
It was inevitable that once the European Union passed the GDPR that other jurisdictions would do the same. Given that the technology sector in the U.S. has been working on trying to find a way to solve the conundrum of enabling enterprises to use personal data for deeper and better insights into customers and, at the same, keep personal data safe, it seemed inevitable that regulations in the U.S. would also be forthcoming.

US And Data Privacy

However, the U.S. has the added problem of federal versus state legislation, making it even more problematic to regulate than it was to apply the GDPR across the EU’s 28 member states (the UK has said it will abide by the GDPR even after it leaves the EU bloc with Brexit).

The result is that at the beginning of this month the California Consumer Privacy Act (CCPA) came into force, which, as well as regulating data privacy in California, could also act as a blueprint for other state regulations. Then in January 2020 (this month), the National Institute of Standards and Technology (NIST) also stepped up to the mark and released the NIST Privacy Framework 1.0, which it describes as a tool for improving enterprise risk management. In introducing the Framework, NIST summed up the dilemma quite nicely. It said that in a data-driven society there is a fine line between building innovative products and services that use personal data and still protecting people’s privacy. This is where the NIST framework comes in.

According to the document, it provides a useful set of privacy protection strategies for organizations that wish to improve their approach to using and protecting personal data. The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework. To be clear, personal data includes information about specific individuals, such as their addresses or social security numbers, that a company might gather and use in the normal course of business.

Because this data can be used to identify the people who provide it, an organization must frequently take action to ensure it is not misused in a way that could embarrass, endanger or compromise the customers.


The NIST Privacy Framework

Enterprises should note, however, that the NIST Privacy Framework is not a law or regulation, but rather a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them. It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so.

The Privacy Framework 1.0 has an overarching structure modeled on that of the widely used NIST Cybersecurity Framework, and the two frameworks are designed to be complementary and updated over time. Privacy and security are related but distinct concepts: merely adopting a good security posture does not necessarily mean that an organization is addressing all its privacy needs. In practical terms, this means that the Privacy Framework’s purpose is to help organizations manage privacy risks by:

  • Taking privacy into account as they design and deploy systems, products, and services that affect individuals;
  • Communicating about their privacy practices; and
  • Encouraging cross-organizational workforce collaboration — for example, among executives, legal, and information technology (IT).

Why Do I Need a Framework?

Ilia Sotnikov is an expert in cybersecurity and IT management and VP of product management at Netwrix, a vendor of information security and governance software based in Irvine, Calif. He said the idea of a framework is particularly useful: frameworks generally help the professionals in charge to structure their understanding of the problem, and this framework will enable them to better map privacy and compliance requirements to specific workflows and controls.

The NIST Privacy Framework is not aimed at giving guidance or presenting a privacy checkbox that can lead you from zero to 100% compliance. Instead, it will help you oversee the key aspects of privacy management and be more prepared for negotiating a compliance strategy with legal and business stakeholders. More importantly, the Privacy Framework does not exist in a vacuum: it was created in alignment with the Cybersecurity Framework and its cybersecurity controls. This means that organizations can repurpose the existing security workflows they already have for privacy matters instead of investing ever-limited resources into establishing a completely new set of rules.

“NIST conducted extensive and transparent research to build this framework and created it together with other IT professionals. The IT community being a part of it increases the chances that the framework can be implemented in practice, not just on paper,” he said.

Helping Data Management

If we look at simply managing data, the NIST Privacy Framework can help companies to list and effectively analyse their data. This not only creates a more organised framework for companies to work from, but allows for security gaps to be more easily discovered, said Will Ellis, founder of Privacy Australia and an IT security consultant.

In addition, the tools that the NIST provides allow for a controlled environment to be created, which increases cybersecurity and implements more layers of prevention. It’s a great framework to use for all these things and more. From data organization to response and recovery when there is an attack, the NIST Privacy Framework really can help companies to improve their methods and protect them from malicious individuals. “The voluntary nature of the framework means that companies are able to alter procedures to fit their needs accordingly, which also makes it a great tool for anyone to use,” he said.

All this considered, there are two elements to remember here, said Mark Cassetta, senior vice president of strategy for Titus.

Formalize Existing Practices

The first is that a lot of what NIST is recommending here isn't groundbreaking. Enterprises worldwide are adopting elements of this framework in varying ways and have been for years. What is new is formalizing a lot of these practices, which will greatly benefit organizations that don't know where to start when it comes to data privacy and risk management.

Ongoing Process

No one solution or framework can make your organization compliant or provide an instant path to data privacy in and of itself. This framework is a great start, but true data privacy and risk management is an ongoing process.

NIST Privacy Framework In The Future

This is only the beginning for the framework, and future editions will need to consider developing industry needs, said Dave Castenaro, head of artificial intelligence R&D at Saint Louis-based Capacity. He pointed out that while the NIST framework has great potential to help enterprises manage data, the agency developing it needs to gather input from a wider range of voices first, including small business owners.

When NIST first sought out insight from academics and technology companies regarding the regulation of AI, most of the prominent voices in the conversation were large enterprises with deep pockets. “As a next step, I think smaller organizations or an entity like the Small Business Administration should assemble a group of like-minded individuals and develop a point of view on AI and any associated regulation for it to have a larger impact,” he said.