adapt to evolving requirements (such as emerging privacy regulations) with minimal effort.
Ultimately, how you use the NIST Privacy Framework in your organization is up to you. But since it is the brainchild of an authoritative and highly-respected source, it’s certainly worth looking into. And the cherry on the cake – it’s completely free. Give it a whirl. We definitely recommend it!