NIST Outlines Privacy Framework, Taking a Page from Past Cybersecurity Efforts
The National Institute of Standards and Technology (NIST) released a preview of its plans for a standard Privacy Framework this past week. The purpose of the Framework is to help organizations better manage privacy risks.
The Privacy Framework would breakdown privacy functions into five categories: identify the context of processing, protect private data, control data through data management, inform individuals about data processing, and respond to adverse breach events.
Also, organizations would be able to reference the Privacy Framework when deciding how to tailor compliance to the organization’s risk tolerance, privacy objectives, and financial resources.
But as NIST explains on its website, the NIST framework is intended to compliment statutory and regulatory rules, not replace them: “the NIST framework is envisioned as an enterprise-level privacy risk management tool that can be compatible with and support organizations’ ability to operate under applicable domestic and international legal or regulatory regimes.”
Throughout the process of developing the Privacy Framework, NIST has emphasized that it will leverage its 2014 Cybersecurity Framework – both as a template and as an example of the value of standards documents. The agency recently celebrated the five-year anniversary of the Cybersecurity Framework in February, touting the fact that the Framework has been downloaded more than half a million times.
Kelley Drye will continue to track developments at NIST on the development of a Privacy Framework. If you have questions about the Privacy Framework or are interested in submitting comments, please contact Alysa Hutnik or Alex Schneider at Kelley Drye.