NIST’s new privacy rules – what you need to know – Naked Security
You’ve waded through the relevant privacy regulations until your brain hurts, and you understand the basic requirements under GDPR, CCPA, or whatever industry rules you must abide by. But how do you ensure that you’re compliant? Worry no more. NIST has released a Privacy Framework to help you get your house in order.

The US federal government’s National Institute of Standards and Technology (NIST) has a good track record of advising organisations on cybersecurity. It published a set of password rules in 2016. It also publishes a Cybersecurity Framework that has become a litmus test for those trying to secure their data.

The brand-new Privacy Framework 1.0 is the equivalent document for protecting people’s personal privacy. As NIST points out, cybersecurity and privacy are connected, but different. Some privacy events aren’t related to cybersecurity incidents, but stem from other issues like over-aggressive data collection, poorly thought-out marketing practices, or manual mishandling of data.

You can use the Privacy Framework when developing new products and services to ensure that they tick all your privacy boxes. It’s a good tool when conducting the privacy impact assessments that regulations like GDPR demand. It isn’t a compliance toolkit for meeting the requirements of specific regulations. Instead, it’s a voluntary toolkit that you can use to think about your approach to privacy. You can use bits of it or all of it – NIST isn’t prescriptive.

The Framework breaks down into three broad areas: the core, the profiles, and the implementation tiers. The core contains a set of five functions that you work through as part of your privacy assessment process.

The first, Identify-P, involves spotting and understanding privacy risks.

The second, Govern-P, is where you define the rules to deal with them, thinking up your privacy policies to help meet risk and regulatory requirements.

The Control-P function is the sharp end, where you manage data in line with your governance structure. You then establish lines of communication to tell people about those risks and controls as part of the Communicate-P function.

The final function, Protect-P, is the part of the core framework that governs cybersecurity risk. It’s where you take the appropriate cybersecurity measures, and it’s the part where you can follow the guidelines outlined in NIST’s Cybersecurity Framework. They’re designed to dovetail together.